Search
Total
2502 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2014-3750 | 1 Bilyoner | 1 Bilyoner | 2014-05-16 | 5.8 MEDIUM | N/A |
| The Bilyoner application before 2.3.1 for Android and before 4.6.2 for iOS does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | |||||
| CVE-2014-2046 | 1 Broadcom | 2 Pipa C211, Pipa C211 Web Interface | 2014-05-14 | 9.7 HIGH | N/A |
| cgi-bin/rpcBridge in the web interface 1.1 on Broadcom Ltd PIPA C211 rev2 does not properly restrict access, which allows remote attackers to (1) obtain credentials and other sensitive information via a certain request to the config.getValuesHashExcludePaths method or (2) modify the firmware via unspecified vectors. | |||||
| CVE-2010-4832 | 1 Google | 1 Android | 2014-05-14 | 4.3 MEDIUM | N/A |
| Android OS before 2.2 does not display the correct SSL certificate in certain cases, which might allow remote attackers to spoof trusted web sites via a web page containing references to external sources in which (1) the certificate of the last loaded resource is checked, instead of for the main page, or (2) later certificates are not checked when the HTTPS connection is reused. | |||||
| CVE-2013-0173 | 1 Theforeman | 1 Foreman | 2014-05-08 | 5.0 MEDIUM | N/A |
| Foreman before 1.1 uses a salt of "foreman" to hash root passwords, which makes it easier for attackers to guess the password via a brute force attack. | |||||
| CVE-2014-2992 | 1 Misli | 1 Misli.com App | 2014-05-05 | 6.4 MEDIUM | N/A |
| The Misli.com application for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | |||||
| CVE-2014-1263 | 1 Apple | 1 Mac Os X | 2014-05-05 | 4.3 MEDIUM | N/A |
| curl and libcurl 7.27.0 through 7.35.0, when using the SecureTransport/Darwinssl backend, as used in in Apple OS X 10.9.x before 10.9.2, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate when accessing a URL that uses a numerical IP address, which allows man-in-the-middle attackers to spoof servers via an arbitrary valid certificate. | |||||
| CVE-2014-0361 | 1 Toshibacommerce | 1 4690 Point Of Sale Operating System | 2014-05-05 | 3.0 LOW | N/A |
| The default configuration of IBM 4690 OS, as used in Toshiba Global Commerce Solutions 4690 POS and other products, hashes passwords with the ADXCRYPT algorithm, which makes it easier for context-dependent attackers to obtain sensitive information via unspecified cryptanalysis of an ADXCSOUF.DAT file. | |||||
| CVE-2014-0646 | 1 Emc | 1 Rsa Access Manager | 2014-05-02 | 6.9 MEDIUM | N/A |
| The runtime WS component in the server in EMC RSA Access Manager 6.1.3 before 6.1.3.39, 6.1.4 before 6.1.4.22, 6.2.0 before 6.2.0.11, and 6.2.1 before 6.2.1.03, when INFO logging is enabled, allows local users to discover cleartext passwords by reading log files. | |||||
| CVE-2014-0786 | 1 Ecava | 1 Integraxor | 2014-05-01 | 5.0 MEDIUM | N/A |
| Ecava IntegraXor before 4.1.4393 allows remote attackers to read cleartext credentials for administrative accounts via SELECT statements that leverage the guest role. | |||||
| CVE-2013-7372 | 2 Apache, Google | 2 Harmony, Android | 2014-04-30 | 5.0 MEDIUM | N/A |
| The engineNextBytes function in classlib/modules/security/src/main/java/common/org/apache/harmony/security/provider/crypto/SHA1PRNG_SecureRandomImpl.java in the SecureRandom implementation in Apache Harmony through 6.0M3, as used in the Java Cryptography Architecture (JCA) in Android before 4.4 and other products, when no seed is provided by the user, uses an incorrect offset value, which makes it easier for attackers to defeat cryptographic protection mechanisms by leveraging the resulting PRNG predictability, as exploited in the wild against Bitcoin wallet applications in August 2013. | |||||
| CVE-2014-0036 | 1 Amos Benari | 1 Rbovirt | 2014-04-18 | 6.8 MEDIUM | N/A |
| The rbovirt gem before 0.0.24 for Ruby uses the rest-client gem with SSL verification disabled, which allows remote attackers to conduct man-in-the-middle attacks via unspecified vectors. | |||||
