Search
Total
370 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2017-9577 | 1 Fcbl | 1 First Citizens Bank-mobile | 2018-10-03 | 4.3 MEDIUM | 5.9 MEDIUM |
| The "First Citizens Bank-Mobile Banking" by First Citizens Bank (AL) app 3.0.0 -- aka first-citizens-bank-mobile-banking/id566037101 for iOS does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | |||||
| CVE-2017-9572 | 1 Athensstatebank | 1 Athens State Bank Mobile | 2018-10-03 | 4.3 MEDIUM | 5.9 MEDIUM |
| The athens-state-bank-mobile-banking/id719748589 app 3.0.0 for iOS does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | |||||
| CVE-2017-9571 | 1 Ccbank | 1 Ccb Mobile Banking | 2018-10-03 | 4.3 MEDIUM | 5.9 MEDIUM |
| The Citizens Community Bank (TN) ccb-mobile-banking/id610030469 app 3.0.1 for iOS does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | |||||
| CVE-2017-9578 | 1 Rivervalleycommunitybank | 1 Rvcb Mobile | 2018-10-03 | 4.3 MEDIUM | 5.9 MEDIUM |
| The "RVCB Mobile" by RVCB Mobile Banking app 3.0.0 -- aka rvcb-mobile/id757928895 for iOS does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | |||||
| CVE-2017-9584 | 1 Heritagebankozarks | 1 Hbo Mobile Banking | 2018-10-03 | 4.3 MEDIUM | 5.9 MEDIUM |
| The "HBO Mobile Banking" by Heritage Bank of Ozarks app 3.0.0 -- aka hbo-mobile-banking/id860224933 for iOS does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | |||||
| CVE-2017-9601 | 1 Fnbkemp | 1 Fnb Kemp Mobile Banking | 2018-10-03 | 4.3 MEDIUM | 5.9 MEDIUM |
| The "FNB Kemp Mobile Banking" by First National Bank of Kemp app 3.0.2 -- aka fnb-kemp-mobile-banking/id571448725 for iOS does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | |||||
| CVE-2017-14612 | 1 Shpock | 1 Shpock | 2018-09-11 | 4.3 MEDIUM | 5.9 MEDIUM |
| "Shpock Boot Sale & Classifieds" app before 3.17.0 -- aka shpock-boot-sale-classifieds/id557153158 -- for iOS does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | |||||
| CVE-2018-10377 | 1 Portswigger | 1 Burp Suite | 2018-08-14 | 4.3 MEDIUM | 5.9 MEDIUM |
| PortSwigger Burp Suite before 1.7.34 has Improper Certificate Validation of the Collaborator server certificate, which might allow man-in-the-middle attackers to obtain interaction data. | |||||
| CVE-2018-12257 | 1 Apollotechnologiesinc | 2 Momentum Axel 720p, Momentum Axel 720p Firmware | 2018-08-02 | 2.1 LOW | 4.4 MEDIUM |
| An issue was discovered on Momentum Axel 720P 5.1.8 devices. There is Authenticated Custom Firmware Upgrade via DNS Hijacking. An authenticated root user with CLI access is able to remotely upgrade firmware to a custom image due to lack of SSL validation by changing the nameservers in /etc/resolv.conf to the attacker's server, and serving the expected HTTPS response containing new firmware for the device to download. | |||||
| CVE-2016-9064 | 1 Mozilla | 2 Firefox, Firefox Esr | 2018-08-01 | 4.3 MEDIUM | 5.9 MEDIUM |
| Add-on updates failed to verify that the add-on ID inside the signed package matched the ID of the add-on being updated. An attacker who could perform a man-in-the-middle attack on the user's connection to the update server and defeat the certificate pinning protection could provide a malicious signed add-on instead of a valid update. This vulnerability affects Firefox ESR < 45.5 and Firefox < 50. | |||||
