CWE-311— Missing Encryption of Sensitive Data
536 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-311page 1 of 11
- CVE-2007-4961HIGHCVSS 7.5EG 7.52007-09-18
The login_to_simulator method in Linden Lab Second Life, as used by the secondlife:// protocol handler and possibly other Second Life login mechanisms, sends an MD5 hash in cleartext in the passwd field, which allows remote attackers to lo…
- CVE-2010-3292MEDIUMCVSS 5.5EG 5.52019-11-12
The update{_bad,}_phishing_sites scripts in mailscanner 4.79.11-2 downloads files and trusts them without using encryption (e.g., https) or digital signature checking which could allow an attacker to replace certain configuration files (e.…
- CVE-2010-3299MEDIUMCVSS 6.5EG 6.52019-11-12
The encrypt/decrypt functions in Ruby on Rails 2.3 are vulnerable to padding oracle attacks.
- CVE-2011-3355HIGHCVSS 7.3EG 7.32019-11-25
evolution-data-server3 3.0.3 through 3.2.1 used insecure (non-SSL) connection when attempting to store sent email messages into the Sent folder, when the Sent folder was located on the remote server. An attacker could use this flaw to obta…
- CVE-2012-1977NONECVSS 0.0EG 0.02012-05-09
WellinTech KingSCADA 3.0 uses a cleartext base64 format for storage of passwords in user.db, which allows context-dependent attackers to obtain sensitive information by reading this file.
- CVE-2012-5474MEDIUMCVSS 5.5EG 5.52019-12-30
The file /etc/openstack-dashboard/local_settings within Red Hat OpenStack Platform 2.0 and RHOS Essex Release (python-django-horizon package before 2012.1.1) is world readable and exposes the secret key value.
- CVE-2014-2379NONECVSS 0.0EG 0.02014-09-05
Sensys Networks VSN240-F and VSN240-T sensors VDS before 2.10.1 and TrafficDOT before 2.10.3 do not use encryption, which allows remote attackers to interfere with traffic control by replaying transmissions on a wireless network.
- CVE-2014-6274HIGHCVSS 7.5EG 7.52025-06-26
git-annex had a bug in the S3 and Glacier remotes where if embedcreds=yes was set, and the remote used encryption=pubkey or encryption=hybrid, the embedded AWS credentials were stored in the git repository in (effectively) plaintext, not e…
- CVE-2015-0558MEDIUMCVSS 5.3EG 5.32020-01-14
The ADB (formerly Pirelli Broadband Solutions) P.DGA4001N router with firmware PDG_TEF_SP_4.06L.6, and possibly other routers, uses "1236790" and the MAC address to generate the WPA key.
- CVE-2015-3207MEDIUMCVSS 5.3EG 5.32022-07-07
In Openshift Origin 3 the cookies being set in console have no 'secure', 'HttpOnly' attributes.
- CVE-2016-10552HIGHCVSS 7.4EG 7.42018-05-31
igniteui 0.0.5 and earlier downloads JavaScript and CSS resources over insecure protocol.
