| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| The Web Server Plug-in in IBM WebSphere Application Server (WAS) 8.0 and earlier uses unencrypted HTTP communication after expiration of the plugin-key.kdb password, which allows remote attackers to obtain sensitive information by sniffing the network, or spoof arbitrary servers via a man-in-the-middle attack. |
| Cloudera Manager 3.7.x before 3.7.5 and Service and Configuration Manager 3.5, when Kerberos is not enabled, does not properly install taskcontroller.cfg, which allows remote authenticated users to impersonate arbitrary user accounts via unspecified vectors, a different vulnerability than CVE-2012-1574. |
| The Debian php_crypt_revamped.patch patch for PHP 5.3.x, as used in the php5 package before 5.3.3-7+squeeze4 in Debian GNU/Linux squeeze, the php5 package before 5.3.2-1ubuntu4.17 in Ubuntu 10.04 LTS, and the php5 package before 5.3.5-1ubuntu7.10 in Ubuntu 11.04, does not properly handle an empty salt string, which might allow remote attackers to bypass authentication by leveraging an application that relies on the PHP crypt function to choose a salt for password hashing. |
| Cisco AnyConnect Secure Mobility Client 3.0 before 3.0.08057 does not verify the certificate name in an X.509 certificate during WebLaunch of IPsec, which allows man-in-the-middle attackers to spoof servers via a crafted certificate, aka Bug ID CSCtz29470. |
| The default configuration of Cyberoam UTM appliances uses the same Certification Authority certificate and same private key across different customers' installations, which makes it easier for man-in-the-middle attackers to spoof SSL servers by leveraging the presence of the Cyberoam_SSL_CA certificate in a list of trusted root certification authorities. NOTE: the vendor disputes the significance of this issue because the appliance "does not allow import or export of the foresaid private key. |
| The Teiid Java Database Connectivity (JDBC) socket, as used in JBoss Enterprise Data Services Platform before 5.3.0, does not encrypt login messages by default contrary to documentation and specification, which allows remote attackers to obtain login credentials via a man-in-the-middle (MITM) attack. |
| The SPDY protocol 3 and earlier, as used in Mozilla Firefox, Google Chrome, and other products, can perform TLS encryption of compressed data without properly obfuscating the length of the unencrypted data, which allows man-in-the-middle attackers to obtain plaintext HTTP headers by observing length differences during a series of guesses in which a string in an HTTP request potentially matches an unknown string in an HTTP header, aka a "CRIME" attack. |
| The CRC32C feature in the Btrfs implementation in the Linux kernel before 3.8-rc1 allows local users to cause a denial of service (prevention of file creation) by leveraging the ability to write to a directory important to the victim, and creating a file with a crafted name that is associated with a specific CRC32C hash value. |
| The client in FreeIPA 2.x and 3.x before 3.1.2 does not properly obtain the Certification Authority (CA) certificate from the server, which allows man-in-the-middle attackers to spoof a join procedure via a crafted certificate. |
| Best Practical Solutions RT 3.8.x before 3.8.15 and 4.0.x before 4.0.8, when GnuPG is enabled, does not ensure that the UI labels unencrypted messages as unencrypted, which might make it easier for remote attackers to spoof details of a message's origin or interfere with encryption-policy auditing via an e-mail message to a queue's address. |
| EMC RSA Authentication API before 8.1 SP1, RSA Web Agent before 5.3.5 for Apache Web Server, RSA Web Agent before 5.3.5 for IIS, RSA PAM Agent before 7.0, and RSA Agent before 6.1.4 for Microsoft Windows use an improper encryption algorithm and a weak key for maintaining the stored data of the node secret for the SecurID Authentication API, which allows local users to obtain sensitive information via cryptographic attacks on this data. |
| The TLS and DTLS implementations in wolfSSL CyaSSL before 2.5.0 do not properly consider timing side-channel attacks on a noncompliant MAC check operation during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, a related issue to CVE-2013-0169. |
| Kaspersky has fixed a security issue in Kaspersky Password Manager (KPM) for Windows that allowed a local user to recover the auto-filled credentials from a memory dump when the KPM extension for Google Chrome is used. To exploit the issue, an attacker must trick a user into visiting a login form of a website with the saved credentials, and the KPM extension must autofill these credentials. The attacker must then launch a malware module to steal those specific credentials. |
| In Esri Portal for ArcGIS versions 10.8.1, a system property is not properly encrypted. This may lead to a local user reading sensitive information from a properties file. |
|
IBM Robotic Process Automation 20.12 through 21.0.6 could allow an attacker with physical access to the system to obtain highly sensitive information from system memory. IBM X-Force ID: 238053.
|
|
Communication between the client and the server application of the affected products is partially done using CORBA (Common Object Request Broker Architecture) over TCP/IP. This protocol is not encrypted and allows tracing of internal messages.
This issue affects
* FOXMAN-UN product: FOXMAN-UN R15B, FOXMAN-UN R15A, FOXMAN-UN R14B, FOXMAN-UN R14A, FOXMAN-UN R11B, FOXMAN-UN R11A, FOXMAN-UN R10C, FOXMAN-UN R9C;
* UNEM product: UNEM R15B, UNEM R15A, UNEM R14B, UNEM R14A, UNEM R11B, UNEM R11A, UNEM R10C, UNEM R9C.
List of CPEs:
* cpe:2.3:a:hitachienergy:foxman-un:R15B:*:*:*:*:*:*:*
* cpe:2.3:a:hitachienergy:foxman-un:R15A:*:*:*:*:*:*:*
* cpe:2.3:a:hitachienergy:foxman-un:R14B:*:*:*:*:*:*:*
* cpe:2.3:a:hitachienergy:foxman-un:R14A:*:*:*:*:*:*:*
* cpe:2.3:a:hitachienergy:foxman-un:R11B:*:*:*:*:*:*:*
* cpe:2.3:a:hitachienergy:foxman-un:R11A:*:*:*:*:*:*:*
* cpe:2.3:a:hitachienergy:foxman-un:R10C:*:*:*:*:*:*:*
* cpe:2.3:a:hitachienergy:foxman-un:R9C:*:*:*:*:*:*:*
* cpe:2.3:a:hitachienergy:unem:R15B:*:*:*:*:*:*:*
* cpe:2.3:a:hitachienergy:unem:R15A:*:*:*:*:*:*:*
* cpe:2.3:a:hitachienergy:unem:R14B:*:*:*:*:*:*:*
* cpe:2.3:a:hitachienergy:unem:R14A:*:*:*:*:*:*:*
* cpe:2.3:a:hitachienergy:unem:R11B:*:*:*:*:*:*:*
* cpe:2.3:a:hitachienergy:unem:R11A:*:*:*:*:*:*:*
* cpe:2.3:a:hitachienergy:unem:R10C:*:*:*:*:*:*:*
* cpe:2.3:a:hitachienergy:unem:R9C:*:*:*:*:*:*:*
|
|
IBM Security Verify Governance 10.0 stores user credentials in plain clear text which can be read by a local user. IBM X-Force ID: 225232.
|
| Unproper laxist permissions on the temporary files used by MIME4J TempFileStorageProvider may lead to information disclosure to other local users. This issue affects Apache James MIME4J version 0.8.8 and prior versions.
We recommend users to upgrade to MIME4j version 0.8.9 or later.
|
| Cleartext transmission of sensitive information issue exists in Wi-Fi AP UNIT 'AC-WPS-11ac series'. If exploited, a man-in-the-middle attack may allow a remote unauthenticated attacker to eavesdrop the communication and obtain the authentication information. |
| Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in GitHub repository usememos/memos prior to 0.9.0. |