| CVE-2018-0591 | 1 T-joy | 1 Kinepass | 2018-06-25 | 4.3 MEDIUM | 5.9 MEDIUM |
| The KINEPASS App for Android Ver 3.1.1 and earlier, and for iOS Ver 3.1.2 and earlier do not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | |||||
| CVE-2018-8119 | 1 Microsoft | 3 C Software Development Kit, Csharp Software Development Kit, Java Software Development Kit | 2018-06-18 | 6.8 MEDIUM | 5.6 MEDIUM |
| A spoofing vulnerability exists when the Azure IoT Device Provisioning AMQP Transport library improperly validates certificates over the AMQP protocol, aka "Azure IoT SDK Spoofing Vulnerability." This affects C# SDK, C SDK, Java SDK. | |||||
| CVE-2017-6143 | 1 F5 | 2 Big-ip Advanced Firewall Manager, Big-ip Application Security Manager | 2018-05-21 | 5.8 MEDIUM | 5.4 MEDIUM |
| X509 certificate verification was not correctly implemented in the IP Intelligence Subscription and IP Intelligence feed-list features, and thus the remote server's identity is not properly validated in F5 BIG-IP 12.0.0-12.1.2, 11.6.0-11.6.2, or 11.5.0-11.5.5. | |||||
| CVE-2018-1000151 | 1 Jenkins | 1 Vsphere | 2018-05-15 | 6.8 MEDIUM | 5.6 MEDIUM |
| A man in the middle vulnerability exists in Jenkins vSphere Plugin 2.16 and older in VSphere.java that disables SSL/TLS certificate validation by default. | |||||
| CVE-2017-13863 | 1 Apple | 1 Iphone Os | 2018-05-04 | 4.3 MEDIUM | 5.9 MEDIUM |
| An issue was discovered in certain Apple products. iOS before 11 is affected. The issue involves the "APNs" component. It allows man-in-the-middle attackers to track users by leveraging the transmission of client certificates. | |||||
| CVE-2018-4086 | 1 Apple | 4 Apple Tv, Iphone Os, Mac Os X and 1 more | 2018-05-04 | 4.3 MEDIUM | 5.9 MEDIUM |
| An issue was discovered in certain Apple products. iOS before 11.2.5 is affected. macOS before 10.13.3 is affected. tvOS before 11.2.5 is affected. watchOS before 4.2.2 is affected. The issue involves the "Security" component. It allows remote attackers to spoof certificate validation via crafted name constraints. | |||||
| CVE-2015-4954 | 1 Ibm | 1 Bigfix Remote Control | 2018-04-23 | 4.3 MEDIUM | 5.9 MEDIUM |
| IBM BigFix Remote Control before Interim Fix pack 9.1.2-TIV-IBRC912-IF0001 improperly allows self-signed certificates, which might allow remote attackers to conduct spoofing attacks via unspecified vectors. IBM X-Force ID: 105200. | |||||
| CVE-2018-6219 | 1 Trendmicro | 1 Email Encryption Gateway | 2018-04-04 | 6.4 MEDIUM | 6.5 MEDIUM |
| An Insecure Update via HTTP vulnerability in Trend Micro Email Encryption Gateway 5.5 could allow an attacker to eavesdrop and tamper with certain types of update data. | |||||
| CVE-2018-0518 | 1 Linecorp | 1 Line | 2018-03-20 | 4.3 MEDIUM | 5.9 MEDIUM |
| LINE for iOS version 7.1.3 to 7.1.5 does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | |||||
| CVE-2012-6709 | 2 Elinks, Twibright | 2 Elinks, Links | 2018-03-20 | 4.3 MEDIUM | 5.9 MEDIUM |
| ELinks 0.12 and Twibright Links 2.3 have Missing SSL Certificate Validation. | |||||
