Total
1277 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2010-4533 | 2 Debian, Offlineimap | 2 Debian Linux, Offlineimap | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
offlineimap before 6.3.4 added support for SSL server certificate validation but it is still possible to use SSL v2 protocol, which is a flawed protocol with multiple security deficiencies.
|
|||||
| CVE-2010-4532 | 2 Debian, Offlineimap | 2 Debian Linux, Offlineimap | 2024-11-21 | 4.3 MEDIUM | 5.9 MEDIUM |
|
offlineimap before 6.3.2 does not check for SSL server certificate validation when "ssl = yes" option is specified which can allow man-in-the-middle attacks.
|
|||||
| CVE-2010-4237 | 1 Mercurial | 1 Mercurial | 2024-11-21 | 4.3 MEDIUM | 5.9 MEDIUM |
|
Mercurial before 1.6.4 fails to verify the Common Name field of SSL certificates which allows remote attackers who acquire a certificate signed by a Certificate Authority to perform a man-in-the-middle attack.
|
|||||
| CVE-2009-4123 | 1 Jruby | 1 Jruby-openssl | 2024-11-21 | N/A | 7.5 HIGH |
|
The jruby-openssl gem before 0.6 for JRuby mishandles SSL certificate validation.
|
|||||
| CVE-2009-3552 | 1 Redhat | 1 Enterprise Virtualization Manager | 2024-11-21 | 2.9 LOW | 3.1 LOW |
|
In RHEV-M VDC 2.2.0, it was found that the SSL certificate was not verified when using the client-side Red Hat Enterprise Virtualization Manager interface (a Windows Presentation Foundation (WPF) XAML browser application) to connect to the Red Hat Enterprise Virtualization Manager. An attacker on the local network could use this flaw to conduct a man-in-the-middle attack, tricking the user into thinking they are viewing the Red Hat Enterprise Virtualization Manager when the content is actually a ...
Show More |
|||||
| CVE-2007-5967 | 1 Mozilla | 1 Firefox | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
|
A flaw in Mozilla's embedded certificate code might allow web sites to install root certificates on devices without user approval.
|
|||||
| CVE-2006-7246 | 3 Gnome, Opensuse, Suse | 4 Networkmanager, Opensuse, Linux Enterprise Desktop and 1 more | 2024-11-21 | 3.2 LOW | 6.8 MEDIUM |
|
NetworkManager 0.9.x does not pin a certificate's subject to an ESSID when 802.11X authentication is used.
|
|||||
| CVE-2024-8285 | 1 Redhat | 1 Kroxylicious | 2024-11-13 | N/A | 5.9 MEDIUM |
|
A flaw was found in Kroxylicious. When establishing the connection with the upstream Kafka server using a TLS secured connection, Kroxylicious fails to properly verify the server's hostname, resulting in an insecure connection. For a successful attack to be performed, the attacker needs to perform a Man-in-the-Middle attack or compromise any external systems, such as DNS or network routing configuration. This issue is considered a high complexity attack, with additional high privileges required, ...
Show More |
|||||
| CVE-2024-51774 | 1 Qbittorrent | 1 Qbittorrent | 2024-11-06 | N/A | 8.1 HIGH |
|
qBittorrent before 5.0.1 proceeds with use of https URLs even after certificate validation errors.
|
|||||
| CVE-2024-31955 | 2024-10-30 | N/A | 4.9 MEDIUM | ||
|
An issue was discovered in Samsung eMMC with KLMAG2GE4A and KLM8G1WEMB firmware. Code bypass through Electromagnetic Fault Injection allows an attacker to successfully authenticate and write to the RPMB (Replay Protected Memory Block) area without possessing secret information.
|
|||||
| CVE-2024-39771 | 1 Safie | 4 Qbic Cloud Cc-2\/2l, Qbic Cloud Cc-2\/2l Firmware, Safie One and 1 more | 2024-10-28 | N/A | 6.8 MEDIUM |
|
QBiC CLOUD CC-2L v1.1.30 and earlier and Safie One v1.8.2 and earlier do not properly validate certificates, which may allow a network-adjacent unauthenticated attacker to obtain and/or alter communications of the affected product via a man-in-the-middle attack.
|
|||||
| CVE-2024-43177 | 1 Ibm | 1 Concert | 2024-10-25 | N/A | 9.8 CRITICAL |
|
IBM Concert 1.0.0 and 1.0.1 vulnerable to attacks that rely on the use of cookies without the SameSite attribute.
|
|||||
| CVE-2023-49567 | 1 Bitdefender | 1 Total Security | 2024-10-22 | N/A | 6.8 MEDIUM |
|
A vulnerability has been identified in the Bitdefender Total Security HTTPS scanning functionality where the product incorrectly checks the site's certificate, which allows an attacker to make MITM SSL connections to an arbitrary site. The product trusts certificates that are issued using the MD5 and SHA1 collision hash functions which allow attackers to create rogue certificates that appear legitimate.
|
|||||
| CVE-2023-6055 | 1 Bitdefender | 1 Total Security | 2024-10-22 | N/A | 7.4 HIGH |
|
A vulnerability has been identified in Bitdefender Total Security HTTPS scanning functionality where the software fails to properly validate website certificates. Specifically, if a site certificate lacks the "Server Authentication" specification in the Extended Key Usage extension, the product does not verify the certificate's compliance with the site, deeming such certificates as valid. This flaw could allow an attacker to perform a Man-in-the-Middle (MITM) attack, intercepting and potentially ...