| CVE-2014-1210 | 1 Vmware | 1 Vsphere Client | 2014-04-14 | 5.8 MEDIUM | N/A |
| VMware vSphere Client 5.0 before Update 3 and 5.1 before Update 2 does not properly validate X.509 certificates, which allows man-in-the-middle attackers to spoof SSL servers via a crafted certificate. | |||||
| CVE-2013-6659 | 1 Google | 1 Chrome | 2014-04-01 | 6.4 MEDIUM | N/A |
| The SSLClientSocketNSS::Core::OwnAuthCertHandler function in net/socket/ssl_client_socket_nss.cc in Google Chrome before 33.0.1750.117 does not prevent changes to server X.509 certificates during renegotiations, which allows remote SSL servers to trigger use of a new certificate chain, inconsistent with the user's expectations, by initiating a TLS renegotiation. | |||||
| CVE-2014-0017 | 1 Libssh | 1 Libssh | 2014-03-26 | 1.9 LOW | N/A |
| The RAND_bytes function in libssh before 0.6.3, when forking is enabled, does not properly reset the state of the OpenSSL pseudo-random number generator (PRNG), which causes the state to be shared between children processes and allows local users to obtain sensitive information by leveraging a pid collision. | |||||
| CVE-2013-1619 | 1 Gnu | 1 Gnutls | 2014-03-26 | 4.0 MEDIUM | N/A |
| The TLS implementation in GnuTLS before 2.12.23, 3.0.x before 3.0.28, and 3.1.x before 3.1.7 does not properly consider timing side-channel attacks on a noncompliant MAC check operation during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, a related issue to CVE-2013-0169. | |||||
| CVE-2012-0390 | 1 Gnu | 1 Gnutls | 2014-03-26 | 4.3 MEDIUM | N/A |
| The DTLS implementation in GnuTLS 3.0.10 and earlier executes certain error-handling code only if there is a specific relationship between a padding length and the ciphertext size, which makes it easier for remote attackers to recover partial plaintext via a timing side-channel attack, a related issue to CVE-2011-4108. | |||||
| CVE-2014-1976 | 1 Yumenomachi | 1 Demaecan | 2014-03-18 | 5.8 MEDIUM | N/A |
| The Demaecan application 2.1.0 and earlier for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | |||||
| CVE-2013-4579 | 1 Linux | 1 Linux Kernel | 2014-03-16 | 4.3 MEDIUM | N/A |
| The ath9k_htc_set_bssid_mask function in drivers/net/wireless/ath/ath9k/htc_drv_main.c in the Linux kernel through 3.12 uses a BSSID masking approach to determine the set of MAC addresses on which a Wi-Fi device is listening, which allows remote attackers to discover the original MAC address after spoofing by sending a series of packets to MAC addresses with certain bit manipulations. | |||||
| CVE-2014-2319 | 1 Powerarchiver | 1 Powerarchiver | 2014-03-14 | 5.0 MEDIUM | N/A |
| The Encrypt Files feature in ConeXware PowerArchiver before 14.02.05 uses legacy ZIP encryption even if the AES 256-bit selection is chosen, which makes it easier for context-dependent attackers to obtain sensitive information via a known-plaintext attack. | |||||
| CVE-2013-3712 | 1 Suse | 2 Studio Extension For System Z, Studio Onsite | 2014-03-10 | 10.0 HIGH | N/A |
| SUSE Studio Onsite 1.3.x before 1.3.6 and SUSE Studio Extension for System z 1.3 uses "static" secret tokens, which has unspecified impact and vectors. | |||||
| CVE-2013-1921 | 1 Redhat | 1 Jboss Enterprise Application Platform | 2014-03-08 | 1.9 LOW | N/A |
| PicketBox, as used in Red Hat JBoss Enterprise Application Platform before 6.1.1, allows local users to obtain the admin encryption key by reading the Vault data file. | |||||
| CVE-2013-6950 | 1 Belkin | 1 Wemo Home Automation Firmware | 2014-03-06 | 7.8 HIGH | N/A |
| The Belkin WeMo Home Automation firmware before 3949 does not use SSL for the distribution feed, which allows man-in-the-middle attackers to install arbitrary firmware by spoofing a distribution server. | |||||
| CVE-2013-6952 | 1 Belkin | 1 Wemo Home Automation Firmware | 2014-03-06 | 10.0 HIGH | N/A |
| The Belkin WeMo Home Automation firmware before 3949 has a hardcoded GPG key, which makes it easier for remote attackers to spoof firmware updates and execute arbitrary code via crafted signed data. | |||||