| CVE-2017-17455 | 1 Mahara | 1 Mahara | 2018-03-16 | 4.3 MEDIUM | 5.9 MEDIUM |
| Mahara 16.10 before 16.10.7, 17.04 before 17.04.5, and 17.10 before 17.10.2 are vulnerable to being forced, via a man-in-the-middle attack, to interact with Mahara on the HTTP protocol rather than HTTPS even when an SSL certificate is present. | |||||
| CVE-2017-9968 | 1 Schneider-electric | 1 Igss Mobile | 2018-03-09 | 4.3 MEDIUM | 5.9 MEDIUM |
| A security misconfiguration vulnerability exists in Schneider Electric's IGSS Mobile application versions 3.01 and prior in which a lack of certificate pinning during the TLS/SSL connection establishing process can result in a man-in-the-middle attack. | |||||
| CVE-2017-12721 | 1 Smiths-medical | 1 Medfusion 4000 Wireless Syringe Infusion Pump | 2018-03-02 | 4.3 MEDIUM | 5.9 MEDIUM |
| An Improper Certificate Validation issue was discovered in Smiths Medical Medfusion 4000 Wireless Syringe Infusion Pump, Version 1.1, 1.5, and 1.6. The pump does not validate host certificates, leaving the pump vulnerable to a man-in-the-middle (MITM) attack. | |||||
| CVE-2018-6374 | 1 Pulsesecure | 1 Desktop Linux Client | 2018-02-24 | 6.4 MEDIUM | 6.5 MEDIUM |
| The GUI component (aka PulseUI) in Pulse Secure Desktop Linux clients before PULSE5.2R9.2 and 5.3.x before PULSE5.3R4.2 does not perform strict SSL Certificate Validation. This can lead to the manipulation of the Pulse Connection set. | |||||
| CVE-2017-1000417 | 1 Matrixssl | 1 Matrixssl | 2018-02-13 | 5.0 MEDIUM | 5.3 MEDIUM |
| MatrixSSL version 3.7.2 adopts a collision-prone OID comparison logic resulting in possible spoofing of OIDs (e.g. in ExtKeyUsage extension) on X.509 certificates. | |||||
| CVE-2017-6142 | 1 F5 | 1 Big-ip Advanced Firewall Manager | 2018-02-06 | 5.8 MEDIUM | 4.8 MEDIUM |
| X509 certificate verification was not correctly implemented in the early access "user id" feature in the F5 BIG-IP Advanced Firewall Manager versions 13.0.0, 12.1.0-12.1.2, and 11.6.0-11.6.2, and thus did not properly validate the remote server's identity on certain versions of BIG-IP. | |||||
| CVE-2018-5258 | 1 Banconeon | 1 Neon | 2018-02-02 | 4.3 MEDIUM | 5.9 MEDIUM |
| The Neon app 1.6.14 iOS does not verify X.509 certificates from SSL servers, which allows remote attackers to spoof servers and obtain sensitive information via a crafted certificate. | |||||
| CVE-2015-2981 | 1 Yodobashi | 1 Yodobashi | 2018-02-01 | 4.3 MEDIUM | 5.9 MEDIUM |
| The Yodobashi App for Android 1.2.1.0 and earlier does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | |||||
| CVE-2014-3607 | 1 Ldaptive | 2 Ldaptive, Vt-ldap | 2018-01-31 | 4.3 MEDIUM | 5.9 MEDIUM |
| DefaultHostnameVerifier in Ldaptive (formerly vt-ldap) does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate. | |||||
| CVE-2017-1000415 | 1 Matrixssl | 1 Matrixssl | 2018-01-26 | 4.3 MEDIUM | 5.9 MEDIUM |
| MatrixSSL version 3.7.2 has an incorrect UTCTime date range validation in its X.509 certificate validation process resulting in some certificates have their expiration (beginning) year extended (delayed) by 100 years. | |||||
| CVE-2017-17718 | 1 Net-ldap Project | 1 Net-ldap | 2018-01-05 | 4.3 MEDIUM | 5.9 MEDIUM |
