Total
501 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-2764 | 2025-04-23 | N/A | 8.0 HIGH | ||
| CarlinKit CPC200-CCPA update.cgi Improper Verification of Cryptographic Signature Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of CarlinKit CPC200-CCPA devices. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the handling of update packages provided to update.cgi. The issue results from the lack of proper verification of a cryptographic signature. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-24355. | |||||
| CVE-2025-2763 | 2025-04-23 | N/A | 6.8 MEDIUM | ||
| CarlinKit CPC200-CCPA Improper Verification of Cryptographic Signature Code Execution Vulnerability. This vulnerability allows physically present attackers to execute arbitrary code on affected installations of CarlinKit CPC200-CCPA devices. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of update packages on USB drives. The issue results from the lack of proper verification of a cryptographic signature. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-24356. | |||||
| CVE-2022-42793 | 1 Apple | 3 Ipados, Iphone Os, Macos | 2025-04-22 | N/A | 5.5 MEDIUM |
| An issue in code signature validation was addressed with improved checks. This issue is fixed in macOS Big Sur 11.7, macOS Ventura 13, iOS 16, iOS 15.7 and iPadOS 15.7, macOS Monterey 12.6. An app may be able to bypass code signing checks. | |||||
| CVE-2025-43903 | 2025-04-21 | N/A | 4.3 MEDIUM | ||
| NSSCryptoSignBackend.cc in Poppler before 25.04.0 does not verify the adbe.pkcs7.sha1 signatures on documents, resulting in potential signature forgeries. | |||||
| CVE-2017-8177 | 1 Huawei | 1 Hiwallet | 2025-04-20 | 5.0 MEDIUM | 5.3 MEDIUM |
| Huawei APP HiWallet earlier than 5.0.3.100 versions do not support signature verification for APK file. An attacker could exploit this vulnerability to hijack the APK and upload modified APK file. Successful exploit could lead to the APP is hijacking. | |||||
| CVE-2017-5066 | 5 Apple, Google, Linux and 2 more | 8 Macos, Android, Chrome and 5 more | 2025-04-20 | 4.3 MEDIUM | 6.5 MEDIUM |
| Insufficient consistency checks in signature handling in the networking stack in Google Chrome prior to 58.0.3029.81 for Mac, Windows, and Linux, and 58.0.3029.83 for Android, allowed a remote attacker to incorrectly accept a badly formed X.509 certificate via a crafted HTML page. | |||||
| CVE-2017-16853 | 2 Debian, Shibboleth | 2 Debian Linux, Opensaml | 2025-04-20 | 6.8 MEDIUM | 8.1 HIGH |
| The DynamicMetadataProvider class in saml/saml2/metadata/impl/DynamicMetadataProvider.cpp in OpenSAML-C in OpenSAML before 2.6.1 fails to properly configure itself with the MetadataFilter plugins and does not perform critical security checks such as signature verification, enforcement of validity periods, and other checks specific to deployments, aka CPPOST-105. | |||||
| CVE-2016-8021 | 1 Mcafee | 1 Virusscan Enterprise | 2025-04-20 | 3.5 LOW | 5.0 MEDIUM |
| Improper verification of cryptographic signature vulnerability in Intel Security VirusScan Enterprise Linux (VSEL) 2.0.3 (and earlier) allows remote authenticated users to spoof update server and execute arbitrary code via a crafted input file. | |||||
| CVE-2017-12974 | 1 Connect2id | 1 Nimbus Jose\+jwt | 2025-04-20 | 5.0 MEDIUM | 7.5 HIGH |
| Nimbus JOSE+JWT before 4.36 proceeds with ECKey construction without ensuring that the public x and y coordinates are on the specified curve, which allows attackers to conduct an Invalid Curve Attack in environments where the JCE provider lacks the applicable curve validation. | |||||
| CVE-2014-9934 | 1 Google | 1 Android | 2025-04-20 | 9.3 HIGH | 7.8 HIGH |
| A PKCS#1 v1.5 signature verification routine in all Android releases from CAF using the Linux kernel may not check padding. | |||||
| CVE-2017-11400 | 1 Belden | 2 Tofino Xenon Security Appliance, Tofino Xenon Security Appliance Firmware | 2025-04-20 | 7.2 HIGH | 6.8 MEDIUM |
| An issue has been discovered on the Belden Hirschmann Tofino Xenon Security Appliance before 03.2.00. An incomplete firmware signature allows a local attacker to upgrade the equipment (kernel, file system) with unsigned, attacker-controlled, data. This occurs because the appliance_config file is signed but the .tar.sec file is unsigned. | |||||
| CVE-2017-12331 | 1 Cisco | 2 Nx-os, Unified Computing System | 2025-04-20 | 7.2 HIGH | 6.7 MEDIUM |
