CWE-319: Cleartext Transmission of Sensitive Information
843 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE.
CVEs classified under CWE-319 (page 11 of 17)
- CVE-2023-0864 | HIGH | CVSS 7.1 | EG 7.1 | 2023-05-17
Cleartext Transmission of Sensitive Information vulnerability in ABB Terra AC wallbox (UL40/80A), ABB Terra AC wallbox (UL32A), ABB Terra AC wallbox (CE) (Terra AC MID), ABB Terra AC wallbox (CE) Terra AC Juno CE, ABB Terra AC wallbox (CE)…
- CVE-2023-0922 | MEDIUM | CVSS 5.9 | EG 5.9 | 2023-04-03
The Samba AD DC administration tool, when operating against a remote LDAP server, will by default send new or reset passwords over a signed-only connection.
- CVE-2023-1656 | HIGH | CVSS 7.5 | EG 7.5 | 2023-03-29
Cleartext Transmission of Sensitive Information vulnerability in ForgeRock Inc. OpenIDM and Java Remote Connector Server (RCS) LDAP Connector on Windows, MacOS, Linux allows Remote Services with Stolen Credentials.This issue affects OpenID…
- CVE-2023-1802 | MEDIUM | CVSS 5.9 | EG 7.5 | 2023-04-06
In Docker Desktop 4.17.x the Artifactory Integration falls back to sending registry credentials over plain HTTP if the HTTPS health check has failed. A targeted network sniffing attack can lead to a disclosure of sensitive information. On…
- CVE-2023-1831 | HIGH | CVSS 7.2 | EG 7.5 | 2023-04-17
Mattermost fails to redact from audit logs the user password during user creation and the user password hash in other operations if the experimental audit logging configuration was enabled (ExperimentalAuditSettings section in config).
- CVE-2023-1899 | CRITICAL | CVSS 9.4 | EG 9.4 | 2023-06-12
Atlas Copco Power Focus 6000 web server is not a secure connection by default, which could allow an attacker to gain sensitive information by monitoring network traffic between user and controller.
- CVE-2023-21219 | HIGH | CVSS 7.5 | EG 7.5 | 2023-06-28
there is a possible use of unencrypted transport over cellular networks due to an insecure default value. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for e…
- CVE-2023-21220 | HIGH | CVSS 7.5 | EG 7.5 | 2023-06-28
there is a possible use of unencrypted transport over cellular networks due to an insecure default value. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for e…
- CVE-2023-22597 | MEDIUM | CVSS 6.5 | EG 5.9 | 2023-01-12
InHand Networks InRouter 302, prior to version IR302 V3.5.56, and InRouter 615, prior to version InRouter6XX-S-V2.3.0.r5542, contain vulnerability CWE-319: Cleartext Transmission of Sensitive Information. They use an unsecured channel to …
- CVE-2023-22806 | HIGH | CVSS 7.5 | EG 7.5 | 2023-02-15
LS ELECTRIC XBC-DN32U with operating system version 01.80 transmits sensitive information in cleartext when communicating over its XGT protocol. This could allow an attacker to gain sensitive information such as user credentials.
- CVE-2023-22863 | MEDIUM | CVSS 5.9 | EG 5.9 | 2023-01-18
IBM Robotic Process Automation 20.12.0 through 21.0.2 defaults to HTTP in some RPA commands when the prefix is not explicitly specified in the URL. This could allow an attacker to obtain sensitive information using man in the middle techn…
- CVE-2023-22870 | MEDIUM | CVSS 5.9 | EG 5.9 | 2023-09-05
IBM Aspera Faspex 5.0.5 transmits sensitive information in cleartext which could be obtained by an attacker using man in the middle techniques. IBM X-Force ID: 244121.
- CVE-2023-23130 | MEDIUM | CVSS 5.9 | EG 5.9 | 2023-02-01
Connectwise Automate 2022.11 is vulnerable to Cleartext authentication. Authentication is being done via HTTP (cleartext) with SSL disabled. OTE: the vendor's position is that, by design, this is controlled by a configuration option in whi…
- CVE-2023-23371 | MEDIUM | CVSS 5.2 | EG 5.2 | 2023-10-06
A cleartext transmission of sensitive information vulnerability has been reported to affect QVPN Device Client. If exploited, the vulnerability could allow local authenticated administrators to read sensitive data via unspecified vectors. …
- CVE-2023-23841 | HIGH | CVSS 7.5 | EG 7.5 | 2023-06-15
SolarWinds Serv-U is submitting an HTTP request when changing or updating the attributes for File Share or File request. Part of the URL of the request discloses sensitive data.
- CVE-2023-23914 | CRITICAL | CVSS 9.1 | EG 9.1 | 2023-02-23
A cleartext transmission of sensitive information vulnerability exists in curl <v7.88.0 that could cause HSTS functionality fail when multiple URLs are requested serially. Using its HSTS support, curl can be instructed to use HTTPS instead…
- CVE-2023-23915 | MEDIUM | CVSS 6.5 | EG 6.5 | 2023-02-23
A cleartext transmission of sensitive information vulnerability exists in curl <v7.88.0 that could cause HSTS functionality to behave incorrectly when multiple URLs are requested in parallel. Using its HSTS support, curl can be instructed …
- CVE-2023-24440 | MEDIUM | CVSS 5.5 | EG 5.5 | 2023-01-26
Jenkins JIRA Pipeline Steps Plugin 2.0.165.v8846cf59f3db and earlier transmits the private key in plain text as part of the global Jenkins configuration form, potentially resulting in their exposure.
