CVEbaza.plSłownik CWECWE-311
Common Weakness Enumeration

CWE-311

Missing Encryption of Sensitive Data

Kategoria: ClassCVE: 554
Opis

Produkt nie szyfruje danych wrażliwych lub krytycznych przed ich przechowaniem lub przesyłaniem. Brak właściwego szyfrowania może prowadzić do nieautoryzowanego dostępu do poufnych informacji.

Description (EN)

The product does not encrypt sensitive or critical information before storage or transmission.

Podatności CVE z CWE-311 (554)
10.0
CVSS
CRITICAL
CVE-2023-6339

Krytyczna podatność w firmware Google Nest WiFi Pro umożliwia zdalne wykonanie kodu z uprawnieniami root oraz naruszenie poufności danych użytkowników. Ocena CVSS 10.0 wskazuje na maksymalne ryzyko – atakujący nie potrzebuje żadnych poświadczeń ani interakcji ofiary.

pub. 2024-01-02
9.8
CVSS
CRITICAL
CVE-2026-27944

W aplikacji Nginx UI przed wersją 2.3.3 endpoint /api/backup był dostępny bez uwierzytelnienia i ujawniał klucze szyfrowania w nagłówku odpowiedzi HTTP. Umożliwia to nieuwierzytelnionemu atakującemu pobranie i natychmiastowe odszyfrowanie pełnej kopii zapasowej systemu zawierającej dane wrażliwe.

pub. 2026-03-05
9.8
CVSS
CRITICAL
CVE-2023-4420

A remote unprivileged attacker can intercept the communication via e.g. Man-In-The-Middle, due to the absence of Transport Layer Security (TLS) in the SICK LMS5xx. This lack of encryption in the communication channel can lead to the unauthorized disclosure of sensitive information. The attacker can exploit this weakness to eavesdrop on the communication between the LMS5xx and the Client, and potentially manipulate the data being transmitted.

pub. 2023-08-24
9.8
CVSS
CRITICAL
CVE-2023-0750

Yellobrik PEC-1864 implements authentication checks via javascript in the frontend interface.  When the device can be accessed over the network an attacker could bypass authentication. This would allow an attacker to : - Change the password, resulting in a DOS of the users - Change the streaming source, compromising the integrity of the stream - Change the streaming destination, compromising the confidentiality of the stream This issue affects Yellowbrik: PEC 1864. No patch has been issued by the manufacturer as this model was discontinued.

pub. 2023-04-06
9.8
CVSS
CRITICAL
CVE-2020-15331

Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has a hardcoded OAUTH_SECRET_KEY in /opt/axess/etc/default/axess.

pub. 2022-09-29
9.8
CVSS
CRITICAL
CVE-2019-14480

AdRem NetCrunch 10.6.0.4587 has an Improper Session Handling vulnerability in the NetCrunch web client, which can lead to an authentication bypass or escalation of privileges.

pub. 2020-12-16
9.8
CVSS
CRITICAL
CVE-2019-3431

All versions up to V4.01.01.02 of ZTE ZXCLOUD GoldenData VAP product have encryption problems vulnerability. Attackers could sniff unencrypted account and password through the network for front-end system access.

pub. 2019-12-23
9.8
CVSS
CRITICAL
CVE-2019-12924

MailEnable Enterprise Premium 10.23 was vulnerable to XML External Entity Injection (XXE) attacks that could be exploited by an unauthenticated user. It was possible for an attacker to use a vulnerability in the configuration of the XML processor to read any file on the host system. Because all credentials were stored in a cleartext file, it was possible to steal all users' credentials (including the highest privileged users).

pub. 2019-07-08
9.8
CVSS
CRITICAL
CVE-2018-10698

An issue was discovered on Moxa AWK-3121 1.14 devices. The device enables an unencrypted TELNET service by default. This allows an attacker who has been able to gain an MITM position to easily sniff the traffic between the device and the user. Also an attacker can easily connect to the TELNET daemon using the default credentials if they have not been changed by the user.

pub. 2019-06-07
9.8
CVSS
CRITICAL
CVE-2019-11523

Anviz Global M3 Outdoor RFID Access Control executes any command received from any source. No authentication/encryption is done. Attackers can fully interact with the device: for example, send the "open door" command, download the users list (which includes RFID codes and passcodes in cleartext), or update/create users. The same attack can be executed on a local network and over the internet (if the device is exposed on a public IP address).