| CVE-2011-3588 | 1 Redhat | 1 Kexec-tools | 2014-03-06 | 5.7 MEDIUM | N/A |
| The SSH configuration in the Red Hat mkdumprd script for kexec-tools, as distributed in the kexec-tools 1.x before 1.102pre-154 and 2.x before 2.0.0-209 packages in Red Hat Enterprise Linux, disables the StrictHostKeyChecking option, which allows man-in-the-middle attackers to spoof kdump servers, and obtain sensitive core information, by using an arbitrary SSH key. | |||||
| CVE-2011-3590 | 1 Redhat | 1 Kexec-tools | 2014-03-06 | 5.7 MEDIUM | N/A |
| The Red Hat mkdumprd script for kexec-tools, as distributed in the kexec-tools 1.x before 1.102pre-154 and 2.x before 2.0.0-209 packages in Red Hat Enterprise Linux, includes all of root's SSH private keys within a vmcore file, which allows context-dependent attackers to obtain sensitive information by inspecting the file content. | |||||
| CVE-2011-3589 | 1 Redhat | 1 Kexec-tools | 2014-03-06 | 5.7 MEDIUM | N/A |
| The Red Hat mkdumprd script for kexec-tools, as distributed in the kexec-tools 1.x before 1.102pre-154 and 2.x before 2.0.0-209 packages in Red Hat Enterprise Linux, uses world-readable permissions for vmcore files, which allows local users to obtain sensitive information by inspecting the file content, as demonstrated by a search for a root SSH key. | |||||
| CVE-2013-2319 | 1 Filemaker | 2 Filemaker Pro, Filemaker Pro Advanced | 2014-03-05 | 5.8 MEDIUM | N/A |
| FileMaker Pro before 12 and Pro Advanced before 12 does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | |||||
| CVE-2012-1251 | 1 Opera | 1 Opera Browser | 2014-03-05 | 5.8 MEDIUM | N/A |
| Opera before 9.63 does not properly verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | |||||
| CVE-2013-3641 | 1 Pizzahut | 1 Pizza Hut Japan Official Order Application | 2014-03-05 | 5.8 MEDIUM | N/A |
| The Pizza Hut Japan Official Order application before 1.1.1.a for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | |||||
| CVE-2013-4699 | 1 Yahoo | 1 Yafuoku\! | 2014-03-05 | 5.8 MEDIUM | N/A |
| The Yahoo! Japan Yafuoku! application 4.3.0 and earlier for iOS and Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | |||||
| CVE-2013-4700 | 1 Yahoo | 1 Japan Shopping | 2014-03-05 | 5.8 MEDIUM | N/A |
| The Yahoo! Japan Shopping application 1.4 and earlier for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | |||||
| CVE-2013-1651 | 1 Open-xchange | 1 Open-xchange Server | 2014-03-05 | 5.8 MEDIUM | N/A |
| OXUpdater in Open-Xchange Server before 6.20.7 rev14, 6.22.0 before rev13, and 6.22.1 before rev14 does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof update servers and install arbitrary software via a crafted certificate. | |||||
| CVE-2013-1228 | 1 Cisco | 1 Jabber | 2014-03-05 | 4.3 MEDIUM | N/A |
| Cisco Jabber on Windows does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and modify the client-server data stream via a crafted certificate, aka Bug ID CSCug30280. | |||||
| CVE-2013-5999 | 1 Kingsoft | 1 Kdrive | 2014-03-05 | 5.8 MEDIUM | N/A |
| Kingsoft KDrive Personal before 1.21.0.1880 on Windows does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | |||||
| CVE-2014-1967 | 1 7andi-fs.co | 1 Denny\'s | 2014-02-27 | 5.8 MEDIUM | N/A |
| The Denny's application before 2.0.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | |||||
| CVE-2013-6812 | 1 Nextdc | 1 Onedc | 2014-02-27 | 5.8 MEDIUM | N/A |
| The ONEDC app before 1.7 for iOS does not properly verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | |||||
| CVE-2013-1853 | 1 Almanah Project | 1 Almanah | 2014-02-25 | 2.1 LOW | N/A |
| Almanah Diary 0.9.0 and 0.10.0 does not encrypt the database when closed, which allows local users to obtain sensitive information by reading the database. | |||||
| CVE-2013-6951 | 1 Belkin | 1 Wemo Home Automation Firmware | 2014-02-24 | 7.1 HIGH | N/A |
| The Belkin WeMo Home Automation firmware before 3949 does not maintain a set of Certification Authority public keys, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary X.509 certificate. | |||||