- CVE-2023-24547 | MEDIUM | CVSS 5.9 | EG 5.9 | 2023-12-06
On affected platforms running Arista MOS, the configuration of a BGP password will cause the password to be logged in clear text that can be revealed in local logs or remote logging servers by authenticated users, as well as appear in clea…
- CVE-2023-25016 | HIGH | CVSS 7.5 | EG 7.5 | 2023-02-06
Couchbase Server before 6.6.6, 7.x before 7.0.5, and 7.1.x before 7.1.2 exposes Sensitive Information to an Unauthorized Actor.
- CVE-2023-25070 | MEDIUM | CVSS 6.5 | EG 6.5 | 2023-05-10
Cleartext transmission of sensitive information exists in SkyBridge MB-A100/110 firmware Ver. 4.2.0 and earlier. If the telnet connection is enabled, a remote unauthenticated attacker may eavesdrop on or alter the administrator's communica…
- CVE-2023-25437 | HIGH | CVSS 8.8 | EG 8.8 | 2023-04-27
An issue was discovered in vTech VCS754 version 1.1.1.A before 1.1.1.H, allows attackers to gain escalated privileges and gain sensitive information due to cleartext passwords passed in the raw HTML.
- CVE-2023-25848 | MEDIUM | CVSS 5.3 | EG 5.3 | 2023-08-25
ArcGIS Enterprise Server versions 11.0 and below have an information disclosure vulnerability where a remote, unauthorized attacker may submit a crafted query that may result in a low severity information disclosure issue. The informatio…
- CVE-2023-27291 | MEDIUM | CVSS 4.5 | EG 4.5 | 2024-03-03
IBM Watson CP4D Data Stores 4.6.0, 4.6.1, 4.6.2, and 4.6.3 does not encrypt sensitive or critical information before storage or transmission which could allow an attacker to obtain sensitive information. IBM X-Force ID: 248740.
- CVE-2023-2754 | HIGH | CVSS 7.4 | EG 7.4 | 2023-08-03
The Cloudflare WARP client for Windows assigns loopback IPv4 addresses for the DNS Servers, since WARP acts as local DNS server that performs DNS queries in a secure manner, however, if a user is connected to WARP over an IPv6-capable netw…
- CVE-2023-27861 | MEDIUM | CVSS 5.9 | EG 5.9 | 2023-06-05
IBM Maximo Application Suite - Manage Component 8.8.0 and 8.9.0 transmits sensitive information in cleartext that could be intercepted by an attacker using man in the middle techniques. IBM X-Force ID: 249208.
- CVE-2023-27927 | MEDIUM | CVSS 6.5 | EG 6.5 | 2023-03-27
An authenticated malicious user could acquire the simple mail transfer protocol (SMTP) Password in cleartext format, despite it being protected and hidden behind asterisks. The attacker could then perform further attacks using the SMTP cre…
- CVE-2023-28348 | HIGH | CVSS 7.4 | EG 7.4 | 2023-05-31
An issue was discovered in Faronics Insight 10.0.19045 on Windows. A suitably positioned attacker could perform a man-in-the-middle attack on either a connected student or teacher, enabling them to intercept student keystrokes or modify ex…
- CVE-2023-28616 | HIGH | CVSS 7.5 | EG 7.5 | 2023-12-26
An issue was discovered in Stormshield Network Security (SNS) before 4.3.17, 4.4.x through 4.6.x before 4.6.4, and 4.7.x before 4.7.1. It affects user accounts for which the password has an equals sign or space character. The serverd proce…
- CVE-2023-29680 | MEDIUM | CVSS 5.7 | EG 5.7 | 2023-05-01
Cleartext Transmission in set-cookie:ecos_pw: Tenda N301 v6.0, Firmware v12.02.01.61_multi allows an authenticated attacker on the LAN or WLAN to intercept communications with the router and obtain the password.
- CVE-2023-29681 | MEDIUM | CVSS 5.7 | EG 5.7 | 2023-05-01
Cleartext Transmission in cookie:ecos_pw: in Tenda N301 v6.0, firmware v12.03.01.06_pt allows an authenticated attacker on the LAN or WLAN to intercept communications with the router and obtain the password.
- CVE-2023-3028 | HIGH | CVSS 8.6 | EG 8.6 | 2023-06-01
Insufficient authentication in the MQTT backend (broker) allows an attacker to access and even manipulate the telemetry data of the entire fleet of vehicles using the HopeChart HQT-401 telematics unit. Other models are possibly affected to…
- CVE-2023-30354 | CRITICAL | CVSS 9.8 | EG 6.8 | 2023-05-10
Shenzen Tenda Technology IP Camera CP3 V11.10.00.2211041355 does not defend against physical access to U-Boot via the UART: the Wi-Fi password is shown, and the hardcoded boot password can be inserted for console access.
