Total
987 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-23167 | 1 Gallagher | 1 Command Centre | 2021-11-23 | 4.3 MEDIUM | 6.8 MEDIUM |
| Improper certificate validation vulnerability in SMTP Client allows man-in-the-middle attack to retrieve sensitive information from the Command Centre Server. This issue affects: Gallagher Command Centre 8.50 versions prior to 8.50.2048 (MR3); 8.40 versions prior to 8.40.2063 (MR4); 8.30 versions prior to 8.30.1454 (MR4) ; version 8.20 and prior versions. | |||||
| CVE-2021-23162 | 1 Gallagher | 1 Command Centre Mobile Connect | 2021-11-23 | 6.8 MEDIUM | 8.1 HIGH |
| Improper validation of the cloud certificate chain in Mobile Connect allows man-in-the-middle attack to impersonate the legitimate Command Centre Server. This issue affects: Gallagher Command Centre Mobile Connect for Android 15 versions prior to 15.04.040; version 14 and prior versions. | |||||
| CVE-2021-26320 | 1 Amd | 114 Epyc 7232p, Epyc 7232p Firmware, Epyc 7251 and 111 more | 2021-11-18 | 2.1 LOW | 5.5 MEDIUM |
| Insufficient validation of the AMD SEV Signing Key (ASK) in the SEND_START command in the SEV Firmware may allow a local authenticated attacker to perform a denial of service of the PSP | |||||
| CVE-2020-15133 | 1 Faye-websocket Project | 1 Faye-websocket | 2021-11-18 | 5.8 MEDIUM | 8.7 HIGH |
| In faye-websocket before version 0.11.0, there is a lack of certification validation in TLS handshakes. The `Faye::WebSocket::Client` class uses the `EM::Connection#start_tls` method in EventMachine to implement the TLS handshake whenever a `wss:` URL is used for the connection. This method does not implement certificate verification by default, meaning that it does not check that the server presents a valid and trusted TLS certificate for the expected hostname. That means that any `wss:` connection made using this library is vulnerable to a man-in-the-middle attack, since it does not confirm the identity of the server it is connected to. For further background information on this issue, please see the referenced GitHub Advisory. Upgrading `faye-websocket` to v0.11.0 is recommended. | |||||
| CVE-2015-4094 | 1 Thycotic | 1 Secret Server | 2021-11-09 | 5.8 MEDIUM | N/A |
| The Thycotic Password Manager Secret Server application through 2.3 for iOS does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | |||||
| CVE-2021-41019 | 1 Fortinet | 1 Fortios | 2021-11-04 | 4.3 MEDIUM | 6.5 MEDIUM |
| An improper validation of certificate with host mismatch [CWE-297] vulnerability in FortiOS versions 6.4.6 and below may allow the connection to a malicious LDAP server via options in GUI, leading to disclosure of sensitive information, such as AD credentials. | |||||
| CVE-2021-36756 | 1 Northern.tech | 1 Cfengine | 2021-11-04 | 6.4 MEDIUM | 6.5 MEDIUM |
| CFEngine Enterprise 3.15.0 through 3.15.4 has Missing SSL Certificate Validation. | |||||
| CVE-2019-19101 | 1 Br-automation | 1 Automation Studio | 2021-11-03 | 4.3 MEDIUM | 5.9 MEDIUM |
| A missing secure communication definition and an incomplete TLS validation in the upgrade service in B&R Automation Studio versions 4.0.x, 4.1.x, 4.2.x, < 4.3.11SP, < 4.4.9SP, < 4.5.5SP, < 4.6.4 and < 4.7.2 enable unauthenticated users to perform MITM attacks via the B&R upgrade server. | |||||
| CVE-2021-29737 | 3 Ibm, Linux, Microsoft | 4 Aix, Infosphere Information Server, Linux Kernel and 1 more | 2021-11-03 | 5.0 MEDIUM | 7.5 HIGH |
| IBM InfoSphere Data Flow Designer Engine (IBM InfoSphere Information Server 11.7 ) component has improper validation of the REST API server certificate. IBM X-Force ID: 201301. | |||||
| CVE-2019-1940 | 1 Cisco | 1 Industrial Network Director | 2021-10-29 | 4.3 MEDIUM | 5.9 MEDIUM |
| A vulnerability in the Web Services Management Agent (WSMA) feature of Cisco Industrial Network Director (IND) could allow an unauthenticated, remote attacker to gain unauthorized read access to sensitive data using an invalid X.509 certificate. The vulnerability is due to insufficient X.509 certificate validation when establishing a WSMA connection. An attacker could exploit this vulnerability by supplying a crafted X.509 certificate during the WSMA connection setup phase. A successful exploit could allow the attacker to conduct man-in-the-middle attacks to decrypt confidential information on WSMA connections to the affected software. At the time of publication, this vulnerability affected Cisco IND Software releases prior to 1.7. | |||||
