VYPR

CWE-319

Cleartext Transmission of Sensitive Information

BaseDraftLikelihood: High

Description

The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-102 · CAPEC-117 · CAPEC-383 · CAPEC-477 · CAPEC-65

CVEs mapped to this weakness (302)

page 7 of 16
  • CVE-2024-45361MedMar 27, 2025
    risk 0.42cvss 6.5epss 0.00

    A protocol flaw vulnerability exists in the Xiaomi Mi Connect Service APP. The vulnerability is caused by the validation logic is flawed and can be exploited by attackers to leak sensitive user information.

  • CVE-2025-25728MedFeb 28, 2025
    risk 0.42cvss 6.5epss 0.00

    Bosscomm IF740 Firmware versions:11001.7078 & v11001.0000 and System versions: 6.25 & 6.00 were discovered to send communications to the update API in plaintext, allowing attackers to access sensitive information via a man-in-the-middle attack.

  • CVE-2024-48121MedJan 15, 2025
    risk 0.42cvss 6.5epss 0.00

    The HI-SCAN 6040i Hitrax HX-03-19-I was discovered to transmit user credentials in cleartext over the GIOP protocol. This allows attackers to possibly gain access to sensitive information via a man-in-the-middle attack.

  • CVE-2024-27163MedJun 14, 2024
    risk 0.42cvss 6.5epss 0.00

    Toshiba printers will display the password of the admin user in clear-text and additional passwords when sending 2 specific HTTP requests to the internal API. An attacker stealing the cookie of an admin or abusing a XSS vulnerability can recover this password in clear-text and…

  • CVE-2024-28275MedApr 3, 2024
    risk 0.42cvss 6.5epss 0.00

    Puwell Cloud Tech Co, Ltd 360Eyes Pro v3.9.5.16(3090516) was discovered to transmit sensitive information in cleartext. This vulnerability allows attackers to intercept and access sensitive information, including users' credentials and password change requests.

  • CVE-2021-22946HigSep 29, 2021
    risk 0.42cvss 7.5epss 0.04

    A user can tell curl >= 7.20.0 and <= 7.78.0 to require a successful upgrade to TLS when speaking to an IMAP, POP3 or FTP server (`--ssl-reqd` on the command line or`CURLOPT_USE_SSL` set to `CURLUSESSL_CONTROL` or `CURLUSESSL_ALL` withlibcurl). This requirement could be bypassed…

  • CVE-2018-16225MedSep 18, 2018
    risk 0.42cvss 6.5epss 0.01

    The QBee MultiSensor Camera through 4.16.4 accepts unencrypted network traffic from clients (such as the QBee Cam application through 1.0.5 for Android and the Swisscom Home application up to 10.7.2 for Android), which results in an attacker being able to reuse cookies to bypass…

  • CVE-2018-11477MedMay 30, 2018
    risk 0.42cvss 6.5epss 0.00

    An issue was discovered on Vgate iCar 2 Wi-Fi OBD2 Dongle devices. The data packets that are sent between the iOS or Android application and the OBD dongle are not encrypted. The combination of this vulnerability with the lack of wireless network protection exposes all…

  • CVE-2017-12716MedApr 25, 2018
    risk 0.42cvss 6.5epss 0.00

    Abbott Laboratories Accent and Anthem pacemakers manufactured prior to Aug 28, 2017 transmit unencrypted patient information via RF communications to programmers and home monitoring units. Additionally, the Accent and Anthem pacemakers store the optional patient information…

  • CVE-2017-17844MedDec 27, 2017
    risk 0.42cvss 6.5epss 0.01

    An issue was discovered in Enigmail before 1.9.9. A remote attacker can obtain cleartext content by sending an encrypted data block (that the attacker cannot directly decrypt) to a victim, and relying on the victim to automatically decrypt that block and then send it back to the…

  • CVE-2017-14009MedOct 17, 2017
    risk 0.42cvss 6.5epss 0.01

    An Information Exposure issue was discovered in ProMinent MultiFLEX M10a Controller web interface. When an authenticated user uses the Change Password feature on the application, the current password for the user is specified in plaintext. This may allow an attacker who has been…

  • CVE-2017-6665MedAug 7, 2017
    risk 0.42cvss 6.5epss 0.00

    A vulnerability in the Autonomic Networking feature of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, adjacent attacker to reset the Autonomic Control Plane (ACP) of an affected system and view ACP packets that are transferred in clear text within…

  • CVE-2026-25599MedJun 1, 2026
    risk 0.41cvss 6.3epss 0.00

    Missing authentication and clear‑text transmission of data from the heat pumps to the control server, combined with the absence of input validation on aggregated data, can lead to stored XSS that enables theft of cookies from the pump’s web control interface. Older Orca…

  • CVE-2026-32745MedMar 13, 2026
    risk 0.41cvss 6.3epss 0.00

    In JetBrains Datalore before 2026.1 session hijacking was possible due to missing secure attribute for cookie settings

  • CVE-2026-1777HigFeb 2, 2026
    risk 0.40cvss 7.2epss 0.00

    The Amazon SageMaker Python SDK before v3.2.0 and v2.256.0 includes the ModelBuilder HMAC signing key in the cleartext response elements of the DescribeTrainingJob function. A third party with permissions to both call this API and permissions to modify objects in the Training…

  • CVE-2018-0025MedJul 11, 2018
    risk 0.40cvss 6.1epss 0.01

    When an SRX Series device is configured to use HTTP/HTTPS pass-through authentication services, a client sending authentication credentials in the initial HTTP/HTTPS session is at risk that these credentials may be captured during follow-on HTTP/HTTPS requests by a malicious…

  • CVE-2026-47255higMay 29, 2026
    risk 0.39cvss epss 0.00

    The current upstream main branch at commit 7e0206d was reviewed, and the fix-first patch set was rebased on 2026-05-18. The patches cover: validated and bound inactive-agent hour filtering; storage SQL identifier validation; metadata-backed ownership checks for raw storage SQL;…

  • CVE-2025-5087MedJun 24, 2025
    risk 0.39cvss epss 0.00

    Kaleris NAVIS N4 ULC (Ultra Light Client) communicates insecurely using zlib-compressed data over HTTP. An attacker capable of observing network traffic between Ultra Light Clients and N4 servers can extract sensitive information, including plaintext credentials.

  • CVE-2024-5631MedJul 9, 2024
    risk 0.39cvss epss 0.00

    Longse NVR (Network Video Recorder) model NVR3608PGE2W, as well as products based on this device, are transmitting user's login and password to a remote control service without using any encryption. This enables an on-path attacker to eavesdrop the credentials and subsequently…

  • CVE-2017-6341MedFeb 27, 2017
    risk 0.39cvss 5.9epss 0.09

    Dahua DHI-HCVR7216A-S3 devices with NVR Firmware 3.210.0001.10 2016-06-06, Camera Firmware 2.400.0000.28.R 2016-03-29, and SmartPSS Software 1.16.1 2017-01-19 send cleartext passwords in response to requests from the Web Page, Mobile Application, and Desktop Application…