Total
496 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2022-22405 | 2 Ibm, Linux | 2 Aspera Faspex, Linux Kernel | 2024-11-21 | 5.9 Medium |
| IBM Aspera Faspex 5.0.5 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security. An attacker could exploit this vulnerability to obtain sensitive information using man in the middle techniques. IBM X-Force ID: 222576. | ||||
| CVE-2022-22401 | 2 Ibm, Linux | 2 Aspera Faspex, Linux Kernel | 2024-11-21 | 5.9 Medium |
| IBM Aspera Faspex 5.0.5 could allow a remote attacker to gather or persuade a naive user to supply sensitive information. IBM X-Force ID: 222567. | ||||
| CVE-2022-22386 | 3 Apple, Ibm, Microsoft | 3 Macos, Security Verify Privilege On-premises, Windows | 2024-11-21 | 5.3 Medium |
| IBM Security Verify Privilege On-Premises 11.5 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security. An attacker could exploit this vulnerability to obtain sensitive information using man in the middle techniques. IBM X-Force ID: 221963. | ||||
| CVE-2022-22377 | 3 Apple, Ibm, Microsoft | 3 Macos, Security Verify Privilege On-premises, Windows | 2024-11-21 | 5.3 Medium |
| IBM Security Verify Privilege On-Premises 11.5 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security. An attacker could exploit this vulnerability to obtain sensitive information using man in the middle techniques. IBM X-Force ID: 221827. | ||||
| CVE-2022-0183 | 1 Kingjim | 4 Mirupass Pw10, Mirupass Pw10 Firmware, Mirupass Pw20 and 1 more | 2024-11-21 | 4.6 Medium |
| Missing encryption of sensitive data vulnerability in 'MIRUPASS' PW10 firmware all versions and 'MIRUPASS' PW20 firmware all versions allows an attacker who can physically access the device to obtain the stored passwords. | ||||
| CVE-2021-41302 | 1 Ecoa | 5 Ecs Router Controller-ecs, Ecs Router Controller-ecs Firmware, Riskbuster and 2 more | 2024-11-21 | 7.3 High |
| ECOA BAS controller stores sensitive data (backup exports) in clear-text, thus the unauthenticated attacker can remotely query user password and obtain user’s privilege. | ||||
| CVE-2021-40650 | 1 Softwareag | 1 Connx | 2024-11-21 | 6.5 Medium |
| In Connx Version 6.2.0.1269 (20210623), a cookie can be issued by the application and not have the secure flag set. | ||||
| CVE-2021-40642 | 1 Textpattern | 1 Textpattern | 2024-11-21 | 4.3 Medium |
| Textpattern CMS v4.8.7 and older vulnerability exists through Sensitive Cookie in HTTPS Session Without 'Secure' Attribute via textpattern/lib/txplib_misc.php. The secure flag is not set for txp_login session cookie in the application. If the secure flag is not set, then the cookie will be transmitted in clear-text if the user visits any HTTP URLs within the cookie's scope. An attacker may be able to induce this event by feeding a user suitable links, either directly or via another web site. | ||||
| CVE-2021-40366 | 1 Siemens | 2 Climatix Pol909, Climatix Pol909 Firmware | 2024-11-21 | 7.4 High |
| A vulnerability has been identified in Climatix POL909 (AWB module) (All versions < V11.42), Climatix POL909 (AWM module) (All versions < V11.34). The web server of affected devices transmits data without TLS encryption. This could allow an unauthenticated remote attacker in a man-in-the-middle position to read sensitive data, such as administrator credentials, or modify data in transit. | ||||
| CVE-2021-3882 | 1 Ledgersmb | 1 Ledgersmb | 2024-11-21 | 6.8 Medium |
| LedgerSMB does not set the 'Secure' attribute on the session authorization cookie when the client uses HTTPS and the LedgerSMB server is behind a reverse proxy. By tricking a user to use an unencrypted connection (HTTP), an attacker may be able to obtain the authentication data by capturing network traffic. LedgerSMB 1.8 and newer switched from Basic authentication to using cookie authentication with encrypted cookies. Although an attacker can't access the information inside the cookie, nor the password of the user, possession of the cookie is enough to access the application as the user from which the cookie has been obtained. In order for the attacker to obtain the cookie, first of all the server must be configured to respond to unencrypted requests, the attacker must be suitably positioned to eavesdrop on the network traffic between the client and the server *and* the user must be tricked into using unencrypted HTTP traffic. Proper audit control and separation of duties limit Integrity impact of the attack vector. Users of LedgerSMB 1.8 are urged to upgrade to known-fixed versions. Users of LedgerSMB 1.7 or 1.9 are unaffected by this vulnerability and don't need to take action. As a workaround, users may configure their Apache or Nginx reverse proxy to add the Secure attribute at the network boundary instead of relying on LedgerSMB. For Apache, please refer to the 'Header always edit' configuration command in the mod_headers module. For Nginx, please refer to the 'proxy_cookie_flags' configuration command. | ||||