- CVE-2023-30513 | HIGH | CVSS 7.5 | EG 7.5 | 2023-04-12
Jenkins Kubernetes Plugin 3909.v1f2c633e8590 and earlier does not properly mask (i.e., replace with asterisks) credentials in the build log when push mode for durable task logging is enabled.
- CVE-2023-30514 | HIGH | CVSS 7.5 | EG 7.5 | 2023-04-12
Jenkins Azure Key Vault Plugin 187.va_cd5fecd198a_ and earlier does not properly mask (i.e., replace with asterisks) credentials in the build log when push mode for durable task logging is enabled.
- CVE-2023-30515 | HIGH | CVSS 7.5 | EG 4.3 | 2023-04-12
Jenkins Thycotic DevOps Secrets Vault Plugin 1.0.0 and earlier does not properly mask (i.e., replace with asterisks) credentials in the build log when push mode for durable task logging is enabled.
- CVE-2023-30565 | LOW | CVSS 3.5 | EG 3.5 | 2023-07-13
An insecure connection between Systems Manager and CQI Reporter application could expose infusion data to an attacker.
- CVE-2023-30602 | HIGH | CVSS 7.5 | EG 7.5 | 2023-06-02
Hitron Technologies CODA-5310’s Telnet function transfers sensitive data in plaintext. An unauthenticated remote attacker can exploit this vulnerability to access credentials of normal users and administrator.
- CVE-2023-30841 | MEDIUM | CVSS 6.0 | EG 6.0 | 2023-04-26
Baremetal Operator (BMO) is a bare metal host provisioning integration for Kubernetes. Prior to version 0.3.0, ironic and ironic-inspector deployed within Baremetal Operator using the included `deploy.sh` store their `.htpasswd` files as C…
- CVE-2023-31193 | HIGH | CVSS 7.5 | EG 7.5 | 2023-05-22
Snap One OvrC Pro versions prior to 7.3 use HTTP connections when downloading a program from their servers. Because they do not use HTTPS, OvrC Pro devices are susceptible to exploitation.
- CVE-2023-31195 | MEDIUM | CVSS 5.3 | EG 5.3 | 2023-06-13
ASUS Router RT-AX3000 Firmware versions prior to 3.0.0.4.388.23403 uses sensitive cookies without 'Secure' attribute. When an attacker is in a position to be able to mount a man-in-the-middle attack, and a user is tricked to log into the a…
- CVE-2023-31300 | HIGH | CVSS 7.5 | EG 7.5 | 2023-12-29
An issue was discovered in Sesami Cash Point & Transport Optimizer (CPTO) version 6.3.8.6 (#718), allows remote attackers to obtain sensitive information via transmission of unencrypted, cleartext credentials during Password Reset feature.
- CVE-2023-31410 | CRITICAL | CVSS 9.8 | EG 9.8 | 2023-06-19
A remote unprivileged attacker can intercept the communication via e.g. Man-In-The-Middle, due to the absence of Transport Layer Security (TLS) in the SICK EventCam App. This lack of encryption in the communication channel can lead to the …
- CVE-2023-31823 | HIGH | CVSS 7.5 | EG 7.5 | 2023-07-13
An issue found in Marui Co Marui Official app v.13.6.1 allows a remote attacker to gain access to sensitive information via the channel access token in the miniapp Marui Official Store function.
- CVE-2023-32290 | HIGH | CVSS 7.5 | EG 7.5 | 2023-05-07
The myMail app through 14.30 for iOS sends cleartext credentials in a situation where STARTTLS is expected by a server.
- CVE-2023-32328 | HIGH | CVSS 7.5 | EG 7.5 | 2024-02-07
IBM Security Verify Access 10.0.0.0 through 10.0.6.1 uses insecure protocols in some instances that could allow an attacker on the network to take control of the server. IBM X-Force Id: 254957.
- CVE-2023-3272 | HIGH | CVSS 7.5 | EG 7.5 | 2023-07-10
Cleartext Transmission of Sensitive Information in the SICK ICR890-4 could allow a remote attacker to gather sensitive information by intercepting network traffic that is not encrypted.
- CVE-2023-32784 | HIGH | CVSS 7.5 | EG 7.5 | 2023-05-15
In KeePass 2.x before 2.54, it is possible to recover the cleartext master password from a memory dump, even when a workspace is locked or no longer running. The memory dump can be a KeePass process dump, swap file (pagefile.sys), hibernat…
- CVE-2023-33187 | MEDIUM | CVSS 5.4 | EG 5.4 | 2023-05-26
Highlight is an open source, full-stack monitoring platform. Highlight may record passwords on customer deployments when a password html input is switched to `type="text"` via a javascript "Show Password" button. This differs from the expe…
- CVE-2023-3361 | HIGH | CVSS 7.7 | EG 7.7 | 2023-10-04
A flaw was found in Red Hat OpenShift Data Science. When exporting a pipeline from the Elyra notebook pipeline editor as Python DSL or YAML, it reads S3 credentials from the cluster (ds pipeline server) and saves them in plain text in the …