Total
798 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-4509 | 3 Linux, Microsoft, Octopus | 3 Linux Kernel, Windows, Octopus Server | 2025-07-02 | 4.3 Medium |
| It is possible for an API key to be logged in clear text in the audit log file after an invalid login attempt. | ||||
| CVE-2024-6972 | 3 Linux, Microsoft, Octopus | 3 Linux Kernel, Windows, Octopus Server | 2025-07-02 | 6.5 Medium |
| In affected versions of Octopus Server under certain circumstances it is possible for sensitive variables to be printed in the task log in clear-text. | ||||
| CVE-2024-41927 | 1 Idec | 182 Ft1a-b12ra, Ft1a-b12ra Firmware, Ft1a-b24ra and 179 more | 2025-07-02 | 4.6 Medium |
| Cleartext transmission of sensitive information vulnerability exists in multiple IDEC PLCs. If an attacker sends a specific command to PLC's serial communication port, user credentials may be obtained. As a result, the program of the PLC may be obtained, and the PLC may be manipulated. | ||||
| CVE-2025-4227 | 2 Palo Alto Networks, Paloaltonetworks | 2 Globalprotect App, Globalprotect | 2025-06-27 | 3.5 Low |
| An improper access control vulnerability in the Endpoint Traffic Policy Enforcement https://docs.paloaltonetworks.com/globalprotect/6-0/globalprotect-app-new-features/new-features-released-in-gp-app/endpoint-traffic-policy-enforcement feature of the Palo Alto Networks GlobalProtectâ„¢ app allows certain packets to remain unencrypted instead of being properly secured within the tunnel. An attacker with physical access to the network can inject rogue devices to intercept these packets. Under normal operating conditions, the GlobalProtect app automatically recovers from this interception within one minute. | ||||
| CVE-2024-10718 | 1 Phpipam | 1 Phpipam | 2025-06-27 | 7.5 High |
| In phpipam/phpipam version 1.5.1, the Secure attribute for sensitive cookies in HTTPS sessions is not set. This could cause the user agent to send those cookies in plaintext over an HTTP session, potentially exposing sensitive information. The issue is fixed in version 1.7.0. | ||||
| CVE-2024-45361 | 2 Mi, Xiaomi | 2 Xiaomi, Mi Connect Service | 2025-06-27 | 6.5 Medium |
| A protocol flaw vulnerability exists in the Xiaomi Mi Connect Service APP. The vulnerability is caused by the validation logic is flawed and can be exploited by attackers to leak sensitive user information. | ||||
| CVE-2025-4378 | 2025-06-26 | 10 Critical | ||
| Cleartext Transmission of Sensitive Information, Use of Hard-coded Credentials vulnerability in Ataturk University ATA-AOF Mobile Application allows Authentication Abuse, Authentication Bypass.This issue affects ATA-AOF Mobile Application: before 20.06.2025. | ||||
| CVE-2025-5087 | 2025-06-26 | N/A | ||
| Kaleris NAVIS N4 ULC (Ultra Light Client) communicates insecurely using zlib-compressed data over HTTP. An attacker capable of observing network traffic between Ultra Light Clients and N4 servers can extract sensitive information, including plaintext credentials. | ||||
| CVE-2025-27622 | 1 Jenkins | 1 Jenkins | 2025-06-24 | 4.3 Medium |
| Jenkins 2.499 and earlier, LTS 2.492.1 and earlier does not redact encrypted values of secrets when accessing `config.xml` of agents via REST API or CLI, allowing attackers with Agent/Extended Read permission to view encrypted values of secrets. | ||||
| CVE-2025-43704 | 1 Veritas | 1 Data Insight | 2025-06-23 | 4.7 Medium |
| Arctera/Veritas Data Insight before 7.1.2 can send cleartext credentials when configured to use HTTP Basic Authentication to a Dell Isilon OneFS server. | ||||
| CVE-2023-46447 | 1 Popsdiabetes | 1 Rebel | 2025-06-20 | 4.3 Medium |
| The POPS! Rebel application 5.0 for Android, in POPS! Rebel Bluetooth Glucose Monitoring System, sends unencrypted glucose measurements over BLE. | ||||
| CVE-2023-42144 | 1 Shelly | 2 Trv, Trv Firmware | 2025-06-20 | 5.5 Medium |
| Cleartext Transmission during initial setup in Shelly TRV 20220811-15234 v.2.1.8 allows a local attacker to obtain the Wi-Fi password. | ||||
| CVE-2025-32881 | 1 Gotenna | 3 Gotenna, Mesh, Mesh Firmware | 2025-06-20 | 4.3 Medium |