| CVE-2021-38977 | 3 Ibm, Linux, Microsoft | 5 Aix, Security Guardium Key Lifecycle Manager, Security Key Lifecycle Manager and 2 more | 2024-11-21 | 4.3 Medium |
| IBM Tivoli Key Lifecycle Manager 3.0, 3.0.1, 4.0, and 4.1 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic. IBM X-Force ID: 212782. | ||||
| CVE-2021-37189 | 1 Digi | 12 Transport Wr11, Transport Wr11 Firmware, Transport Wr11 Xt and 9 more | 2024-11-21 | 7.5 High |
| An issue was discovered on Digi TransPort Gateway devices through 5.2.13.4. They do not set the Secure attribute for sensitive cookies in HTTPS sessions, which could cause the user agent to send those cookies in cleartext over an HTTP session. | ||||
| CVE-2021-37050 | 1 Huawei | 3 Emui, Harmonyos, Magic Ui | 2024-11-21 | 7.5 High |
| There is a Missing sensitive data encryption vulnerability in Huawei Smartphone.Successful exploitation of this vulnerability may affect service confidentiality. | ||||
| CVE-2021-36189 | 1 Fortinet | 1 Forticlient Enterprise Management Server | 2024-11-21 | 6.8 Medium |
| A missing encryption of sensitive data in Fortinet FortiClientEMS version 7.0.1 and below, version 6.4.4 and below allows attacker to information disclosure via inspecting browser decrypted data | ||||
| CVE-2021-35236 | 1 Solarwinds | 1 Kiwi Syslog Server | 2024-11-21 | 3.1 Low |
| The Secure flag is not set in the SSL Cookie of Kiwi Syslog Server 9.7.2 and previous versions. The Secure attribute tells the browser to only send the cookie if the request is being sent over a secure channel such as HTTPS. This will help protect the cookie from being passed over unencrypted requests. If the application can be accessed over both HTTP, there is a potential for the cookie can be sent in clear text. | ||||
| CVE-2021-33900 | 1 Apache | 1 Directory Studio | 2024-11-21 | 7.5 High |
| While investigating DIRSTUDIO-1219 it was noticed that configured StartTLS encryption was not applied when any SASL authentication mechanism (DIGEST-MD5, GSSAPI) was used. While investigating DIRSTUDIO-1220 it was noticed that any configured SASL confidentiality layer was not applied. This issue affects Apache Directory Studio version 2.0.0.v20210213-M16 and prior versions. | ||||
| CVE-2021-32001 | 1 Suse | 2 Rancher K3s, Rancher Rke2 | 2024-11-21 | 6.5 Medium |
| K3s in SUSE Rancher allows any user with direct access to the datastore, or a copy of a datastore backup, to extract the cluster's confidential keying material (cluster certificate authority private keys, secrets encryption configuration passphrase, etc.) and decrypt it, without having to know the token value. This issue affects: SUSE Rancher K3s version v1.19.12+k3s1, v1.20.8+k3s1, v1.21.2+k3s1 and prior versions; RKE2 version v1.19.12+rke2r1, v1.20.8+rke2r1, v1.21.2+rke2r1 and prior versions. | ||||
| CVE-2021-31386 | 1 Juniper | 1 Junos | 2024-11-21 | 5.3 Medium |
| A Protection Mechanism Failure vulnerability in the J-Web HTTP service of Juniper Networks Junos OS allows a remote unauthenticated attacker to perform Person-in-the-Middle (PitM) attacks against the device. This issue affects: Juniper Networks Junos OS 12.3 versions prior to 12.3R12-S20; 15.1 versions prior to 15.1R7-S11; 18.3 versions prior to 18.3R3-S6; 18.4 versions prior to 18.4R3-S10; 19.1 versions prior to 19.1R3-S7; 19.2 versions prior to 19.2R3-S4; 19.3 versions prior to 19.3R3-S4; 19.4 versions prior to 19.4R3-S6; 20.1 versions prior to 20.1R3-S2; 20.2 versions prior to 20.2R3-S3; 20.3 versions prior to 20.3R3-S1; 20.4 versions prior to 20.4R3; 21.1 versions prior to 21.1R3; 21.2 versions prior to 21.2R2. | ||||
| CVE-2021-29883 | 1 Ibm | 1 Transformation Extender Advanced | 2024-11-21 | 4.3 Medium |
| IBM Standards Processing Engine (IBM Transformation Extender Advanced 9.0 and 10.0) does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic. IBM X-Force ID: 207090. | ||||
| CVE-2021-29248 | 1 Btcpayserver | 1 Btcpay Server | 2024-11-21 | 5.3 Medium |
| BTCPay Server through 1.0.7.0 could allow a remote attacker to obtain sensitive information, caused by failure to set the Secure flag for a cookie. | ||||