- CVE-2016-10557HIGHCVSS 8.1EG 8.12018-05-31
appium-chromedriver is a Node.js wrapper around Chromedriver. Versions below 2.9.4 download binary resources over HTTP, which leaves the module vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping…
- CVE-2016-10558HIGHCVSS 8.1EG 8.12018-05-29
aerospike is an Aerospike add-on module for Node.js. aerospike versions below 2.4.2 download binary resources over HTTP, which leaves the module vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swappin…
- CVE-2016-10559HIGHCVSS 8.1EG 8.12018-05-29
selenium-download downloads the latest versions of the selenium standalone server and the chromedriver. selenium-download before 2.0.7 downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to …
- CVE-2016-10560HIGHCVSS 8.1EG 8.12018-05-31
galenframework-cli is the node wrapper for the Galen Framework. galenframework-cli below 2.3.1 download binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swap…
- CVE-2016-10562HIGHCVSS 8.1EG 8.12018-05-31
iedriver is an NPM wrapper for Selenium IEDriver. iedriver versions below 3.0.0 download binary resources over HTTP, which leaves the module vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping ou…
- CVE-2016-10563HIGHCVSS 8.1EG 8.12018-05-31
During the installation process, the go-ipfs-deps module before 0.4.4 insecurely downloads resources over HTTP. This allows for a MITM attack to compromise the integrity of the resources used by this module and could allow for further comp…
- CVE-2016-10564HIGHCVSS 8.1EG 8.12018-05-31
apk-parser is a tool to extract Android Manifest info from an APK file. apk-parser versions below 0.1.6 download binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE…
- CVE-2016-10565HIGHCVSS 8.1EG 8.12018-05-31
operadriver is a Opera Driver for Selenium. operadriver versions below 0.2.3 download binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the reque…
- CVE-2016-10566HIGHCVSS 8.1EG 8.12018-05-29
install-nw is a module which quickly and robustly installs and caches NW.js. install-nw versions below 1.1.5 download binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution…
- CVE-2016-10567HIGHCVSS 8.1EG 8.12018-05-29
product-monitor is a HTML/JavaScript template for monitoring a product by encouraging product developers to gather all the information about the status of a product, including live monitoring, statistics, endpoints, and test results into o…
- CVE-2016-10568HIGHCVSS 8.1EG 8.12018-05-29
geoip-lite-country is a stripped down version of geoip-lite, supporting only country lookup. geoip-lite-country before 1.1.4 downloads data resources over HTTP, which leaves it vulnerable to MITM attacks.
- CVE-2016-10569HIGHCVSS 8.1EG 8.12018-05-31
embedza is a module to create HTML snippets/embeds from URLs using info from oEmbed, Open Graph, meta tags. embedza versions below 1.2.4 download JavaScript resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possibl…
- CVE-2016-10570HIGHCVSS 8.1EG 8.12018-05-29
pngcrush-installer is an installer for Pngcrush. pngcrush-installer versions below 1.8.10 download binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping …
- CVE-2016-10571HIGHCVSS 8.1EG 8.12018-05-31
bkjs-wand is imagemagick wand support for node.js and backendjs bkjs-wand versions lower than 0.3.2 download binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by…
- CVE-2016-10572HIGHCVSS 8.1EG 8.12018-05-31
mongodb-instance before 0.0.3 installs mongodb locally. mongodb-instance downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requeste…
- CVE-2016-10573HIGHCVSS 8.1EG 8.12018-05-29
baryton-saxophone is a module to install and launch Selenium Server for Mac, Linux and Windows. baryton-saxophone versions below 3.0.1 download binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to c…
- CVE-2016-10574HIGHCVSS 8.1EG 8.12018-06-01
apk-parser3 is a module to extract Android Manifest info from an APK file. apk-parser3 versions before 0.1.3 download binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution…
- CVE-2016-10575HIGHCVSS 8.1EG 8.12018-06-01
Kindlegen is a simple Node.js wrapper of the official kindlegen program. Kindlegen versions before 1.1.0 download binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RC…
- CVE-2016-10576HIGHCVSS 8.1EG 8.12018-06-01
Fuseki server wrapper and management API in fuseki before 1.0.1 downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested resourc…
- CVE-2016-10577HIGHCVSS 8.1EG 8.12018-05-29
ibm_db is an asynchronous/synchronous interface for node.js to IBM DB2 and IBM Informix. ibm_db before 1.0.2 downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code executio…
- CVE-2016-10578HIGHCVSS 8.1EG 8.12018-05-29
unicode loads unicode data downloaded from unicode.org into nodejs. Unicode before 9.0.0 downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks.
