| # | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail. | Description |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1 | CVE-2019-3907 | 326 | | | 2019-01-18 | 2019-01-24 | 5.0 | None | Remote | Low | Not required | Partial | None | None | Premisys Identicard version 3.1.190 stores user credentials and other sensitive information with a known weak encryption method (MD5 hash of a salt and password). |
| 2 | CVE-2018-19001 | 326 | | | 2018-12-07 | 2019-01-04 | 4.6 | None | Local | Low | Not required | Partial | Partial | Partial | Philips HealthSuite Health Android App, all versions. The software uses simple encryption that is not strong enough for the level of protection required. |
| 3 | CVE-2018-17177 | 326 | | | 2018-09-18 | 2018-12-07 | 2.1 | None | Local | Low | Not required | Partial | None | None | An issue was discovered on Neato Botvac Connected 2.2.0 and Botvac 85 1.2.1 devices. Static encryption is used for the copying of so-called "black box" logs (event logs and core dumps) to a USB stick. These logs are RC4-encrypted with a 9-character password of *^JEd4W!I that is obfuscated by hiding it within a custom /bin/rc4_crypt binary. |
| 4 | CVE-2018-15124 | 326 | | | 2018-08-13 | 2018-10-10 | 10.0 | None | Remote | Low | Not required | Complete | Complete | Complete | Weak hashing algorithm in Zipato Zipabox Smart Home Controller BOARD REV - 1 with System Version -118 allows unauthenticated attacker extract clear text passwords and get root access on the device. |
| 5 | CVE-2018-9028 | 326 | | | 2018-06-18 | 2018-08-09 | 5.0 | None | Remote | Low | Not required | Partial | None | None | Weak cryptography used for passwords in CA Privileged Access Manager 2.x reduces the complexity for password cracking. |
| 6 | CVE-2018-7242 | 326 | | | 2018-04-18 | 2018-12-05 | 5.0 | None | Remote | Low | Not required | Partial | None | None | Vulnerable hash algorithms exists in Schneider Electric's Modicon Premium, Modicon Quantum, Modicon M340, and BMXNOR0200 controllers in all versions of the communication modules. The algorithm used to encrypt the password is vulnerable to hash collision attacks. |
| 7 | CVE-2018-5461 | 326 | | +Info | 2018-03-06 | 2018-03-29 | 5.8 | None | Remote | Medium | Not required | Partial | Partial | None | An Inadequate Encryption Strength issue was discovered in Belden Hirschmann RS, RSR, RSB, MACH100, MACH1000, MACH4000, MS, and OCTOPUS Classic Platform Switches. An inadequate encryption strength vulnerability in the web interface has been identified, which may allow an attacker to obtain sensitive information through a successful man-in-the-middle attack. |
| 8 | CVE-2018-5298 | 326 | | | 2018-01-08 | 2018-01-31 | 5.0 | None | Remote | Low | Not required | Partial | None | None | In the Procter & Gamble "Oral-B App" (aka com.pg.oralb.oralbapp) application 5.0.0 for Android, AES encryption with static parameters is used to secure the locally stored shared preferences. An attacker can gain access to locally stored user data more easily by leveraging access to the preferences XML file. |
| 9 | CVE-2018-5184 | 326 | | | 2018-06-11 | 2018-11-25 | 5.0 | None | Remote | Low | Not required | Partial | None | None | Using remote content in encrypted messages can lead to the disclosure of plaintext. This vulnerability affects Thunderbird ESR < 52.8 and Thunderbird < 52.8. |
| 10 | CVE-2018-1814 | 326 | | | 2018-12-13 | 2019-01-02 | 5.0 | None | Remote | Low | Not required | Partial | None | None | IBM Security Access Manager Appliance 9.0.1.0, 9.0.2.0, 9.0.3.0, 9.0.4.0, and 9.0.5.0 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 150018. |
| 11 | CVE-2018-1785 | 326 | | | 2018-09-26 | 2018-11-13 | 5.0 | None | Remote | Low | Not required | Partial | None | None | IBM Tivoli Storage Manager (IBM Spectrum Protect 7.1 and 8.1) uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt sensitive information. IBM X-Force ID: 148870. |
| 12 | CVE-2018-1751 | 326 | | | 2019-01-23 | 2019-01-24 | 5.0 | None | Remote | Low | Not required | Partial | None | None | IBM Security Key Lifecycle Manager 3.0 through 3.0.0.2 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 148512. |
