Total: 1202 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2024-53846 | | | 2024-12-05 | N/A | 5.5 MEDIUM | OTP is a set of Erlang libraries, which consists of the Erlang runtime system, a number of ready-to-use components mainly written in Erlang, and a set of design principles for Erlang programs. A regression was introduced into the ssl application of OTP starting at OTP-25.3.2.8, OTP-26.2, and OTP-27.0, resulting in a server or client verifying the peer when an incorrect extended key usage is presented (i.e., a server will accept a client certificate that carries only the serverAuth extended key usage, and a client will accept a server certificate that carries only clientAuth). |
| CVE-2024-45205 | | | 2024-12-04 | N/A | 7.1 HIGH | An Improper Certificate Validation in the UniFi iOS App managing a standalone UniFi Access Point (not using UniFi Network Application) could allow a malicious actor with access to an adjacent network to take control of this UniFi Access Point. Affected Products: UniFi iOS App (Version 10.17.7 and earlier). Mitigation: UniFi iOS App (Version 10.18.0 or later). |
| CVE-2024-27323 | 1 Pdf-xchange | 2 Pdf-tools, Pdf-xchange Editor | 2024-12-03 | N/A | 7.5 HIGH | PDF-XChange Editor Updater Improper Certificate Validation Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of PDF-XChange Editor. User interaction is not required to exploit this vulnerability. The specific flaw exists within the update functionality. The issue results from the lack of proper validation of the certificate presented by the server. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-22224. |
| CVE-2020-3557 | 1 Cisco | 1 Secure Firewall Management Center | 2024-11-26 | 5.0 MEDIUM | 5.3 MEDIUM | A vulnerability in the host input API daemon of Cisco Firepower Management Center (FMC) Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. The vulnerability is due to improper certificate validation. An attacker could exploit this vulnerability by sending a crafted data stream to the host input daemon of the affected device. A successful exploit could allow the attacker to cause the host input daemon to restart. The attacker could use repeated attacks to cause the daemon to continuously reload, creating a DoS condition for the API. |
| CVE-2014-7143 | 1 Twisted | 1 Twisted | 2024-11-25 | 5.0 MEDIUM | 7.5 HIGH | In Python Twisted 14.0, the trustRoot setting is not respected by the HTTP client. |
| CVE-2019-12855 | 1 Twisted | 1 Twisted | 2024-11-25 | 5.8 MEDIUM | 7.4 HIGH | In words.protocols.jabber.xmlstream in Twisted through 19.2.1, XMPP support did not verify certificates when used with TLS, allowing an attacker to MITM connections. |
| CVE-2024-8007 | 1 Redhat | 1 Openstack Platform | 2024-11-25 | N/A | 8.1 HIGH | A flaw was found in the openstack-tripleo-common component of the Red Hat OpenStack Platform (RHOSP) director. This vulnerability allows an attacker to deploy potentially compromised container images by disabling TLS certificate verification for registry mirrors, which could enable a man-in-the-middle (MITM) attack. |
| CVE-2024-48915 | | | 2024-11-21 | N/A | N/A | Agent Dart is an agent library built for Internet Computer for Dart and Flutter apps. Prior to version 1.0.0-dev.29, certificate verification in `lib/agent/certificate.dart` does not occur properly. During the delegation verification in the `_checkDelegation` function, the canister_ranges aren't verified. The impact of not checking the canister_ranges is that a subnet can sign canister responses on behalf of another subnet. The certificate's timestamp (the /time path) is also not verified, meaning that the certificate effectively has no expiration time. Version 1.0.0-dev.29 implements appropriate certificate verification. |
| CVE-2023-6057 | 1 Bitdefender | 1 Total Security | 2024-11-21 | N/A | 7.4 HIGH | A vulnerability has been discovered in the Bitdefender Total Security HTTPS scanning functionality that results in the improper trust of certificates issued using the DSA signature algorithm. The product does not properly check the certificate chain, allowing an attacker to establish MITM SSL connections to arbitrary sites using a DSA-signed certificate. |
| CVE-2024-5261 | | | 2024-11-21 | N/A | N/A | Improper Certificate Validation vulnerability in LibreOffice: "LibreOfficeKit" mode disables TLS certificate verification. LibreOfficeKit can be used for accessing LibreOffice functionality through C/C++. Typically this is used by third-party components to reuse LibreOffice as a library to convert, view or otherwise interact with documents. LibreOffice internally makes use of "curl" to fetch remote resources such as images hosted on web servers. In affected versions of LibreOffice, when used in LibreOfficeKit mode only, curl's TLS certificate verification was disabled (CURLOPT_SSL_VERIFYPEER set to false). In the fixed versions curl operates in LibreOfficeKit mode the same as in standard mode, with CURLOPT_SSL_VERIFYPEER set to true. This issue affects LibreOffice before version 24.2.4. |
| CVE-2024-4786 | | | 2024-11-21 | N/A | 2.8 LOW | An improper validation vulnerability was reported in the Lenovo Tab K10 that could allow a specially crafted application to keep the device on. |
| CVE-2024-4063 | | | 2024-11-21 | 2.6 LOW | 3.7 LOW | A vulnerability was found in EZVIZ CS-C6-21WFR-8 5.2.7 Build 170628. It has been classified as problematic. This affects an unknown part of the component Davinci Application. The manipulation leads to improper certificate validation. It is possible to initiate the attack remotely. The complexity of an attack is rather high. Exploitation is known to be difficult. The identifier VDB-261789 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. |
| CVE-2024-4062 | | | 2024-11-21 | 2.6 LOW | 3.7 LOW | A vulnerability was found in Hualai Xiaofang iSC5 3.2.2_112 and classified as problematic. Affected by this issue is some unknown functionality. The manipulation leads to improper certificate validation. The attack may be launched remotely. The complexity of an attack is rather high. Exploitation is known to be difficult. The identifier of this vulnerability is VDB-261788. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. |
| CVE-2024-39698 | 1 Electron | 1 Electron-builder | 2024-11-21 | N/A | 7.5 HIGH | electron-updater allows for automatic updates for Electron apps. The file `packages/electron-updater/src/windowsExecutableCodeSignatureVerifier.ts` implements the signature validation routine for Electron applications on Windows. Because of the surrounding shell, a first pass by `cmd.exe` expands any environment variable found in the command line. This creates a situation where `verifySignature()` can be tricked into validating the certificate of a different file than the one that was just downloaded. If the step is successful, the malicious update will be executed even if its signature is invalid. This attack assumes a compromised update manifest (server compromise, Man-in-the-Middle attack if fetched over HTTP, Cross-Site Scripting to point the application to a malicious update server, etc.). The patch is available starting from 6.3.0-alpha.6. |
| CVE-2024-37865 | 1 S3browser | 1 S3 Browser | 2024-11-21 | N/A | 5.9 MEDIUM | An issue in S3Browser v.11.4.5 and v.10.9.9, fixed in v.11.5.7, allows a remote attacker to obtain sensitive information via the S3-compatible storage component. |
| CVE-2024-33509 | 1 Fortinet | 1 Fortiweb | 2024-11-21 | N/A | 4.8 MEDIUM | An improper certificate validation vulnerability [CWE-295] in FortiWeb 7.2.0 through 7.2.1, 7.0 all versions, 6.4 all versions and 6.3 all versions may allow a remote and unauthenticated attacker in a Man-in-the-Middle position to decipher and/or tamper with the communication channel between the device and the different endpoints used to fetch data for the Web Application Firewall (WAF). |
| CVE-2024-29887 | | | 2024-11-21 | N/A | 7.4 HIGH | Serverpod is an app and web server, built for the Flutter and Dart ecosystem. This bug bypassed the validation of TLS certificates on all non-web HTTP clients in the `serverpod_client` package, making them susceptible to a man-in-the-middle attack against encrypted traffic between the client device and the server. An attacker would need to be able to intercept the traffic and hijack the connection to the server for this vulnerability to be used. Upgrading to version `1.2.6` resolves this issue. |
| CVE-2024-28067 | 1 Samsung | 2 Exynos Modem 5300, Exynos Modem 5300 Firmware | 2024-11-21 | N/A | 5.3 MEDIUM | A vulnerability in Samsung Exynos Modem 5300 allows a Man-in-the-Middle (MITM) attacker to downgrade the security mode of packets going to the victim, enabling the attacker to send messages to the victim in plaintext. |
| CVE-2024-28021 | 1 Hitachienergy | 3 Foxman-un, Foxman Un, Unem | 2024-11-21 | N/A | 7.4 HIGH | A vulnerability exists in the FOXMAN-UN/UNEM server that affects the message queueing mechanism's certificate validation. If exploited, an attacker could spoof a trusted entity, causing a loss of confidentiality and integrity. |
| CVE-2024-27440 | | | 2024-11-21 | N/A | 4.8 MEDIUM | The Toyoko Inn official App for iOS versions prior to 1.13.0 and Toyoko Inn official App for Android versions prior to 1.3.14 don't properly verify server certificates, which allows a man-in-the-middle attacker to spoof servers and obtain sensitive information via a crafted certificate. |
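Two failure modes recur in the entries above: a verifier that builds the chain but ignores the role-specific extended key usage (the OTP regression, CVE-2024-53846, where a serverAuth certificate is accepted as a client certificate and vice versa), and a verifier that is switched off altogether (LibreOfficeKit's CURLOPT_SSL_VERIFYPEER=false in CVE-2024-5261, the Serverpod clients in CVE-2024-29887, the Twisted XMPP client in CVE-2019-12855). The Go program below is an added example written for this page; it is not code from OTP, LibreOffice, Serverpod or any other project listed here. It builds a throwaway CA and leaf certificate in memory (constructed test data, with the hypothetical name `peer.example`) and shows what a correct verifier must reject in each case: a certificate issued for the other role, a certificate from an unrelated CA, and a certificate for the wrong hostname. The `skipVerify` flag reproduces the "verification disabled" behaviour so the contrast is visible.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// testPKI is a constructed, in-memory CA plus one leaf certificate, used only
// so the verification paths below can be exercised offline.
type testPKI struct {
	ca   *x509.Certificate
	leaf *x509.Certificate
}

// newTestPKI builds a self-signed CA and a leaf signed by it whose only
// extended key usage is leafEKU (serverAuth or clientAuth).
func newTestPKI(leafEKU x509.ExtKeyUsage) (*testPKI, error) {
	now := time.Now()
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "constructed test CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	ca, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "peer.example"}, // hypothetical peer name
		DNSNames:     []string{"peer.example"},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{leafEKU}, // exactly one role
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return nil, err
	}
	return &testPKI{ca: ca, leaf: leaf}, nil
}

// verifyPeer validates a presented leaf against the trust anchor, the expected
// hostname (empty when a server is checking a client certificate) and the
// extended key usage the peer's role requires. skipVerify reproduces the
// "verification disabled" failure mode: every certificate is accepted.
func verifyPeer(leaf, root *x509.Certificate, host string, role x509.ExtKeyUsage, skipVerify bool) error {
	if skipVerify {
		return nil // CURLOPT_SSL_VERIFYPEER=false equivalent: never do this
	}
	roots := x509.NewCertPool()
	roots.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{
		DNSName:   host,
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{role}, // the check OTP's regression skipped
	})
	return err
}

// isUsageMismatch reports whether err is the EKU rejection a correct verifier
// raises when the peer's certificate was issued for the other role.
func isUsageMismatch(err error) bool {
	var invalid x509.CertificateInvalidError
	return errors.As(err, &invalid) && invalid.Reason == x509.IncompatibleUsage
}

func main() {
	pki, err := newTestPKI(x509.ExtKeyUsageServerAuth)
	if err != nil {
		panic(err)
	}
	fmt.Println("client checks server cert:", verifyPeer(pki.leaf, pki.ca, "peer.example", x509.ExtKeyUsageServerAuth, false))
	err = verifyPeer(pki.leaf, pki.ca, "", x509.ExtKeyUsageClientAuth, false)
	fmt.Println("server checks same cert as client cert:", err, "| EKU mismatch:", isUsageMismatch(err))
	rogue, _ := newTestPKI(x509.ExtKeyUsageServerAuth) // unrelated CA, same hostname
	fmt.Println("unrelated CA, verification on:", verifyPeer(rogue.leaf, pki.ca, "peer.example", x509.ExtKeyUsageServerAuth, false))
	fmt.Println("unrelated CA, verification off:", verifyPeer(rogue.leaf, pki.ca, "peer.example", x509.ExtKeyUsageServerAuth, true))
}
```

The `KeyUsages` option is the part that matters for the OTP entry: Go's `Verify` defaults to serverAuth when it is omitted, so a server that calls it with the defaults on a client certificate would make the same mistake in the other direction. The `rogue` case shows why the CURLOPT_SSL_VERIFYPEER and Serverpod bugs are full MITM primitives: with verification off, a certificate from any CA, including one the attacker just generated, passes.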
