CVE-2021-32612
The CVE-2021-32612 entry concerns the VeryFitPro Android app (package com.veryfit2hr.second, version 3.2.8). The connected sources confirm that the app performs all communication with the backend API over cleartext HTTP, including login, registration, and password-change requests. Root cause stat...
CVE-2021-3003
Agenzia delle Entrate Desktop Telematico 1.0.0 contacts the jws.agenziaentrate.it server over cleartext HTTP, which allows man-in-the-middle attackers to spoof product updates...
Design/Logic Flaw
Agenzia delle Entrate Desktop Telematico 1.0.0 contacts the jws.agenziaentrate.it server over cleartext HTTP, which allows man-in-the-middle attackers to spoof product updates...
CVE-2021-27574
An issue was discovered in Emote Remote Mouse through 4.0.0.0. It uses cleartext HTTP to check, and request, updates. Thus, attackers can machine-in-the-middle a victim to download a malicious binary in place of the real update, with no SSL errors or warnings...
Design/Logic Flaw
An issue was discovered in Emote Remote Mouse through 4.0.0.0. It uses cleartext HTTP to check, and request, updates. Thus, attackers can machine-in-the-middle a victim to download a malicious binary in place of the real update, with no SSL errors or warnings...
CVE-2021-27574
The CVE-2021-27574 issue affects Emote Remote Mouse up to version 4.0.0.0, where the update mechanism uses cleartext HTTP to check and fetch updates. This design enables a man-in-the-middle attacker to replace a legitimate update with a malicious binary without triggering SSL errors or warnings. ...
Ubuntu 18.04 LTS / 20.04 LTS : Unbound vulnerabilities (USN-4938-1)
The remote Ubuntu 18.04 LTS / 20.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-4938-1 advisory. It was discovered that Unbound contained multiple security issues. A remote attacker could possibly use these issues to cause a denial of...
CVE-2019-25031
Unbound before 1.9.5 allows configuration injection in createunboundadservers.sh upon a successful man-in-the-middle attack against a cleartext HTTP session. NOTE: The vendor does not consider this a vulnerability of the Unbound software. createunboundadservers.sh is a contributed script from the...
UBUNTU-CVE-2019-25031
Unbound before 1.9.5 allows configuration injection in createunboundadservers.sh upon a successful man-in-the-middle attack against a cleartext HTTP session. NOTE: The vendor does not consider this a vulnerability of the Unbound software. createunboundadservers.sh is a contributed script from the...
CVE-2021-27209
In the management interface on TP-Link Archer C5v 1.7181221 devices, credentials are sent in a base64 format over cleartext HTTP...
CVE-2020-11718
An issue was discovered in Programi Bilanc build 007 release 014 31.01.2020 and below. Its software-update packages are downloaded via cleartext HTTP...
Design/Logic Flaw
An issue was discovered in Programi Bilanc build 007 release 014 31.01.2020 and below. Its software-update packages are downloaded via cleartext HTTP...
CVE-2020-11718
CVE-2020-11718 affects Programi Bilanc build 007 release 014 (and earlier). The issue is that software-update packages are downloaded via cleartext HTTP, exposing update delivery to eavesdropping or tampering. NVD attributes a CVSS‑2 base score of 5.8 (PARTIAL confidentiality and integrity impact...
H2Csmuggler - HTTP Request Smuggling Over HTTP/2 Cleartext (H2C)
h2cSmuggler smuggles HTTP traffic past insecure edge-server proxypass configurations by establishing HTTP/2 cleartext h2c communications with h2c-compatible back-end servers, allowing a bypass of proxy rules and access controls. See my detailed write-up below for: Technical breakdown of the...
CVE-2020-11614
Mids' Reborn Hero Designer 2.6.0.7 downloads the update manifest, as well as update files, over cleartext HTTP. Additionally, the application does not perform file integrity validation for files after download. An attacker can perform a man-in-the-middle attack against this connection and replace...
CVE-2020-11614
The CVE-2020-11614 entry concerns Mids’ Reborn Hero Designer 2.6.0.7. The vulnerability arises because the application downloads the update manifest and update files over cleartext HTTP and does not perform file integrity validation after download. This enables a man-in-the-middle attacker to rep...