| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| Incorrect Use of Privileged APIs, Cleartext Transmission of Sensitive Information, Insufficiently Protected Credentials vulnerability in Sechard Information Technologies SecHard allows Authentication Bypass, Interface Manipulation, Authentication Abuse, Harvesting Information via API Event Monitoring.
This issue affects SecHard: before 3.3.0.20220411. |
| Version 3.0.7 of the Securly Chrome Extension downloads JSON files containing crisis alert keywords and filtering rules over unencrypted HTTP via the Fetch API. Other endpoints in the same extension correctly fetch IWF and CIPA data over HTTPS, demonstrating an inconsistent implementation of TLS. |
| A cleartext transmission of sensitive information vulnerability in Synology Note Station Client before 2.2.4-703 allows man-in-the-middle attackers to obtain user credential. |
| Cleartext Transmission of Sensitive Information, Use of Hard-coded Credentials vulnerability in Ataturk University ATA-AOF Mobile Application allows Authentication Abuse, Authentication Bypass.
This issue affects ATA-AOF Mobile Application: before 20.06.2025. |
| Cleartext Transmission of Sensitive Information vulnerability in Dolusoft Omaspot allows Interception, Privilege Escalation.
This issue affects Omaspot: before 12.09.2025. |
| An issue was discovered in Django 6.0 before 6.0.6 and 5.2 before 5.2.15.
`django.core.mail.backends.smtp.EmailBackend` in Django fails to prevent reuse of a partially-initialized connection after a failed `STARTTLS` handshake when `fail_silently=True`, which allows on-path network attackers to read email content via cleartext interception.
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank Kasper Dupont for reporting this issue. |
| Cleartext Transmission of Sensitive Information vulnerability in Pan Software & Information Technologies Ltd. PanCafe Pro allows Flooding.
This issue affects PanCafe Pro: from < 3.3.2 through 23092025. |
| Mercusys AC12G (EU) V1 with firmware AC12G(EU)_V1_200909 transmits DDNS credentials over plaintext HTTP with only Base64 encoding. The firmware contains no TLS implementation, allowing man-in-the-middle interception of DDNS service credentials. |
| This vulnerability exists in GX Earth ONT models due to the transmission of user credentials in plaintext over HTTP in its web management interface. A remote attacker could exploit this vulnerability by intercepting network traffic to obtain sensitive authentication information, which could lead to unauthorized access to the targeted device. |
| TP-Link has identified a vulnerability in Tapo L535E v1.0 and v3.0, Tapo P300 v1.0, and Tapo D100C v1.0, where Bluetooth communication during the initial setup phase is transmitted in cleartext without encryption. Bluetooth is only used during initialization.
An attacker within the Bluetooth range could exploit this behavior using Bluetooth sniffing or man-in-the-middle techniques, which may allow eavesdropping on Bluetooth communication, manipulate transmitted setup data and potentially gain unauthorized control of the device during initialization.
An attacker
within the Bluetooth range could exploit this behavior using Bluetooth sniffing
or man-in-the-middle techniques, which may allow eavesdropping on Bluetooth
communication, manipulate transmitted setup data and potentially gain
unauthorized control of the device during initialization.
D100C is the
chime delivered with your Tapo camera, and it is delivered with the following
Tapo products:
D130, D210, D235,
D225, TD21, TDB21 and TD25 |
| Proxy server in Graph Explorer before 3.0.1 falls back to HTTP when certificate files are missing, which might allow remote threat actors to obtain sensitive information via interception of requests intended to be sent over HTTPS.
To remediate this issue, users should upgrade to Graph Explorer v3.0.1 or later. |
| A flaw was found in libsoup. When establishing HTTPS tunnels through a configured HTTP proxy, sensitive session cookies are transmitted in cleartext within the initial HTTP CONNECT request. A network-positioned attacker or a malicious HTTP proxy can intercept these cookies, leading to potential session hijacking or user impersonation. |
| Echelon SmartServer 1 all versions, SmartServer 2 all versions prior to release 4.11.007, i.LON 100 all versions, and i.LON 600 all versions. The devices allow unencrypted Web connections by default, and devices can receive configuration and firmware updates by unsecure FTP. |
| Omron CX-One CX-Programmer before 9.6, CJ2M PLC devices before 2.1, and CJ2H PLC devices before 1.5 rely on cleartext password transmission, which allows remote attackers to obtain sensitive information by sniffing the network during a PLC unlock request. |
| Missing authentication and clear‑text transmission of data from the heat pumps to the control server, combined with the absence of input validation on aggregated data, can lead to stored XSS that enables theft of cookies from the pump’s web control interface. Older Orca heat pump devices communicating with the Orca server over an
unencrypted and unauthenticated HTTP connection on a non-secure port specifically enable an
attacker to impersonate a legitimate device and inject malicious
payloads. This enables the insertion of harmful code directly
into the Orca user portal, potentially compromising user accounts,
exposing sensitive information, and allowing further unauthorized
actions within the portal. |
| CodexBar prior to 0.32.0 contains a session cookie leakage vulnerability that allows network attackers to intercept imported browser session cookies by exploiting improper redirect handling for Amp and Ollama provider sessions. Attackers can position themselves on the network path to receive cleartext HTTP requests carrying imported session cookies when a provider-controlled redirect target issues a redirect to a cleartext HTTP endpoint within the same provider domain. |
| Cleartext Transmission of Sensitive Information in the SICK ICR890-4 could allow a
remote attacker to gather sensitive information by intercepting network traffic that is not encrypted. |
| A CWE-319: Cleartext transmission of sensitive information vulnerability exists in PowerLogic ION7400, ION7650, ION7700/73xx, ION83xx/84xx/85xx/8600, ION8650, ION8800, ION9000 and PM800 (see notification for affected versions), that could cause disclosure of user credentials when a malicious actor intercepts Telnet network traffic between a user and the device. |
| The password and username reset features created plain http links for https connections if the "Force SSL" flag wasn't explicitly set. |
| A CWE-319: Cleartext Transmission of Sensitive Information vulnerability exists which could leak sensitive information transmitted between the software and the Modicon M218, M241, M251, and M258 controllers. |