Show More |
|||||
| CVE-2023-6056 | 1 Bitdefender | 1 Total Security | 2024-10-22 | N/A | 7.4 HIGH |
|
A vulnerability has been discovered in Bitdefender Total Security HTTPS scanning functionality that results in the improper trust of self-signed certificates. The product is found to trust certificates signed with the RIPEMD-160 hashing algorithm without proper validation, allowing an attacker to establish MITM SSL connections to arbitrary sites.
|
|||||
| CVE-2023-49570 | 1 Bitdefender | 1 Total Security | 2024-10-22 | N/A | 7.4 HIGH |
|
A vulnerability has been identified in Bitdefender Total Security HTTPS scanning functionality where the software trusts a certificate issued by an entity that isn't authorized to issue certificates. This occurs when the "Basic Constraints" extension in the certificate indicates that it is meant to be an "End Entity”. This flaw could allow an attacker to perform a Man-in-the-Middle (MITM) attack, intercepting and potentially altering communications between the user and the website.
|
|||||
| CVE-2023-6058 | 1 Bitdefender | 1 Total Security | 2024-10-22 | N/A | 6.8 MEDIUM |
|
A vulnerability has been identified in Bitdefender Safepay's handling of HTTPS connections. The issue arises when the product blocks a connection due to an untrusted server certificate but allows the user to add the site to exceptions, resulting in the product trusting the certificate for subsequent HTTPS scans. This vulnerability allows an attacker to perform a Man-in-the-Middle (MITM) attack by using a self-signed certificate, which the product will trust after the site has been added to excep ...
Show More |
|||||
| CVE-2024-43550 | 1 Microsoft | 14 Windows 10 1507, Windows 10 1607, Windows 10 1809 and 11 more | 2024-10-17 | N/A | 7.4 HIGH |
|
Windows Secure Channel Spoofing Vulnerability
|
|||||
| CVE-2024-22030 | 2024-10-16 | N/A | 8.0 HIGH | ||
|
A vulnerability has been identified within Rancher that can be exploited
in narrow circumstances through a man-in-the-middle (MITM) attack. An
attacker would need to have control of an expired domain or execute a
DNS spoofing/hijacking attack against the domain to exploit this
vulnerability. The targeted domain is the one used as the Rancher URL.
|
|||||
| CVE-2024-7206 | 2024-10-10 | N/A | N/A | ||
|
SSL Pinning Bypass in eWeLink Some hardware products allows local ATTACKER to Decrypt TLS communication and Extract secrets to clone the device via Flash the modified firmware
|
|||||
| CVE-2024-20385 | 1 Cisco | 1 Nexus Dashboard Orchestrator | 2024-10-08 | N/A | 5.9 MEDIUM |
|
A vulnerability in the SSL/TLS implementation of Cisco Nexus Dashboard Orchestrator (NDO) could allow an unauthenticated, remote attacker to intercept sensitive information from an affected device.
This vulnerability exists because the Cisco NDO Validate Peer Certificate site management feature validates the certificates for Cisco Application Policy Infrastructure Controller (APIC), Cisco Cloud Network Controller (CNC), and Cisco Nexus Dashboard only when a new site is added or an exist ...
Show More |
|||||
| CVE-2024-38324 | 1 Ibm | 1 Storage Defender | 2024-09-30 | N/A | 6.5 MEDIUM |
|
IBM Storage Defender 2.0.0 through 2.0.7 on-prem defender-sensor-cmd CLI does not validate server name during registration and unregistration operations which could expose sensitive information to an attacker with access to the system.
|
|||||
| CVE-2024-9160 | 2024-09-30 | N/A | N/A | ||
|
In versions of the PEADM Forge Module prior to 3.24.0 a security misconfiguration was discovered.
|
|||||
| CVE-2022-45856 | 1 Fortinet | 1 Forticlient | 2024-09-26 | N/A | 5.9 MEDIUM |
|
An improper certificate validation vulnerability [CWE-295] in FortiClientWindows 6.4 all versions, 7.0.0 through 7.0.7, FortiClientMac 6.4 all versions, 7.0 all versions, 7.2.0 through 7.2.4, FortiClientLinux 6.4 all versions, 7.0 all versions, 7.2.0 through 7.2.4, FortiClientAndroid 6.4 all versions, 7.0 all versions, 7.2.0 and FortiClientiOS 5.6 all versions, 6.0.0 through 6.0.1, 7.0.0 through 7.0.6 SAML SSO feature may allow an unauthenticated attacker to man-in-the-middle the communication b ...
