| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| ** UNSUPPORTED WHEN ASSIGNED ** This vulnerability exists in D3D Security IP Camera D8801 due to usage of weak authentication scheme of the HTTP header protocol where authorization tag contain a Base-64 encoded username and password. A remote attacker could exploit this vulnerability by crafting a HTTP packet leading to exposure of user credentials of the targeted device. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. |
| The Kiuwan Local Analyzer (KLA) Java scanning application contains several
hard-coded secrets in plain text format. In some cases, this can
potentially compromise the confidentiality of the scan results. Several credentials were found in the JAR files of the Kiuwan Local Analyzer.
The
JAR file "lib.engine/insight/optimyth-insight.jar" contains the file
"InsightServicesConfig.properties", which has the configuration tokens
"insight.github.user" as well as "insight.github.password" prefilled
with credentials. At least the specified username corresponds to a valid
GitHub account. The
JAR file "lib.engine/insight/optimyth-insight.jar" also contains the
file "es/als/security/Encryptor.properties", in which the key used for
encrypting the results of any performed scan.
This issue affects Kiuwan SAST: <master.1808.p685.q13371 |
| Cleartext transmission of sensitive information for some BigDL software maintained by Intel(R) before version 2.5.0 may allow an authenticated user to potentially enable denial of service via adjacent access. |
| Emerson ValveLink Products store sensitive information in cleartext in memory. The
sensitive memory might be saved to disk, stored in a core dump, or
remain uncleared if the product crashes, or if the programmer does not
properly clear the memory before freeing it. |
| A protocol flaw vulnerability exists in the Xiaomi Mi Connect Service APP. The vulnerability is caused by the validation logic is flawed and can be exploited by attackers to leak sensitive user information. |
| Coredump binaries in Toshiba printers have incorrect permissions. A local attacker can steal confidential information. As for the affected products/models/versions, see the reference URL. |
| The device uses an unencrypted, proprietary protocol for communication. Through this protocol, configuration data is transmitted and device authentication is performed. An attacker can thereby intercept the authentication hash and use it to log into the device using a pass-the-hash attack. |
| An issue was discovered on Marbella KR8s Dashcam FF 2.0.8 devices. When a new SD card is inserted into the dashcam, the existing password is written onto the SD card in cleartext automatically. An attacker with temporary access to the dashcam can switch the SD card to steal this password. |
| A sensitive information disclosure vulnerability in Palo Alto Networks Prisma® Browser allows a locally authenticated non-admin user to retrieve sensitive data from Prisma Browser.
Browser self-protection should be enabled to mitigate this issue. |
| An issue in MikroTik RouterOS v.7.14.2 and SwOS v.2.18 exposes the WebFig management interface over cleartext HTTP by default, allowing an on-path attacker to execute injected JavaScript in the administrator’s browser and intercept credentials. |
| General Industrial Controls Lynx+ Gateway is vulnerable to a cleartext transmission vulnerability that could allow
an attacker to observe network traffic to obtain sensitive information,
including plaintext credentials. |
| MicroServer copies parts of the system firmware to an unencrypted external SD card on boot, which contains user and vendor secrets. An attacker can utilize these plaintext secrets to modify the vendor firmware, or gain admin access to the web portal. |
| R Radio Network FM Transmitter 1.07 allows unauthenticated attackers to access the admin user's password through the system.cgi endpoint, enabling authentication bypass and FM station setup access. |
| Components of the YoSmart YoLink ecosystem through 2025-10-02 leverage unencrypted MQTT to communicate over the internet. An attacker with the ability to monitor network traffic could therefore obtain sensitive information or tamper with the traffic to control affected devices. This affects YoLink Hub 0382, YoLink Mobile Application 1.40.41, and YoLink MQTT Broker. NOTE: The vendor states that the vulnerability described (related to insecure transmission) only impacts the legacy mobile application logic, not the Hub hardware or firmware. The Hub functions solely as a pass-through (transparent gateway) for LoRa wireless data and does not inspect or process the application layer data. |
| An issue was discovered in the method push.lite.avtech.com.AvtechLib.GetHttpsResponse in AVTECH EagleEyes Lite 2.0.0, the GetHttpsResponse method transmits sensitive information - including internal server URLs, account IDs, passwords, and device tokens - as plaintext query parameters over HTTPS |
| NVIDIA Delegated Licensing Service for all appliance platforms contains a vulnerability where an User/Attacker may cause an authorized action. A successful exploit of this vulnerability may lead to information disclosure. |
| On affected platforms running Arista EOS with secure Vxlan configured, restarting the Tunnelsec agent will result in packets being sent over the secure Vxlan tunnels in the clear. |
| Aikaan IoT management platform v3.25.0325-5-g2e9c59796 sends a newly generated password to users in plaintext via email and also includes the same password as a query parameter in the account activation URL (e.g., https://domain.com/activate=xyz). This practice can result in password exposure via browser history, proxy logs, referrer headers, and email caching. The vulnerability impacts user credential confidentiality during initial onboarding. |
| A local, low-privileged attacker can learn the password of the connected controller in PLC Designer V4 due to an incorrect implementation that results in the password being displayed in plain text under special conditions. |
| An Information Disclosure vulnerability in the Telemetry component in TP-Link Kasa KP125M V1.0.0 and Tapo P125M 1.0.0 Build 220930 Rel.143947 allows attackers to observe device state via observing network traffic. |