| The Net::LDAP (aka net-ldap) gem before 0.16.0 for Ruby has Missing SSL Certificate Validation. | |||||
| CVE-2017-17716 | 1 Gitlab | 1 Gitlab | 2018-01-04 | 4.3 MEDIUM | 5.9 MEDIUM |
| GitLab 9.4.x before 9.4.2 does not support LDAP SSL certificate verification, but a verify_certificates LDAP option was mentioned in the 9.4 release announcement. This issue occurred because code was not merged. This is related to use of the omniauth-ldap library and the gitlab_omniauth-ldap gem. | |||||
| CVE-2014-3250 | 3 Apache, Puppet, Redhat | 3 Http Server, Puppet, Linux | 2017-12-27 | 4.0 MEDIUM | 6.5 MEDIUM |
| The default vhost configuration file in Puppet before 3.6.2 does not include the SSLCARevocationCheck directive, which might allow remote attackers to obtain sensitive information via a revoked certificate when a Puppet master runs with Apache 2.4. | |||||
| CVE-2017-8213 | 1 Huawei | 2 Smc2.0, Smc2.0 Firmware | 2017-12-08 | 5.0 MEDIUM | 5.3 MEDIUM |
| Huawei SMC2.0 with software of V100R003C10, V100R005C00SPC100, V100R005C00SPC101B001T, V100R005C00SPC102, V100R005C00SPC103, V100R005C00SPC200, V100R005C00SPC201T, V500R002C00, V600R006C00 has an input validation vulnerability when handle TLS and DTLS handshake with certificate. Due to the insufficient validation of received PKI certificates, remote attackers could exploit this vulnerability to crash the TLS module. | |||||
| CVE-2017-1000209 | 1 Nv-websocket-client Project | 1 Nv-websocket-client | 2017-12-05 | 4.3 MEDIUM | 5.9 MEDIUM |
| The Java WebSocket client nv-websocket-client does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL/TLS servers via an arbitrary valid certificate. | |||||
| CVE-2014-7242 | 1 Ms-ins | 2 Sumaho, Sumaho Driving Capability Diagnosis | 2017-11-08 | 4.3 MEDIUM | 5.9 MEDIUM |
| The SumaHo application 3.0.0 and earlier for Android and the SumaHo "driving capability" diagnosis result transmission application 1.2.2 and earlier for Android allow man-in-the-middle attackers to spoof servers and obtain sensitive information by leveraging failure to verify SSL/TLS server certificates. | |||||
| CVE-2014-3706 | 1 Redhat | 1 Enterprise Mrg | 2017-11-07 | 4.3 MEDIUM | 5.9 MEDIUM |
| ovirt-engine, as used in Red Hat MRG 3, allows man-in-the-middle attackers to spoof servers by leveraging failure to verify key attributes in vdsm X.509 certificates. | |||||
| CVE-2015-6358 | 1 Cisco | 48 Pvc2300, Pvc2300 Firmware, Rtp300 and 45 more | 2017-11-03 | 4.3 MEDIUM | 5.9 MEDIUM |
| Multiple Cisco embedded devices use hardcoded X.509 certificates and SSH host keys embedded in the firmware, which allows remote attackers to defeat cryptographic protection mechanisms and conduct man-in-the-middle attacks by leveraging knowledge of these certificates and keys from another installation, aka Bug IDs CSCuw46610, CSCuw46620, CSCuw46637, CSCuw46654, CSCuw46665, CSCuw46672, CSCuw46677, CSCuw46682, CSCuw46705, CSCuw46716, CSCuw46979, CSCuw47005, CSCuw47028, CSCuw47040, CSCuw47048, CSCuw47061, CSCuw90860, CSCuw90869, CSCuw90875, CSCuw90881, CSCuw90899, and CSCuw90913. | |||||
| CVE-2015-7778 | 1 Gurunavi | 1 Gournavi | 2017-10-26 | 4.3 MEDIUM | 5.9 MEDIUM |
