VYPR

CWE-319

Cleartext Transmission of Sensitive Information

Base · Draft · Likelihood: High

Description

The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-102 · CAPEC-117 · CAPEC-383 · CAPEC-477 · CAPEC-65

CVEs mapped to this weakness (302)

page 8 of 16
  • CVE-2026-36610 · Med · Jun 3, 2026
    risk 0.38 · cvss 5.9 · epss 0.00

    Mercusys AC12G (EU) V1 with firmware AC12G(EU)_V1_200909 transmits DDNS credentials over plaintext HTTP with only Base64 encoding. The firmware contains no TLS implementation, allowing man-in-the-middle interception of DDNS service credentials.

  • CVE-2023-52951 · Med · Jun 3, 2026
    risk 0.38 · cvss 5.9 · epss 0.00

    A cleartext transmission of sensitive information vulnerability in Synology Note Station Client before 2.2.4-703 allows man-in-the-middle attackers to obtain user credentials.

  • CVE-2026-10584 · Med · Jun 2, 2026
    risk 0.38 · cvss 5.9 · epss 0.00

    Proxy server in Graph Explorer before 3.0.1 falls back to HTTP when certificate files are missing, which might allow remote threat actors to obtain sensitive information via interception of requests intended to be sent over HTTPS. To remediate this issue, users should upgrade…

  • CVE-2026-44726 · High · May 27, 2026
    risk 0.38 · cvss · epss 0.00

    A flaw in Deno's Node.js tls compatibility layer could cause a TLS client to transmit application data in plaintext after a connection retry. When `autoSelectFamily` was enabled and the first address-family attempt failed, the socket reinitialization path reused a…

  • CVE-2026-5119 · Med · Mar 30, 2026
    risk 0.38 · cvss 5.9 · epss 0.00

    A flaw was found in libsoup. When establishing HTTPS tunnels through a configured HTTP proxy, sensitive session cookies are transmitted in cleartext within the initial HTTP CONNECT request. A network-positioned attacker or a malicious HTTP proxy can intercept these cookies,…

  • CVE-2025-27722 · Med · Apr 9, 2025
    risk 0.38 · cvss 5.9 · epss 0.00

    Cleartext transmission of sensitive information issue exists in Wi-Fi AP UNIT 'AC-WPS-11ac series'. If exploited, a man-in-the-middle attack may allow a remote unauthenticated attacker to eavesdrop on the communication and obtain the authentication information.

  • CVE-2024-50624 · Med · Oct 28, 2024
    risk 0.38 · cvss 5.9 · epss 0.00

    ispdbservice.cpp in KDE Kmail before 6.2.0 allows man-in-the-middle attackers to trigger use of an attacker-controlled mail server because cleartext HTTP is used for a URL such as http://autoconfig.example.com or http://example.com/.well-known/autoconfig for retrieving the…

  • CVE-2018-1454 · Med · Jun 5, 2018
    risk 0.38 · cvss 5.9 · epss 0.01

    IBM InfoSphere Information Server 11.3, 11.5, and 11.7 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security. An attacker could exploit this vulnerability to obtain sensitive information using man…

  • CVE-2017-16041 · Med · Jun 4, 2018
    risk 0.38 · cvss 5.9 · epss 0.01

    ikst versions before 1.1.2 download resources over HTTP, which leaves it vulnerable to MITM attacks.

  • CVE-2018-0283 · Med · May 2, 2018
    risk 0.38 · cvss 5.8 · epss 0.01

    A vulnerability in the detection engine of Cisco Firepower System Software could allow an unauthenticated, remote attacker to restart an instance of the Snort detection engine on an affected device, resulting in a brief denial of service (DoS) condition. The vulnerability is due…

  • CVE-2018-0281 · Med · May 2, 2018
    risk 0.38 · cvss 5.8 · epss 0.01

    A vulnerability in the detection engine of Cisco Firepower System Software could allow an unauthenticated, remote attacker to restart an instance of the Snort detection engine on an affected device, resulting in a brief denial of service (DoS) condition. The vulnerability is due…

  • CVE-2018-5471 · Med · Mar 6, 2018
    risk 0.38 · cvss 5.9 · epss 0.01

    A Cleartext Transmission of Sensitive Information issue was discovered in Belden Hirschmann RS, RSR, RSB, MACH100, MACH1000, MACH4000, MS, and OCTOPUS Classic Platform Switches. A cleartext transmission of sensitive information vulnerability in the web interface has been…

  • CVE-2018-6019 · Med · Mar 6, 2018
    risk 0.38 · cvss 5.9 · epss 0.00

    Samsung Display Solutions App before 3.02 for Android allows man-in-the-middle attackers to spoof B2B content by leveraging failure to use encryption during information transmission.

  • CVE-2017-1232 · Med · Oct 26, 2017
    risk 0.38 · cvss 5.9 · epss 0.01

    IBM Tivoli Endpoint Manager (IBM BigFix Platform 9.2 and 9.5) transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors. IBM X-Force ID: 123911.

  • CVE-2017-8444 · Med · Sep 29, 2017
    risk 0.38 · cvss 5.9 · epss 0.01

    The client-forwarder in Elastic Cloud Enterprise versions prior to 1.0.2 does not properly encrypt traffic to ZooKeeper. If an attacker is able to man-in-the-middle (MITM) the traffic between the client-forwarder and ZooKeeper, they could potentially obtain sensitive data.

  • CVE-2017-8851 · Med · May 11, 2017
    risk 0.38 · cvss 5.9 · epss 0.00

    An issue was discovered on OnePlus One and X devices. Due to a lenient updater-script on the OnePlus One and X OTA images, the fact that both products use the same OTA verification keys, and the fact that both products share the same 'ro.build.product' system property, attackers…

  • CVE-2017-8850 · Med · May 11, 2017
    risk 0.38 · cvss 5.9 · epss 0.00

    An issue was discovered on OnePlus One, X, 2, 3, and 3T devices. Due to a lenient updater-script in the OnePlus OTA images, and the fact that both ROMs use the same OTA verification keys, attackers can install HydrogenOS over OxygenOS and vice versa, even on locked bootloaders,…

  • CVE-2017-2412 · Med · Apr 2, 2017
    risk 0.38 · cvss 5.9 · epss 0.01

    An issue was discovered in certain Apple products. iOS before 10.3 is affected. The issue involves the "iTunes Store" component. It allows man-in-the-middle attackers to modify the client-server data stream to iTunes sandbox web services by leveraging use of cleartext HTTP.

  • CVE-2026-21742 · Med · Apr 14, 2026
    risk 0.37 · cvss 5.7 · epss 0.00

    A cleartext transmission of sensitive information vulnerability in Fortinet FortiSOAR PaaS 7.6.0 through 7.6.3, FortiSOAR PaaS 7.5.0 through 7.5.2, FortiSOAR PaaS 7.4 all versions, FortiSOAR PaaS 7.3 all versions, FortiSOAR on-premise 7.6.0 through 7.6.2, FortiSOAR on-premise…

  • CVE-2026-2539 · Med · Feb 15, 2026
    risk 0.37 · cvss · epss 0.00

    The RF communication protocol in the Micca KE700 car alarm system does not encrypt its data frames. An attacker with a radio interception tool (e.g., SDR) can capture the random number and counters transmitted in cleartext, which is sensitive information required for…