VYPR

CWE-319

Cleartext Transmission of Sensitive Information

BaseDraftLikelihood: High

Description

The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-102 · CAPEC-117 · CAPEC-383 · CAPEC-477 · CAPEC-65

CVEs mapped to this weakness (302)

page 9 of 16
  • CVE-2025-0432MedJan 28, 2025
    risk 0.37cvss 5.7epss 0.00

    EWON Flexy 202 transmits user credentials in clear text with no encryption when a user is added, or user credentials are changed via its webpage.

  • CVE-2025-13454MedJan 14, 2026
    risk 0.36cvss 5.5epss 0.00

    A potential vulnerability was reported in ThinkPlus configuration software that could allow a local authenticated user to gain access to sensitive device information.

  • CVE-2025-22493MedMar 5, 2025
    risk 0.36cvss 5.6epss 0.00

    Secure flag not set and SameSIte was set to Lax in the Foreseer Reporting Software (FRS). Absence of this secure flag could lead into the session cookie being transmitted over unencrypted HTTP connections. This security issue has been resolved in the latest version of FRS…

  • CVE-2017-7143MedOct 23, 2017
    risk 0.36cvss 5.5epss 0.00

    An issue was discovered in certain Apple products. macOS before 10.13 is affected. The issue involves the "Captive Network Assistant" component. It allows remote attackers to discover cleartext passwords in opportunistic circumstances by sniffing the network during use of the…

  • CVE-2017-6410MedMar 2, 2017
    risk 0.36cvss 5.5epss 0.01

    kpac/script.cpp in KDE kio before 5.32 and kdelibs before 4.14.30 calls the PAC FindProxyForURL function with a full https URL (potentially including Basic Authentication credentials, a query string, or PATH_INFO), which allows remote attackers to obtain sensitive information…

  • CVE-2007-5626MedOct 23, 2007
    risk 0.36cvss 5.5epss 0.00

    make_catalog_backup in Bacula 2.2.5, and probably earlier, sends a MySQL password as a command line argument, and sometimes transmits cleartext e-mail containing this command line, which allows context-dependent attackers to obtain the password by listing the process and its…

  • CVE-2025-62310MedMay 14, 2026
    risk 0.35cvss 5.4epss 0.00

    HCL AION is affected by a vulnerability where encryption is not enforced for certain data transmissions or operations. This may expose sensitive information to potential interception or unauthorized access under specific conditions.

  • CVE-2024-28169MedNov 13, 2024
    risk 0.35cvss 5.4epss 0.00

    Cleartext transmission of sensitive information for some BigDL software maintained by Intel(R) before version 2.5.0 may allow an authenticated user to potentially enable denial of service via adjacent access.

  • CVE-2017-7147MedOct 23, 2017
    risk 0.35cvss 5.3epss 0.01

    An issue was discovered in certain Apple products. The Apple Support app before 1.2 for iOS is affected. The issue involves the "Analytics" component. It allows remote attackers to obtain sensitive analytics information by leveraging its presence in a cleartext HTTP transmission…

  • CVE-2017-7078MedOct 23, 2017
    risk 0.35cvss 5.3epss 0.01

    An issue was discovered in certain Apple products. iOS before 11 is affected. macOS before 10.13 is affected. The issue involves the "Mail Drafts" component. It allows remote attackers to obtain sensitive information by reading unintended cleartext transmissions.

  • CVE-2017-3305MedApr 24, 2017
    risk 0.35cvss 5.3epss 0.01

    Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: C API). Supported versions that are affected are 5.5.55 and earlier and 5.6.35 and earlier. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple…

  • CVE-2017-3815MedMar 17, 2017
    risk 0.35cvss 5.3epss 0.01

    An API Privilege vulnerability in Cisco TelePresence Server Software could allow an unauthenticated, remote attacker to emulate Cisco TelePresence Server endpoints. Affected Products: This vulnerability affects Cisco TelePresence Server MSE 8710 Processors that are running a…

  • CVE-2017-6370MedMar 17, 2017
    risk 0.35cvss 5.3epss 0.01

    TYPO3 7.6.15 sends an http request to an index.php?loginProvider URI in cases with an https Referer, which allows remote attackers to obtain sensitive cleartext information by sniffing the network and reading the userident and username fields.

  • CVE-2026-38740MedMay 14, 2026
    risk 0.34cvss 5.3epss 0.00

    Foscam VD1 Video Doorbell before V5.3.13_1072 is vulnerable to Cleartext Transmission of Sensitive Information. The device transmits sensitive Session Description Protocol (SDP), including ICE credentials and candidates, in cleartext over network interfaces. An attacker with…

  • CVE-2026-32683MedMay 9, 2026
    risk 0.34cvss 5.3epss 0.00

    Some EZVIZ products utilize older versions of cloud feature modules with legacy API interfaces, which pose a data transmission risk. Attackers can exploit this by eavesdropping on network requests to obtain data.Users are advised to upgrade the app to the latest version and…

  • CVE-2026-40431MedApr 24, 2026
    risk 0.34cvss 5.3epss 0.00

    A vulnerability exists in SenseLive X3050’s web management interface due to its reliance on unencrypted HTTP for all administrative communication. Because management traffic, including authentication attempts and configuration data, is transmitted in cleartext, an attacker…

  • CVE-2025-31981MedApr 21, 2026
    risk 0.34cvss 5.3epss 0.00

    HCL BigFix Service Management (SM) Discovery is vulnerable to unenforced encryption due to port 80 (HTTP) being open, allowing unencrypted access.  An attacker with access to the network traffic can sniff packets from the connection and uncover the data.

  • CVE-2025-0136MedMay 14, 2025
    risk 0.34cvss epss 0.00

    Using the AES-128-CCM algorithm for IPSec on certain Palo Alto Networks PAN-OS® firewalls (PA-7500, PA-5400, PA-5400f, PA-3400, PA-1600, PA-1400, and PA-400 Series) leads to unencrypted data transfer to devices that are connected to the PAN-OS firewall through IPSec. This…

  • CVE-2024-40595MedOct 24, 2024
    risk 0.34cvss 5.3epss 0.00

    An authentication-bypass issue in the RDP component of One Identity Safeguard for Privileged Sessions (SPS) On Premise before 7.5.1 (and LTS before 7.0.5.1) allows man-in-the-middle attackers to obtain access to privileged sessions on target resources by intercepting cleartext…

  • CVE-2024-9620MedOct 8, 2024
    risk 0.34cvss 5.3epss 0.00

    A flaw was found in Event-Driven Automation (EDA) in Ansible Automation Platform (AAP), which lacks encryption of sensitive information. An attacker with network access could exploit this vulnerability by sniffing the plaintext data transmitted between the EDA and AAP. An…