| 13 | CVE-2018-1665 | 326 | | | 2018-12-13 | 2019-01-08 | 5.0 | None | Remote | Low | Not required | Partial | None | None | IBM DataPower Gateway 7.6.0.0 through 7.6.0.10, 7.5.2.0 through 7.5.2.17, 7.5.1.0 through 7.5.1.17, 7.5.0.0 through 7.5.0.18, and 7.7.0.0 through 7.7.1.3 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 144891. |
| 14 | CVE-2018-1648 | 326 | | | 2018-12-05 | 2018-12-26 | 5.0 | None | Remote | Low | Not required | Partial | None | None | IBM QRadar SIEM 7.2 and 7.3 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 144653. |
| 15 | CVE-2018-1593 | 326 | | | 2018-10-02 | 2018-11-21 | 5.0 | None | Remote | Low | Not required | None | Partial | None | IBM Multi-Cloud Data Encryption (MDE) 2.1 could allow an unauthorized user to manipulate data due to missing file checksums. IBM X-Force ID: 143568. |
| 16 | CVE-2018-1545 | 326 | | | 2018-09-26 | 2018-11-13 | 5.0 | None | Remote | Low | Not required | Partial | None | None | IBM Tivoli Storage Manager (IBM Spectrum Protect 7.1 and 8.1) uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 142649. |
| 17 | CVE-2018-1518 | 326 | | +Info | 2018-10-18 | 2018-12-12 | 2.1 | None | Local | Low | Not required | Partial | None | None | IBM InfoSphere Information Server 11.7 is affected by a weak password encryption vulnerability that could allow a local user to obtain highly sensitive information. IBM X-Force ID: 141682. |
| 18 | CVE-2018-1466 | 326 | | | 2018-05-17 | 2018-06-15 | 3.5 | None | Remote | Medium | Single system | Partial | None | None | IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products (6.1, 6.2, 6.3, 6.4, 7.1, 7.2, 7.3, 7.4, 7.5, 7.6, 7.6.1, 7.7, 7.7.1, 7.8, 7.8.1, 8.1, and 8.1.1) use weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 140397. |
| 19 | CVE-2018-1425 | 326 | | | 2018-02-27 | 2018-03-16 | 4.3 | None | Remote | Medium | Not required | Partial | None | None | IBM Security Guardium Big Data Intelligence (SonarG) 3.1 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 139003. |
| 20 | CVE-2018-0448 | 326 | | Bypass | 2018-10-05 | 2019-01-09 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | A vulnerability in the identity management service of Cisco Digital Network Architecture (DNA) Center could allow an unauthenticated, remote attacker to bypass authentication and take complete control of identity management functions. The vulnerability is due to insufficient security restrictions for critical management functions. An attacker could exploit this vulnerability by sending a valid identity management request to the affected system. An exploit could allow the attacker to view and make unauthorized modifications to existing system users as well as create new users. |
| 21 | CVE-2018-0131 | 326 | | | 2018-08-14 | 2018-10-22 | 4.3 | None | Remote | Medium | Not required | Partial | None | None | A vulnerability in the implementation of RSA-encrypted nonces in Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to obtain the encrypted nonces of an Internet Key Exchange Version 1 (IKEv1) session. The vulnerability exists because the affected software responds incorrectly to decryption failures. An attacker could exploit this vulnerability sending crafted ciphertexts to a device configured with IKEv1 that uses RSA-encrypted nonces. A successful exploit could allow the attacker to obtain the encrypted nonces. Cisco Bug IDs: CSCve77140. |
| 22 | CVE-2017-1000486 | 326 | | Exec Code | 2018-01-03 | 2018-01-24 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | Primetek Primefaces 5.x is vulnerable to a weak encryption flaw resulting in remote code execution |
| 23 | CVE-2017-17543 | 326 | | | 2018-04-26 | 2018-06-11 | 5.0 | None | Remote | Low | Not required | Partial | None | None | Users' VPN authentication credentials are unsafely encrypted in Fortinet FortiClient for Windows 5.6.0 and below versions, FortiClient for Mac OSX 5.6.0 and below versions and FortiClient SSLVPN Client for Linux 4.4.2335 and below versions, due to the use of a static encryption key and weak encryption algorithms. |