| CVE-2013-1623 | 1 Yassl | 1 Cyassl | 2014-02-21 | 4.3 MEDIUM | N/A |
| The TLS and DTLS implementations in wolfSSL CyaSSL before 2.5.0 do not properly consider timing side-channel attacks on a noncompliant MAC check operation during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, a related issue to CVE-2013-0169. | |||||
| CVE-2013-6396 | 1 Openstack | 1 Swift | 2014-02-21 | 5.8 MEDIUM | N/A |
| The OpenStack Python client library for Swift (python-swiftclient) 1.0 through 1.9.0 does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | |||||
| CVE-2011-4083 | 1 Redhat | 1 Sos | 2014-02-19 | 4.3 MEDIUM | N/A |
| The sosreport utility in the Red Hat sos package before 1.7-9 and 2.x before 2.2-17 includes (1) Certificate-based Red Hat Network private entitlement keys and the (2) private key for the entitlement in an archive of debugging information, which might allow remote attackers to obtain sensitive information by reading the archive. | |||||
| CVE-2013-7295 | 1 Torproject | 1 Tor | 2014-02-12 | 4.0 MEDIUM | N/A |
| Tor before 0.2.4.20, when OpenSSL 1.x is used in conjunction with a certain HardwareAccel setting on Intel Sandy Bridge and Ivy Bridge platforms, does not properly generate random numbers for (1) relay identity keys and (2) hidden-service identity keys, which might make it easier for remote attackers to bypass cryptographic protection mechanisms via unspecified vectors. | |||||
| CVE-2012-3514 | 1 Nicolas Cannasse | 1 Ocaml Xml-light Library | 2014-02-12 | 5.0 MEDIUM | N/A |
| OCaml Xml-Light Library before r234 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via unspecified vectors. | |||||
| CVE-2013-6838 | 2 Enghouseinteractive, Openvz | 2 Ivr Pro, Vzkernel | 2014-01-31 | 10.0 HIGH | N/A |
| An unspecified Enghouse Interactive Professional Services "addon product" in Enghouse Interactive IVR Pro (VIP2000) 9.0.3 (rel903), when using OpenVZ and fallback customization, uses the same SSH private key across different customers' installations, which allows remote attackers to gain privileges by leveraging knowledge of this key. | |||||
| CVE-2013-1769 | 1 Simon Mcvittie | 1 Telepathy Gabble | 2014-01-22 | 5.0 MEDIUM | N/A |
| A certain hashing algorithm in Telepathy Gabble 0.16.x before 0.16.5 and 0.17.x before 0.17.3 allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via a crafted message. | |||||
| CVE-2013-7075 | 1 Typo3 | 1 Typo3 | 2014-01-14 | 6.5 MEDIUM | N/A |
| The Content Editing Wizards component in TYPO3 4.5.0 through 4.5.31, 4.7.0 through 4.7.16, 6.0.0 through 6.0.11, and 6.1.0 through 6.1.6 allows remote authenticated backend users to unserialize arbitrary PHP objects, delete arbitrary files, and possibly have other unspecified impacts via an unspecified parameter, related to a "missing signature." | |||||
| CVE-2013-6386 | 1 Drupal | 1 Drupal | 2014-01-14 | 6.8 MEDIUM | N/A |
| Drupal 6.x before 6.29 and 7.x before 7.24 uses the PHP mt_rand function to generate random numbers, which uses predictable seeds and allows remote attackers to predict security strings and bypass intended restrictions via a brute force attack. | |||||
| CVE-2012-2126 | 3 Canonical, Redhat, Rubygems | 3 Ubuntu Linux, Openshift, Rubygems | 2014-01-14 | 4.3 MEDIUM | N/A |
| RubyGems before 1.8.23 does not verify an SSL certificate, which allows remote attackers to modify a gem during installation via a man-in-the-middle attack. | |||||
| CVE-2013-6181 | 1 Emc | 1 Watch4net | 2014-01-08 | 2.1 LOW | N/A |
| EMC Watch4Net before 6.3 stores cleartext polled-device passwords in the installation repository, which allows local users to obtain sensitive information by leveraging repository privileges. | |||||
| CVE-2012-2898 | 2 Apple, Google | 2 Ipad2, Chrome | 2014-01-07 | 5.0 MEDIUM | N/A |
| Google Chrome before 21.0.1180.82 on iOS on iPad devices allows remote attackers to spoof the Omnibox URL via vectors involving SSL error messages, a related issue to CVE-2012-0674. | |||||