| A vulnerability in Cisco NX-OS System Software could allow an authenticated, local attacker to bypass signature verification when loading a software patch. The vulnerability is due to insufficient NX-OS signature verification for software patches. An authenticated, local attacker could exploit this vulnerability to bypass signature verification and load a crafted, unsigned software patch on a targeted device. The attacker would need valid administrator credentials to perform this exploit. This vulnerability affects the following products running Cisco NX-OS System Software: Multilayer Director Switches, Nexus 7000 Series Switches, Nexus 7700 Series Switches, Unified Computing System Manager. Cisco Bug IDs: CSCvf16494, CSCvf23655. | |||||
| CVE-2017-17847 | 2 Debian, Enigmail | 2 Debian Linux, Enigmail | 2025-04-20 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in Enigmail before 1.9.9. Signature spoofing is possible because the UI does not properly distinguish between an attachment signature, and a signature that applies to the entire containing message, aka TBE-01-021. This is demonstrated by an e-mail message with an attachment that is a signed e-mail message in message/rfc822 format. | |||||
| CVE-2017-13083 | 1 Rufus Project | 1 Rufus | 2025-04-20 | 6.8 MEDIUM | 5.3 MEDIUM |
| Akeo Consulting Rufus prior to version 2.17.1187 does not adequately validate the integrity of updates downloaded over HTTP, allowing an attacker to easily convince a user to execute arbitrary code | |||||
| CVE-2017-12333 | 1 Cisco | 2 Nx-os, Unified Computing System | 2025-04-20 | 4.6 MEDIUM | 6.7 MEDIUM |
| A vulnerability in Cisco NX-OS System Software could allow an authenticated, local attacker to bypass signature verification when loading a software image. The vulnerability is due to insufficient NX-OS signature verification for software images. An authenticated, local attacker could exploit this vulnerability to bypass signature verification and load a crafted, unsigned software image on a targeted device. The attacker would need valid administrator credentials to perform this exploit. This vulnerability affects the following products running Cisco NX-OS System Software: Multilayer Director Switches, Nexus 7000 Series Switches, Nexus 7700 Series Switches, Unified Computing System Manager. Cisco Bug IDs: CSCvf25045, CSCvf31495. | |||||
| CVE-2017-8190 | 1 Huawei | 1 Fusionsphere Openstack | 2025-04-20 | 4.6 MEDIUM | 6.7 MEDIUM |
| FusionSphere OpenStack V100R006C00SPC102(NFV)has an improper verification of cryptographic signature vulnerability. The software does not verify the cryptographic signature. An attacker with high privilege may exploit this vulnerability to inject malicious software. | |||||
| CVE-2017-6445 | 1 Openelec | 1 Openelec | 2025-04-20 | 7.6 HIGH | 8.1 HIGH |
| The auto-update feature of Open Embedded Linux Entertainment Center (OpenELEC) 6.0.3, 7.0.1, and 8.0.4 uses neither encrypted connections nor signed updates. A man-in-the-middle attacker could manipulate the update packages to gain root access remotely. | |||||
| CVE-2017-17848 | 2 Debian, Enigmail | 2 Debian Linux, Enigmail | 2025-04-20 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in Enigmail before 1.9.9. In a variant of CVE-2017-17847, signature spoofing is possible for multipart/related messages because a signed message part can be referenced with a cid: URI but not actually displayed. In other words, the entire containing message appears to be signed, but the recipient does not see any of the signed text. | |||||
| CVE-2017-2423 | 1 Apple | 2 Iphone Os, Mac Os X | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in certain Apple products. iOS before 10.3 is affected. macOS before 10.12.4 is affected. The issue involves the "Security" component. It allows remote attackers to bypass intended access restrictions by leveraging a successful result from a SecKeyRawVerify API call with an empty signature. | |||||
| CVE-2017-16852 | 2 Debian, Shibboleth | 2 Debian Linux, Service Provider | 2025-04-20 | 6.8 MEDIUM | 8.1 HIGH |
| shibsp/metadata/DynamicMetadataProvider.cpp in the Dynamic MetadataProvider plugin in Shibboleth Service Provider before 2.6.1 fails to properly configure itself with the MetadataFilter plugins and does not perform critical security checks such as signature verification, enforcement of validity periods, and other checks specific to deployments, aka SSPCPP-763. | |||||