| 24 | CVE-2017-17436 | 326 | | | 2017-12-06 | 2017-12-22 | 3.3 | None | Local Network | Low | Not required | Partial | None | None | An issue was discovered in the software on Vaultek Gun Safe VT20i products. There is no encryption of the session between the Android application and the safe. The website and marketing materials advertise that this communication channel is encrypted with "Highest Level Bluetooth Encryption" and "Data transmissions are secure via AES256 bit encryption." These claims, however, are not true. Moreover, AES256 bit encryption is not supported in the Bluetooth Low Energy (BLE) standard, so it would have to be at the application level. This lack of encryption allows an individual to learn the passcode by eavesdropping on the communications between the application and the safe. |
| 25 | CVE-2017-16726 | 326 | | | 2018-06-27 | 2018-08-31 | 6.4 | None | Remote | Low | Not required | Partial | Partial | None | Beckhoff TwinCAT supports communication over ADS. ADS is a protocol for industrial automation in protected environments. ADS has not been designed to achieve security purposes and therefore does not include any encryption algorithms because of their negative effect on performance and throughput. An attacker can forge arbitrary ADS packets when legitimate ADS traffic is observable. |
| 26 | CVE-2017-14797 | 326 | | Bypass | 2017-09-30 | 2017-11-20 | 7.9 | None | Local Network | Medium | Not required | Complete | Complete | Complete | Lack of Transport Encryption in the public API in Philips Hue Bridge BSB002 SW 1707040932 allows remote attackers to read API keys (and consequently bypass the pushlink protection mechanism, and obtain complete control of the connected accessories) by leveraging the ability to sniff HTTP traffic on the local intranet network. |
| 27 | CVE-2017-14090 | 326 | | | 2017-12-15 | 2017-12-26 | 6.4 | None | Remote | Low | Not required | Partial | Partial | None | A vulnerability in Trend Micro ScanMail for Exchange 12.0 exists in which some communications to the update servers are not encrypted. |
| 28 | CVE-2017-13699 | 326 | | | 2017-11-23 | 2018-11-30 | 5.0 | None | Remote | Low | Not required | Partial | None | None | An issue was discovered on MOXA EDS-G512E 5.1 build 16072215 devices. The password encryption method can be retrieved from the firmware. This encryption method is based on a chall value that is sent in cleartext as a POST parameter. An attacker could reverse the password encryption algorithm to retrieve it. |
| 29 | CVE-2017-12871 | 326 | | Bypass | 2017-09-01 | 2017-09-05 | 4.3 | None | Remote | Medium | Not required | Partial | None | None | The aesEncrypt method in lib/SimpleSAML/Utils/Crypto.php in SimpleSAMLphp 1.14.x through 1.14.11 makes it easier for context-dependent attackers to bypass the encryption protection mechanism by leveraging use of the first 16 bytes of the secret key as the initialization vector (IV). |
| 30 | CVE-2017-11317 | 326 | | Exec Code | 2017-08-23 | 2018-10-17 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | Telerik.Web.UI in Progress Telerik UI for ASP.NET AJAX before R1 2017 and R2 before R2 2017 SP2 uses weak RadAsyncUpload encryption, which allows remote attackers to perform arbitrary file uploads or execute arbitrary code. |
| 31 | CVE-2017-9645 | 326 | | | 2017-09-20 | 2017-10-05 | 3.3 | None | Local Network | Low | Not required | Partial | None | None | An Inadequate Encryption Strength issue was discovered in Mirion Technologies DMC 3000 Transmitter Module, iPam Transmitter f/DMC 2000, RDS-31 iTX and variants (including RSD31-AM Package), DRM-1/2 and variants (including Solar PWR Package), DRM and RDS Based Boundary Monitors, External Transmitters, Telepole II, and MESH Repeater (Telemetry Enabled Devices). Decryption of data is possible at the hardware level. |