| Gurunavi App for iOS before 6.0.0 does not verify SSL certificates which could allow remote attackers to perform man-in-the-middle attacks. | |||||
| CVE-2017-14582 | 1 Zohocorp | 1 Site24x7 Mobile Network Poller | 2017-10-10 | 4.3 MEDIUM | 5.9 MEDIUM |
| The Zoho Site24x7 Mobile Network Poller application before 1.1.5 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a self-signed certificate. | |||||
| CVE-2015-0874 | 3 Apple, Google, Okb | 3 Iphone Os, Android, Smart Passbook | 2017-10-10 | 4.3 MEDIUM | 5.9 MEDIUM |
| Smartphone Passbook 1.0.0 does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to obtain sensitive information from encrypted communications via a crafted certificate. | |||||
| CVE-2015-7785 | 1 Comicsmart | 1 Ganma\! | 2017-10-06 | 4.3 MEDIUM | 5.9 MEDIUM |
| GANMA! App for iOS does not verify SSL certificates. | |||||
| CVE-2015-5666 | 1 Ana | 1 All Nippon Airways | 2017-10-06 | 4.3 MEDIUM | 5.9 MEDIUM |
| ANA App for Android 3.1.1 and earlier, and ANA App for iOS 3.3.6 and earlier does not verify SSL certificates. | |||||
| CVE-2015-3420 | 2 Dovecot, Fedoraproject | 2 Dovecot, Fedora | 2017-10-05 | 4.3 MEDIUM | 5.9 MEDIUM |
| The ssl-proxy-openssl.c function in Dovecot before 2.2.17, when SSLv3 is disabled, allow remote attackers to cause a denial of service (login process crash) via vectors related to handshake failures. | |||||
| CVE-2016-10511 | 1 Twitter | 1 Twitter | 2017-10-04 | 4.3 MEDIUM | 5.9 MEDIUM |
| The Twitter iOS client versions 6.62 and 6.62.1 fail to validate Twitter's server certificates for the /1.1/help/settings.json configuration endpoint, permitting man-in-the-middle attackers the ability to view an application-only OAuth client token and potentially enable unreleased Twitter iOS app features. | |||||
| CVE-2017-7971 | 1 Schneider-electric | 3 Citect Anywhere, Powerscada Anywhere, Powerscada Expert | 2017-09-29 | 4.0 MEDIUM | 6.5 MEDIUM |
| A vulnerability exists in Schneider Electric's PowerSCADA Anywhere v1.0 redistributed with PowerSCADA Expert v8.1 and PowerSCADA Expert v8.2 and Citect Anywhere version 1.0 that allows the use of outdated cipher suites and improper verification of peer SSL Certificate. | |||||
| CVE-2015-2943 | 1 Honda | 1 Moto Linc | 2017-09-08 | 4.3 MEDIUM | 5.9 MEDIUM |
| Honda Moto LINC 1.6.1 does not verify SSL certificates. | |||||
| CVE-2015-0210 | 1 W1.fi | 1 Wpa Supplicant | 2017-08-31 | 4.3 MEDIUM | 5.9 MEDIUM |
| wpa_supplicant 2.0-16 does not properly check certificate subject name, which allows remote attackers to cause a man-in-the-middle attack. | |||||
| CVE-2015-2674 | 1 Restkit | 1 Restkit | 2017-08-21 | 4.3 MEDIUM | 5.9 MEDIUM |
| Restkit allows man-in-the-middle attackers to spoof TLS servers by leveraging use of the ssl.wrap_socket function in Python with the default CERT_NONE value for the cert_reqs argument. | |||||
| CVE-2017-2278 | 3 Apple, Google, Iid | 3 Iphone Os, Android, Rbb Speed Test | 2017-08-04 | 4.3 MEDIUM | 5.9 MEDIUM |
| The RBB SPEED TEST App for Android version 2.0.3 and earlier, RBB SPEED TEST App for iOS version 2.1.0 and earlier does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | |||||