Total
1215 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-27440 | 2024-11-21 | 4.8 Medium | ||
| The Toyoko Inn official App for iOS versions prior to 1.13.0 and Toyoko Inn official App for Android versions prior 1.3.14 don't properly verify server certificates, which allows a man-in-the-middle attacker to spoof servers and obtain sensitive information via a crafted certificate. | ||||
| CVE-2024-25140 | 2 Microsoft, Rustdesk | 2 Windows, Rustdesk | 2024-11-21 | 9.8 Critical |
| A default installation of RustDesk 1.2.3 on Windows places a WDKTestCert certificate under Trusted Root Certification Authorities with Enhanced Key Usage of Code Signing (1.3.6.1.5.5.7.3.3), valid from 2023 until 2033. This is potentially unwanted, e.g., because there is no public documentation of security measures for the private key, and arbitrary software could be signed if the private key were to be compromised. NOTE: the vendor's position is "we do not have EV cert, so we use test cert as a workaround." Insertion into Trusted Root Certification Authorities was the originally intended behavior, and the UI ensured that the certificate installation step (checked by default) was visible to the user before proceeding with the product installation. | ||||
| CVE-2024-25053 | 1 Ibm | 1 Cognos Analytics | 2024-11-21 | 5.9 Medium |
| IBM Cognos Analytics 11.2.0, 11.2.1, 11.2.2, 11.2.3, 11.2.4, 12.0.0, 12.0.1, and 12.0.2 is vulnerable to improper certificate validation when using the IBM Planning Analytics Data Source Connection. This could allow an attacker to spoof a trusted entity by interfering in the communication path between IBM Planning Analytics server and IBM Cognos Analytics server. IBM X-Force ID: 283364. | ||||
| CVE-2024-1052 | 1 Hashicorp | 1 Boundary | 2024-11-21 | 8 High |
| Boundary and Boundary Enterprise (“Boundary”) is vulnerable to session hijacking through TLS certificate tampering. An attacker with privileges to enumerate active or pending sessions, obtain a private key pertaining to a session, and obtain a valid trust on first use (TOFU) token may craft a TLS certificate to hijack an active session and gain access to the underlying service or application. | ||||
| CVE-2023-6680 | 1 Gitlab | 1 Gitlab | 2024-11-21 | 7.4 High |
| An improper certificate validation issue in Smartcard authentication in GitLab EE affecting all versions from 11.6 prior to 16.4.4, 16.5 prior to 16.5.4, and 16.6 prior to 16.6.2 allows an attacker to authenticate as another user given their public key if they use Smartcard authentication. Smartcard authentication is an experimental feature and has to be manually enabled by an administrator. | ||||
| CVE-2023-5909 | 4 Ge, Ptc, Rockwellautomation and 1 more | 8 Industrial Gateway Server, Keepserverex, Opc-aggregator and 5 more | 2024-11-21 | 7.5 High |
| KEPServerEX does not properly validate certificates from clients which may allow unauthenticated users to connect. | ||||
| CVE-2023-5594 | 1 Eset | 9 Endpoint Antivirus, Endpoint Security, File Security and 6 more | 2024-11-21 | 7.5 High |
| Improper validation of the server’s certificate chain in secure traffic scanning feature considered intermediate certificate signed using the MD5 or SHA1 algorithm as trusted. | ||||
| CVE-2023-5554 | 1 Linecorp | 1 Line | 2024-11-21 | 4.8 Medium |
| Lack of TLS certificate verification in log transmission of a financial module within LINE Client for iOS prior to 13.16.0. | ||||
| CVE-2023-5422 | 1 Otrs | 1 Otrs | 2024-11-21 | 8.7 High |
| The functions to fetch e-mail via POP3 or IMAP as well as sending e-mail via SMTP use OpenSSL for static SSL or TLS based communication. As the SSL_get_verify_result() function is not used the certificated is trusted always and it can not be ensured that the certificate satisfies all necessary security requirements. This could allow an attacker to use an invalid certificate to claim to be a trusted host, use expired certificates, or conduct other attacks that could be detected if the certificate is properly validated. This issue affects OTRS: from 7.0.X before 7.0.47, from 8.0.X before 8.0.37; ((OTRS)) Community Edition: from 6.0.X through 6.0.34. | ||||