| 32 | CVE-2017-9635 | 326 | | | 2018-05-18 | 2018-06-27 | 1.9 | None | Local | Medium | Not required | Partial | None | None | Schneider Electric Ampla MES 6.4 provides capability to configure users and their privileges. When Ampla MES users are configured to use Simple Security, a weakness in the password hashing algorithm could be exploited to reverse the user's password. Schneider Electric recommends that users of Ampla MES versions 6.4 and prior should upgrade to Ampla MES version 6.5 as soon as possible. |
| 33 | CVE-2017-8174 | 326 | | +Info | 2017-11-22 | 2017-12-12 | 5.0 | None | Remote | Low | Not required | Partial | None | None | Huawei USG6300 V100R001C30SPC300 and USG6600 with software of V100R001C30SPC500,V100R001C30SPC600,V100R001C30SPC700,V100R001C30SPC800 have a weak algorithm vulnerability. Attackers may exploit the weak algorithm vulnerability to crack the cipher text and cause confidential information leaks on the transmission links. |
| 34 | CVE-2017-8076 | 326 | | | 2017-04-23 | 2017-04-27 | 7.8 | None | Remote | Low | Not required | Complete | None | None | On the TP-Link TL-SG108E 1.0, admin network communications are RC4 encoded, even though RC4 is deprecated. This affects the 1.1.2 Build 20141017 Rel.50749 firmware. |
| 35 | CVE-2017-7903 | 326 | | | 2017-06-29 | 2017-07-07 | 5.0 | None | Remote | Low | Not required | Partial | None | None | A Weak Password Requirements issue was discovered in Rockwell Automation Allen-Bradley MicroLogix 1100 programmable-logic controllers 1763-L16AWA, Series A and B, Version 16.00 and prior versions; 1763-L16BBB, Series A and B, Version 16.00 and prior versions; 1763-L16BWA, Series A and B, Version 16.00 and prior versions; and 1763-L16DWD, Series A and B, Version 16.00 and prior versions and Allen-Bradley MicroLogix 1400 programmable logic controllers 1766-L32AWA, Series A and B, Version 16.00 and prior versions; 1766-L32BWA, Series A and B, Version 16.00 and prior versions; 1766-L32BWAA, Series A and B, Version 16.00 and prior versions; 1766-L32BXB, Series A and B, Version 16.00 and prior versions; 1766-L32BXBA, Series A and B, Version 16.00 and prior versions; and 1766-L32AWAA, Series A and B, Version 16.00 and prior versions. The affected products use a numeric password with a small maximum character size for the password. |
| 36 | CVE-2017-7888 | 326 | | | 2017-05-10 | 2017-05-15 | 5.0 | None | Remote | Low | Not required | Partial | None | None | Dolibarr ERP/CRM 4.0.4 stores passwords with the MD5 algorithm, which makes brute-force attacks easier. |
| 37 | CVE-2017-7229 | 326 | | DoS | 2017-05-03 | 2017-05-16 | 6.4 | None | Remote | Low | Not required | Partial | None | Partial | PGP/MIME encrypted messages injected into a Vaultive O365 (before 4.5.21) frontend via IMAP or SMTP have their Content-Type changed from 'Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="abc123abc123"' to 'Content-Type: text/plain' - this results in the encrypted message being structured in such a way that most PGP/MIME-capable mail user agents are unable to decrypt it cleanly. The outcome is that encrypted mail passing through this device does not work (Denial of Service), and a common real-world consequence is a request to resend the mail in the clear (Information Disclosure). |
| 38 | CVE-2017-6284 | 326 | | | 2018-03-06 | 2018-03-27 | 2.1 | None | Local | Low | Not required | Partial | None | None | NVIDIA Security Engine contains a vulnerability in the Deterministic Random Bit Generator (DRBG) where the DRBG does not properly initialize and store or transmits sensitive data using a weakened encryption scheme that is unable to protect sensitive data which may lead to information disclosure. This issue is rated as moderate. |
| 39 | CVE-2017-5999 | 326 | | | 2017-03-06 | 2017-03-15 | 5.0 | None | Remote | Low | Not required | Partial | None | None | An issue was discovered in sysPass 2.x before 2.1, in which an algorithm was never sufficiently reviewed by cryptographers. The fact that inc/SP/Core/Crypt.class is using the MCRYPT_RIJNDAEL_256() function (the 256-bit block version of Rijndael, not AES) instead of MCRYPT_RIJNDAEL_128 (real AES) could help an attacker to create unknown havoc in the remote system. |
| 40 | CVE-2017-5535 | 326 | | | 2018-05-01 | 2018-06-13 | 4.3 | None | Local Network | Medium | Not required | Partial | Partial | None | The GridServer Broker, GridServer Driver, and GridServer Engine components of TIBCO Software Inc. TIBCO DataSynapse GridServer Manager contain vulnerabilities related to both the improper use of encryption mechanisms and the use of weak ciphers. A malicious actor could theoretically compromise the traffic between any of the components. Affected releases include TIBCO Software Inc.'s TIBCO DataSynapse GridServer Manager: versions up to and including 5.1.3; 6.0.0; 6.0.1; 6.0.2; 6.1.0; 6.1.1; and 6.2.0. |
| 41 | CVE-2017-5239 | 326 | | | 2017-03-27 | 2017-03-30 | 5.0 | None | Remote | Low | Not required | Partial | None | None | Due to a lack of standard encryption when transmitting sensitive information over the internet to a centralized monitoring service, the Eview EV-07S GPS Tracker discloses personally identifying information, such as GPS data and IMEI numbers, to any man-in-the-middle (MitM) listener. |
| 42 | CVE-2017-5160 | 326 | | | 2017-04-20 | 2017-04-26 | 3.5 | None | Remote | Medium | Single system | Partial | None | None | An Inadequate Encryption Strength issue was discovered in Schneider Electric Wonderware InTouch Access Anywhere, version 11.5.2 and prior. The software will connect via Transport Layer Security without verifying the peer's SSL certificate properly. |
| 43 | CVE-2017-2598 | 326 | | | 2018-05-23 | 2018-06-26 | 4.0 | None | Remote | Low | Single system | Partial | None | None | Jenkins before versions 2.44, 2.32.2 uses AES ECB block cipher mode without IV for encrypting secrets which makes Jenkins and the stored secrets vulnerable to unnecessary risks (SECURITY-304). |
| 44 | CVE-2017-2391 | 326 | | Bypass | 2017-04-01 | 2017-07-11 | 5.0 | None | Remote | Low | Not required | Partial | None | None | An issue was discovered in certain Apple products. Pages before 6.1, Numbers before 4.1, and Keynote before 7.1 on macOS and Pages before 3.1, Numbers before 3.1, and Keynote before 3.1 on iOS are affected. The issue involves the "Export" component. It allows users to bypass iWork PDF password protection by leveraging use of 40-bit RC4. |
| 45 | CVE-2017-2380 | 326 | | Bypass | 2017-04-01 | 2017-06-21 | 5.0 | None | Remote | Low | Not required | Partial | None | None | An issue was discovered in certain Apple products. iOS before 10.3 is affected. The issue involves the Simple Certificate Enrollment Protocol (SCEP) implementation in the "Profiles" component. It allows remote attackers to bypass cryptographic protection mechanisms by leveraging DES support. |
| 46 | CVE-2017-1701 | 326 | | +Info | 2018-04-23 | 2018-05-23 | 4.0 | None | Remote | Low | Single system | Partial | None | None | IBM Team Concert (RTC) 5.0, 5.0.1, 5.0.2, 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, and 6.0.5 stores credentials for users using a weak encryption algorithm, which could allow an authenticated user to obtain highly sensitive information. IBM X-Force ID: 134393. |
| 47 | CVE-2017-1665 | 326 | | | 2018-01-04 | 2018-08-05 | 4.3 | None | Remote | Medium | Not required | Partial | None | None | IBM Tivoli Key Lifecycle Manager 2.5, 2.6, and 2.7 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 133559. |
| 48 | CVE-2017-1664 | 326 | | | 2018-01-04 | 2018-01-12 | 4.3 | None | Remote | Medium | Not required | Partial | None | None | IBM Tivoli Key Lifecycle Manager 2.5, 2.6, and 2.7 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 133557. |
| 49 | CVE-2017-1473 | 326 | | | 2018-04-23 | 2018-05-23 | 5.0 | None | Remote | Low | Not required | Partial | None | None | IBM Security Access Manager Appliance 8.0.0 through 8.0.1.6 and 9.0.0 through 9.0.3.1 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 128605. |
| 50 | CVE-2017-1375 | 326 | | | 2017-10-24 | 2017-11-13 | 5.0 | None | Remote | Low | Not required | Partial | None | None | IBM System Storage Storwize V7000 Unified (V7000U) 1.5 and 1.6 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 126868. |