Show More |
|||||
| CVE-2024-7383 | 2024-09-25 | N/A | 7.4 HIGH | ||
|
A flaw was found in libnbd. The client did not always correctly verify the NBD server's certificate when using TLS to connect to an NBD server. This issue allows a man-in-the-middle attack on NBD traffic.
|
|||||
| CVE-2024-8287 | 1 Canonical | 1 Anbox Cloud | 2024-09-24 | N/A | 7.5 HIGH |
|
Anbox Management Service, in versions 1.17.0 through 1.23.0, does not validate the TLS certificate provided to it by the Anbox Stream Agent. An attacker must be able to machine-in-the-middle the Anbox Stream Agent from within an internal network before they can attempt to take advantage of this.
|
|||||
| CVE-2024-31489 | 1 Fortinet | 1 Forticlient | 2024-09-20 | N/A | 8.1 HIGH |
|
AAn improper certificate validation vulnerability [CWE-295] in FortiClientWindows 7.2.0 through 7.2.2, 7.0.0 through 7.0.11, FortiClientLinux 7.2.0, 7.0.0 through 7.0.11 and FortiClientMac 7.0.0 through 7.0.11, 7.2.0 through 7.2.4 may allow a remote and unauthenticated attacker to perform a Man-in-the-Middle attack on the communication channel between the FortiGate and the FortiClient during the ZTNA tunnel creation
|
|||||
| CVE-2024-38642 | 1 Qnap | 1 Qumagie | 2024-09-16 | N/A | 7.8 HIGH |
|
An improper certificate validation vulnerability has been reported to affect QuMagie. If exploited, the vulnerability could allow local network users to compromise the security of the system via unspecified vectors.
We have already fixed the vulnerability in the following version:
QuMagie 2.3.1 and later
|
|||||
| CVE-2023-50315 | 1 Ibm | 1 Websphere Application Server | 2024-09-11 | N/A | 5.9 MEDIUM |
|
IBM WebSphere Application Server 8.5 and 9.0 could allow an attacker with access to the network to conduct spoofing attacks. An attacker could exploit this vulnerability using a certificate issued by a trusted authority to obtain sensitive information. IBM X-Force ID: 274714.
|
|||||
| CVE-2024-7570 | 1 Ivanti | 1 Neurons For Itsm | 2024-09-06 | N/A | 8.1 HIGH |
|
Improper certificate validation in Ivanti ITSM on-prem and Neurons for ITSM Versions 2023.4 and earlier allows a remote attacker in a MITM position to craft a token that would allow access to ITSM as any user.
|
|||||
| CVE-2024-41996 | 2024-08-26 | N/A | 7.5 HIGH | ||
|
Validating the order of the public keys in the Diffie-Hellman Key Agreement Protocol, when an approved safe prime is used, allows remote attackers (from the client side) to trigger unnecessarily expensive server-side DHE modular-exponentiation calculations. The client may cause asymmetric resource consumption. The basic attack scenario is that the client must claim that it can only communicate with DHE, and the server must be configured to allow DHE and validate the order of the public key.
|
|||||
| CVE-2023-50314 | 1 Ibm | 1 Websphere Application Server | 2024-08-23 | N/A | 7.5 HIGH |
|
IBM WebSphere Application Server Liberty 17.0.0.3 through 24.0.0.8 could allow an attacker with access to the network to conduct spoofing attacks. An attacker could exploit this vulnerability using a certificate issued by a trusted authority to obtain sensitive information. IBM X-Force ID: 274713.
|
|||||
| CVE-2024-37311 | 2024-08-23 | N/A | 8.2 HIGH | ||
|
Collabora Online is a collaborative online office suite based on LibreOffice. In affected versions of Collabora Online, https connections from coolwsd to other hosts may incompletely verify the remote host's certificate's against the full chain of trust. This vulnerability is fixed in Collabora Online 24.04.4.3, 23.05.14.1, and 22.05.23.1.
|
|||||
| CVE-2024-41264 | 1 Casbin | 1 Casdoor | 2024-08-16 | N/A | 7.5 HIGH |
|
An issue discovered in casdoor v1.636.0 allows attackers to obtain sensitive information via the ssh.InsecureIgnoreHostKey() method.
|
|||||
| CVE-2024-40464 | 1 Beego | 1 Beego | 2024-08-15 | N/A | 8.8 HIGH |
|
An issue in beego v.2.2.0 and before allows a remote attacker to escalate privileges via the sendMail function located in beego/core/logs/smtp.go file
|
|||||
| CVE-2024-42395 | 2 Arubanetworks, Hp | 2 Arubaos, Instantos | 2024-08-12 | N/A | 9.8 CRITICAL |
|
There is a vulnerability in the AP Certificate Management Service which could allow a threat actor to execute an unauthenticated RCE attack. Successful exploitation could allow an attacker to execute arbitrary commands on the underlying operating system leading to complete system compromise.
|
|||||
| CVE-2024-32865 | 1 Johnsoncontrols | 1 Exacqvision Server | 2024-08-09 | N/A | 7.3 HIGH |
|
Under certain circumstances the exacqVision Server will not properly validate TLS certificates provided by connected devices.
|
|||||