| CVE-2023-51662 | 1 Snowflake | 1 Snowflake Connector | 2024-11-21 | 6 Medium |
| The Snowflake .NET driver provides an interface to the Microsoft .NET open source software framework for developing applications. Snowflake recently received a report about a vulnerability in the Snowflake Connector .NET where the checks against the Certificate Revocation List (CRL) were not performed where the insecureMode flag was set to false, which is the default setting. The vulnerability affects versions between 2.0.25 and 2.1.4 (inclusive). Snowflake fixed the issue in version 2.1.5. | ||||
| CVE-2023-50949 | 2024-11-21 | 5.9 Medium | ||
| IBM QRadar SIEM 7.5 could allow an unauthorized user to perform unauthorized actions due to improper certificate validation. IBM X-Force ID: 275706. | ||||
| CVE-2023-50454 | 1 Zammad | 1 Zammad | 2024-11-21 | 5.9 Medium |
| An issue was discovered in Zammad before 6.2.0. In several subsystems, SSL/TLS was used to establish connections to external services without proper validation of hostname and certificate authority. This is exploitable by man-in-the-middle attackers. | ||||
| CVE-2023-50179 | 1 Fortinet | 1 Fortiadc | 2024-11-21 | 4.7 Medium |
| An improper certificate validation vulnerability [CWE-295] in FortiADC 7.4.0, 7.2 all versions, 7.1 all versions, 7.0 all versions may allow a remote and unauthenticated attacker to perform a Man-in-the-Middle attack on the communication channel between the device and public SDN connectors. | ||||
| CVE-2023-50178 | 1 Fortinet | 1 Fortiadc | 2024-11-21 | 7.2 High |
| An improper certificate validation vulnerability [CWE-295] in FortiADC 7.4.0, 7.2.0 through 7.2.3, 7.1 all versions, 7.0 all versions, 6.2 all versions, 6.1 all versions and 6.0 all versions may allow a remote and unauthenticated attacker to perform a Man-in-the-Middle attack on the communication channel between the device and various remote servers such as private SDN connectors and FortiToken Cloud. | ||||
| CVE-2023-4801 | 1 Proofpoint | 1 Insider Threat Management | 2024-11-21 | 7.5 High |
| An improper certification validation vulnerability in the Insider Threat Management (ITM) Agent for MacOS could be used by an anonymous actor on an adjacent network to establish a man-in-the-middle position between the agent and the ITM server after the agent has registered. All versions prior to 7.14.3.69 are affected. Agents for Windows, Linux, and Cloud are unaffected. | ||||
| CVE-2023-4499 | 1 Hp | 20 Elite Mt645, Mt21, Mt22 and 17 more | 2024-11-21 | 7.5 High |
| A potential security vulnerability has been identified in the HP ThinUpdate utility (also known as HP Recovery Image and Software Download Tool) which may lead to information disclosure. HP is releasing mitigation for the potential vulnerability. | ||||
| CVE-2023-49312 | 1 Precisionbridge | 1 Precision Bridge | 2024-11-21 | 9.1 Critical |
| Precision Bridge PrecisionBridge.exe (aka the thick client) before 7.3.21 allows an integrity violation in which the same license key is used on multiple systems, via vectors involving a Process Hacker memory dump, error message inspection, and modification of a MAC address. | ||||
| CVE-2023-49247 | 1 Huawei | 2 Emui, Harmonyos | 2024-11-21 | 7.5 High |
| Permission verification vulnerability in distributed scenarios. Successful exploitation of this vulnerability may affect service confidentiality. | ||||
| CVE-2023-48054 | 1 Localstack | 1 Localstack | 2024-11-21 | 7.4 High |
| Missing SSL certificate validation in localstack v2.3.2 allows attackers to eavesdrop on communications between the host and server via a man-in-the-middle attack. | ||||
| CVE-2023-48052 | 1 Httpie | 1 Httpie | 2024-11-21 | 7.4 High |
| Missing SSL certificate validation in HTTPie v3.2.2 allows attackers to eavesdrop on communications between the host and server via a man-in-the-middle attack. | ||||