- CVE-2016-10579HIGHCVSS 8.1EG 8.12018-06-01
Chromedriver is an NPM wrapper for selenium ChromeDriver. Chromedriver before 2.26.1 downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out …
- CVE-2016-10580HIGHCVSS 8.1EG 8.12018-06-01
nodewebkit is an installer for node-webkit. nodewebkit downloads zipped resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested zip file with an…
- CVE-2016-10581HIGHCVSS 8.1EG 8.12018-06-01
Steroids is PhoneGap on Steroids, providing native UI elements, multiple WebViews and enhancements for better developer productivity. steroids downloads zipped resources over HTTP, which leaves it vulnerable to MITM attacks. It may be poss…
- CVE-2016-10582HIGHCVSS 8.1EG 8.12018-06-01
closurecompiler is a Closure Compiler for node.js. closurecompiler downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested bina…
- CVE-2016-10583HIGHCVSS 8.1EG 8.12018-06-01
closure-utils is Utilities for Closure Library based projects. closure-utils downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requ…
- CVE-2016-10584HIGHCVSS 8.1EG 8.12018-05-29
dalek-browser-chrome-canary provides Google Chrome bindings for DalekJS. dalek-browser-chrome-canary downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) …
- CVE-2016-10585HIGHCVSS 8.1EG 8.12018-06-01
libxl provides Node bindings for the libxl library for reading and writing excel (XLS and XLSX) spreadsheets. libxl downloads zipped resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code e…
- CVE-2016-10586HIGHCVSS 8.1EG 8.12018-05-29
macaca-chromedriver is a Node.js wrapper for the selenium chromedriver. macaca-chromedriver before 1.0.29 downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (…
- CVE-2016-10587HIGHCVSS 8.1EG 8.12018-06-01
wasdk is a toolkit for creating WebAssembly modules. wasdk downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with …
- CVE-2016-10588HIGHCVSS 8.1EG 8.12018-06-01
nw is an installer for nw.js. nw downloads zipped resources over HTTP, It may be possible to cause remote code execution (RCE) by swapping out the requested zip file with an attacker controlled binary if the attacker is on the network or p…
- CVE-2016-10589HIGHCVSS 8.1EG 8.12018-05-29
selenium-binaries downloads Selenium related binaries for your OS. selenium-binaries downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out …
- CVE-2016-10590HIGHCVSS 8.1EG 8.12018-05-29
cue-sdk-node is a Corsair Cue SDK wrapper for node.js. cue-sdk-node downloads zipped resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested zip…
- CVE-2016-10591HIGHCVSS 8.1EG 8.12018-05-29
Prince is a Node API for executing XML/HTML to PDF renderer PrinceXML via prince(1) CLI. prince downloads zipped resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by sw…
- CVE-2016-10592HIGHCVSS 8.1EG 8.12018-06-01
jser-stat is a JSer.info stat library. jser-stat downloads data resources over HTTP, which leaves it vulnerable to MITM attacks.
- CVE-2016-10593HIGHCVSS 8.1EG 8.12018-05-29
ibapi is an Interactive Brokers API addon for NodeJS. ibapi downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. Before 2.5.6, it may be possible to cause remote code execution (RCE) by swapping out the request…
- CVE-2016-10594HIGHCVSS 8.1EG 5.92018-06-01
ipip is a Node.js module to query geolocation information for an IP or domain, based on database by ipip.net. ipip downloads data resources over HTTP, which leaves it vulnerable to MITM attacks.
- CVE-2016-10595HIGHCVSS 8.1EG 8.12018-06-01
jdf-sass is a fork from node-sass, jdf use only. jdf-sass downloads executable resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested file with…
- CVE-2016-10596HIGHCVSS 8.1EG 8.12018-06-01
imageoptim is a Node.js wrapper for some images compression algorithms. imageoptim downloads zipped resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out th…
Map vulnerabilities like CWE-311 to your infrastructure
EchelonGraph correlates every CVE — across CWE-311 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →