CWE-523 · Unprotected Transport of Credentials
21 CVEs classified under CWE-523 (Unprotected Transport of Credentials). Browse by severity and year.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2025-57800 | High | 8.8 | 2025-08-22 | Audiobookshelf is an open-source self-hosted audiobook server. In versions 2.6.0 through 2.26.3, the application does not properly restrict redirect callback U… |
| CVE-2017-16731 | High | 8.8 | 2017-12-20 | An Unprotected Transport of Credentials issue was discovered in ABB Ellipse 8.3 through Ellipse 8.9 released prior to December 2017 (including Ellipse Select)… |
| CVE-2025-64309 | High | 8.6 | 2025-11-14 | Brightpick Mission Control discloses device telemetry, configuration, and credential information via WebSocket traffic to unauthenticated users when they con… |
| CVE-2021-32003 | High | 8.0 | 2021-08-05 | Unprotected Transport of Credentials vulnerability in SiteManager provisioning service allows local attacker to capture credentials if the service is used afte… |
| CVE-2025-61916 | High | 7.9 | 2026-01-05 | Spinnaker is an open source, multi-cloud continuous delivery platform. Versions prior to 2025.1.6, 2025.2.3, and 2025.3.0 are vulnerable to server-side request… |
| CVE-2025-66029 | High | 7.6 | 2025-12-17 | Open OnDemand provides remote web access to supercomputers. In versions 4.0.8 and prior, the Apache proxy allows sensitive headers to be passed to origin serve… |
| CVE-2025-64308 | High | 7.5 | 2025-11-14 | The Brightpick Mission Control web application exposes hardcoded credentials in its client-side JavaScript bundle. |
| CVE-2023-31277 | High | 7.5 | 2023-07-06 | PiiGAB M-Bus transmits credentials in plaintext format. |
| CVE-2022-31805 | High | 7.5 | 2022-06-24 | In the CODESYS Development System multiple components in multiple versions transmit the passwords for the communication between clients and servers unprotected. |
| CVE-2021-38460 | High | 7.5 | 2021-10-12 | A path traversal vulnerability in the Moxa MXview Network Management software Versions 3.x to 3.2.2 may allow an attacker to create or overwrite critical files… |
| CVE-2025-41705 | Medium | 6.8 | 2025-10-14 | An unauthenticated remote attacker (MITM) can intercept the websocket messages to gain access to the login credentials for the Webfrontend. |
| CVE-2026-23635 | Medium | 6.5 | 2026-03-25 | Kiteworks is a private data network (PDN). In Kiteworks Secure Data Forms prior to version 9.2.1, a misconfiguration of the security attributes could potential… |
| CVE-2024-1102 | Medium | 6.5 | 2024-04-25 | A vulnerability was found in jberet-core logging. An exception in 'dbProperties' might display user credentials such as the username and password for the datab… |
| CVE-2024-20395 | Medium | 6.4 | 2024-07-17 | A vulnerability in the media retrieval functionality of Cisco Webex App could allow an unauthenticated, adjacent attacker to gain access to sensitive session i… |
| CVE-2026-36610 | Medium | 5.9 | 2026-06-03 | Mercusys AC12G (EU) V1 with firmware AC12G(EU)_V1_200909 transmits DDNS credentials over plaintext HTTP with only Base64 encoding. The firmware contains no TLS… |
| CVE-2026-8673 | Medium | 5.9 | 2026-05-22 | Unprotected transport of credentials vulnerability in syslink software AG Avantra on Linux, Windows allows Sniffing Attacks. This issue affects Avantra: befor… |
| CVE-2023-22862 | Medium | 5.9 | 2023-06-04 | IBM Aspera Connect 4.2.5 and IBM Aspera Cargo 4.2.5 transmits authentication credentials, but it uses an insecure method that is susceptible to unauthorized in… |
| CVE-2024-1509 | | | 2025-02-28 | Brocade ASCG before 3.2.0 Web Interface is not enforcing HSTS, as defined by RFC 6797. HSTS is an optional response header that can be configured on the ser… |
| CVE-2024-4188 | | | 2024-07-30 | Unprotected Transport of Credentials vulnerability in OpenText™ Documentum™ Server could allow Credential Stuffing. This issue affects Documentum™ Server: from… |
| CVE-2023-28708 | | | 2023-03-22 | When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, session cookie… |