| An issue was discovered on goTenna v1 devices with app 5.5.3 and firmware 0.25.5. By default, the GID is the user's phone number unless they specifically opt out. A phone number is very sensitive information because it can be tied back to individuals. The app does not encrypt the GID in messages. | ||||
| CVE-2025-32884 | 1 Gotenna | 3 Gotenna, Mesh, Mesh Firmware | 2025-06-20 | 4.3 Medium |
| An issue was discovered on goTenna Mesh devices with app 5.5.3 and firmware 1.1.12. By default, a GID is the user's phone number unless they specifically opt out. A phone number is very sensitive information because it can be tied back to individuals. The app does not encrypt the GID in messages. | ||||
| CVE-2025-32887 | 1 Gotenna | 3 Gotenna, Mesh, Mesh Firmware | 2025-06-20 | 7.1 High |
| An issue was discovered on goTenna v1 devices with app 5.5.3 and firmware 0.25.5. A command channel includes the next hop. which can be intercepted and used to break frequency hopping. | ||||
| CVE-2022-47560 | 1 Ormazabal | 4 Ekorccp, Ekorccp Firmware, Ekorrci and 1 more | 2025-06-18 | 5.7 Medium |
| The lack of web request control on ekorCCP and ekorRCI devices allows a potential attacker to create custom requests to execute malicious actions when a user is logged in. | ||||
| CVE-2023-32328 | 1 Ibm | 1 Security Verify Access | 2025-06-17 | 7.5 High |
| IBM Security Verify Access 10.0.0.0 through 10.0.6.1 uses insecure protocols in some instances that could allow an attacker on the network to take control of the server. IBM X-Force Id: 254957. | ||||
| CVE-2023-51741 | 1 Skyworthdigital | 2 Cm5100, Cm5100 Firmware | 2025-06-17 | 7.5 High |
| This vulnerability exist in Skyworth Router CM5100, version 4.1.1.24, due to transmission of authentication credentials in plaintext over the network. A remote attacker could exploit this vulnerability by eavesdropping on the victim’s network traffic to extract username and password from the web interface (Password Reset Page) of the vulnerable targeted system. | ||||
| CVE-2022-30312 | 1 Honeywell | 10 Trend Iq411, Trend Iq411 Firmware, Trend Iq412 and 7 more | 2025-06-17 | 6.5 Medium |
| The Trend Controls IC protocol through 2022-05-06 allows Cleartext Transmission of Sensitive Information. According to FSCT-2022-0050, there is a Trend Controls Inter-Controller (IC) protocol cleartext transmission of credentials issue. The affected components are characterized as: Inter-Controller (IC) protocol (57612/UDP). The potential impact is: Compromise of credentials. Several Trend Controls building automation controllers utilize the Inter-Controller (IC) protocol in for information exchange and automation purposes. This protocol offers authentication in the form of a 4-digit PIN in order to protect access to sensitive operations like strategy uploads and downloads as well as optional 0-30 character username and password protection for web page access protection. Both the PIN and usernames and passwords are transmitted in cleartext, allowing an attacker with passive interception capabilities to obtain these credentials. Credentials are transmitted in cleartext. An attacker who obtains Trend IC credentials can carry out sensitive engineering actions such as manipulating controller strategy or configuration settings. If the credentials in question are (re)used for other applications, their compromise could potentially facilitate lateral movement. | ||||
| CVE-2023-46889 | 1 Meross | 2 Msh30q, Msh30q Firmware | 2025-06-17 | 5.7 Medium |
| Meross MSH30Q 4.5.23 is vulnerable to Cleartext Transmission of Sensitive Information. During the device setup phase, the MSH30Q creates an unprotected Wi-Fi access point. In this phase, MSH30Q needs to connect to the Internet through a Wi-Fi router. This is why MSH30Q asks for the Wi-Fi network name (SSID) and the Wi-Fi network password. When the user enters the password, the transmission of the Wi-Fi password and name between the MSH30Q and mobile application is observed in the Wi-Fi network. Although the Wi-Fi password is encrypted, a part of the decryption algorithm is public so we complemented the missing parts to decrypt it. | ||||