pub. 2019-06-06
9.8
CVSS
CRITICAL
CVE-2019-11367

An issue was discovered in AUO Solar Data Recorder before 1.3.0. The web portal uses HTTP Basic Authentication and provides the account and password in the WWW-Authenticate attribute. By using this account and password, anyone can login successfully.

pub. 2019-06-03
9.8
CVSS
CRITICAL
CVE-2019-6526

Moxa IKS-G6824A series Versions 4.5 and prior, EDS-405A series Version 3.8 and prior, EDS-408A series Version 3.8 and prior, and EDS-510A series Version 3.8 and prior use plaintext transmission of sensitive data, which may allow an attacker to capture sensitive data such as an administrative password.

pub. 2019-04-15
9.8
CVSS
CRITICAL
CVE-2018-10612

In 3S-Smart Software Solutions GmbH CODESYS Control V3 products prior to version 3.5.14.0, user access management and communication encryption is not enabled by default, which could allow an attacker access to the device and sensitive information, including user credentials.

pub. 2019-01-29
9.8
CVSS
CRITICAL
CVE-2018-16879

Ansible Tower before version 3.3.3 does not set a secure channel as it is using the default insecure configuration channel settings for messaging celery workers from RabbitMQ. This could lead in data leak of sensitive information such as passwords as well as denial of service attacks by deleting projects or inventory files.

pub. 2019-01-03
9.8
CVSS
CRITICAL
CVE-2018-20100

An issue was discovered on August Connect devices. Insecure data transfer between the August app and August Connect during configuration allows attackers to discover home Wi-Fi credentials. This data transfer uses an unencrypted access point for these credentials, and passes them in an HTTP POST, using the AugustWifiDevice class, with data encrypted with a fixed key found obfuscated in the app.

pub. 2019-01-02
9.8
CVSS
CRITICAL
CVE-2018-17915

All versions of Hangzhou Xiongmai Technology Co., Ltd XMeye P2P Cloud Server do not encrypt all device communication. This includes the XMeye service and firmware update communication. This could allow an attacker to eavesdrop on video feeds, steal XMeye login credentials, or impersonate the update server with malicious update code.

pub. 2018-10-10
9.8
CVSS
CRITICAL
CVE-2017-3198

GIGABYTE BRIX UEFI firmware does not cryptographically validate images prior to updating the system firmware. Additionally, the firmware updates are served over HTTP. An attacker can make arbitrary modifications to firmware images without being detected.

pub. 2018-07-09
9.8
CVSS
CRITICAL
CVE-2018-7498

In Philips Alice 6 System version R8.0.2 or prior, the lack of proper data encryption passes up the guarantees of confidentiality, integrity, and accountability that properly implemented encryption conveys.

pub. 2018-03-28
9.8
CVSS
CRITICAL
CVE-2017-9632

A Missing Encryption of Sensitive Data issue was discovered in PDQ Manufacturing LaserWash G5 and G5 S Series all versions, LaserWash M5, all versions, LaserWash 360 and 360 Plus, all versions, LaserWash AutoXpress and AutoExpress Plus, all versions, LaserJet, all versions, ProTouch Tandem, all versions, ProTouch ICON, all versions, and ProTouch AutoGloss, all versions. The username and password are transmitted insecurely.

pub. 2017-08-07
9.8
CVSS
CRITICAL
CVE-2017-9854

An issue was discovered in SMA Solar Technology products. By sniffing for specific packets on the localhost, plaintext passwords can be obtained as they are typed into Sunny Explorer by the user. These passwords can then be used to compromise the overall device. NOTE: the vendor reports that exploitation likelihood is low because these packets are usually sent only once during installation. Also, only Sunny Boy TLST-21 and TL-21 and Sunny Tripower TL-10 and TL-30 could potentially be affected

pub. 2017-08-05
Pokazano 20 z 554 podatności
Informacje
ID: CWE-311
Typ: Class
Podatności: 554
MITRE CWE ↗
← Słownik CWE
CWE-311 — Brak szyfrowania danych wrażliwych | Słownik CWE | CVEbaza.pl