| CVE-2021-20833 | 1 Soda-inc | 1 Snkrdunk | 2021-10-19 | 5.8 MEDIUM | 7.4 HIGH |
| The SNKRDUNK Market Place App for iOS versions prior to 2.2.0 does not verify server certificate properly, which allows man-in-the-middle attackers to eavesdrop on and/or alter encrypted communication via a crafted certificate. | |||||
| CVE-2021-25634 | 2 Debian, Libreoffice | 2 Debian Linux, Libreoffice | 2021-10-18 | 5.0 MEDIUM | 7.5 HIGH |
| LibreOffice supports digital signatures of ODF documents and macros within documents, presenting visual aids that no alteration of the document occurred since the last signing and that the signature is valid. An Improper Certificate Validation vulnerability in LibreOffice allowed an attacker to modify a digitally signed ODF document to insert an additional signing time timestamp which LibreOffice would incorrectly present as a valid signature signed at the bogus signing time. This issue affects: The Document Foundation LibreOffice 7-0 versions prior to 7.0.6; 7-1 versions prior to 7.1.2. | |||||
| CVE-2021-25633 | 2 Debian, Libreoffice | 2 Debian Linux, Libreoffice | 2021-10-18 | 5.0 MEDIUM | 7.5 HIGH |
| LibreOffice supports digital signatures of ODF documents and macros within documents, presenting visual aids that no alteration of the document occurred since the last signing and that the signature is valid. An Improper Certificate Validation vulnerability in LibreOffice allowed an attacker to create a digitally signed ODF document, by manipulating the documentsignatures.xml or macrosignatures.xml stream within the document to combine multiple certificate data, which when opened caused LibreOffice to display a validly signed indicator but whose content was unrelated to the signature shown. This issue affects: The Document Foundation LibreOffice 7-0 versions prior to 7.0.6; 7-1 versions prior to 7.1.2. | |||||
| CVE-2020-11050 | 1 Java-websocket Project | 1 Java-websocket | 2021-10-07 | 6.8 MEDIUM | 8.1 HIGH |
| In Java-WebSocket less than or equal to 1.4.1, there is an Improper Validation of Certificate with Host Mismatch where WebSocketClient does not perform SSL hostname validation. This has been patched in 1.5.0. | |||||
| CVE-2021-33907 | 1 Zoom | 1 Meetings | 2021-10-06 | 10.0 HIGH | 9.8 CRITICAL |
| The Zoom Client for Meetings for Windows in all versions before 5.3.0 fails to properly validate the certificate information used to sign .msi files when performing an update of the client. This could lead to remote code execution in an elevated privileged context. | |||||
| CVE-2021-40713 | 1 Adobe | 1 Experience Manager | 2021-10-01 | 4.3 MEDIUM | 5.9 MEDIUM |
| Adobe Experience Manager version 6.5.9.0 (and earlier) is affected by a improper certificate validation vulnerability in the cold storage component. If an attacker can achieve a man in the middle when the cold server establishes a new certificate, they would be able to harvest sensitive information. | |||||
| CVE-2021-38864 | 1 Ibm | 1 Security Verify Bridge | 2021-09-29 | 5.0 MEDIUM | 7.5 HIGH |
| IBM Security Verify Bridge 1.0.5.0 could allow a user to obtain sensitive information due to improper certificate validation. IBM X-Force ID: 208155. | |||||
| CVE-2021-20435 | 1 Ibm | 1 Security Verify Bridge | 2021-09-29 | 2.1 LOW | 5.5 MEDIUM |
| IBM Security Verify Bridge 1.0.5.0 does not properly validate a certificate which could allow a local attacker to obtain sensitive information that could aid in further attacks against the system. IBM X-Force ID: 196355. | |||||
| CVE-2021-33695 | 1 Sap | 1 Cloud Connector | 2021-09-28 | 6.4 MEDIUM | 9.1 CRITICAL |
| Potentially, SAP Cloud Connector, version - 2.0 communication with the backend is accepted without sufficient validation of the certificate. | |||||
| CVE-2020-11580 | 4 Apple, Linux, Oracle and 1 more | 5 Macos, Linux Kernel, Solaris and 2 more | 2021-09-16 | 6.4 MEDIUM | 9.1 CRITICAL |
| An issue was discovered in Pulse Secure Pulse Connect Secure (PCS) through 2020-04-06. The applet in tncc.jar, executed on macOS, Linux, and Solaris clients when a Host Checker policy is enforced, accepts an arbitrary SSL certificate. | |||||