Total
1005 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2020-36127 | 1 Paxtechnology | 1 Paxstore | 2024-02-28 | 4.0 MEDIUM | 6.5 MEDIUM |
Pax Technology PAXSTORE v7.0.8_20200511171508 and lower is affected by an information disclosure vulnerability. Through the PUK signature functionality, an administrator will not have access to the current p12 certificate and password. When accessing this functionality, the administrator has the option to replace the current certificate and it is not possible to view the certificate password (p12) already deployed on the platform. The replacement p12 certificate returns to users in base64 with its password, which can be accessed by non-administrator users. | |||||
CVE-2021-22511 | 1 Microfocus | 1 Application Automation Tools | 2024-02-28 | 6.4 MEDIUM | 6.5 MEDIUM |
Improper Certificate Validation vulnerability in Micro Focus Application Automation Tools Plugin - Jenkins plugin. The vulnerability affects version 6.7 and earlier versions. The vulnerability could allow unconditionally disabling of SSL/TLS certificates. | |||||
CVE-2021-35193 | 1 Pattersondental | 1 Eaglesoft | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH |
Patterson Application Service in Patterson Eaglesoft 18 through 21 accepts the same certificate authentication across different customers' installations (that have the same software version). This provides remote access to SQL database credentials. (In the normal use of the product, retrieving those credentials only occurs after a username/password authentication step; however, this authentication step is on the client side, and an attacker can develop their own client that skips this step.) | |||||
CVE-2021-39360 | 2 Fedoraproject, Gnome | 2 Fedora, Libzapojit | 2024-02-28 | 4.3 MEDIUM | 5.9 MEDIUM |
In GNOME libzapojit through 0.0.3, zpj-skydrive.c does not enable TLS certificate verification on the SoupSessionSync objects it creates, leaving users vulnerable to network MITM attacks. NOTE: this is similar to CVE-2016-20011. | |||||
CVE-2021-39358 | 2 Fedoraproject, Gnome | 2 Fedora, Libgfbgraph | 2024-02-28 | 4.3 MEDIUM | 5.9 MEDIUM |
In GNOME libgfbgraph through 0.2.4, gfbgraph-photo.c does not enable TLS certificate verification on the SoupSessionSync objects it creates, leaving users vulnerable to network MITM attacks. NOTE: this is similar to CVE-2016-20011. | |||||
CVE-2021-36377 | 2 Fedoraproject, Fossil-scm | 2 Fedora, Fossil | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH |
Fossil before 2.14.2 and 2.15.x before 2.15.2 often skips the hostname check during TLS certificate validation. | |||||
CVE-2021-32581 | 1 Acronis | 3 Cyber Protect Cloud, Cyber Protection Agent, True Image | 2024-02-28 | 5.8 MEDIUM | 8.1 HIGH |
Acronis True Image prior to 2021 Update 4 for Windows, Acronis True Image prior to 2021 Update 5 for Mac, Acronis Agent prior to build 26653, Acronis Cyber Protect prior to build 27009 did not implement SSL certificate validation. | |||||
CVE-2020-36478 | 3 Arm, Debian, Siemens | 14 Mbed Tls, Debian Linux, Logo\! Cmr2020 and 11 more | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH |
An issue was discovered in Mbed TLS before 2.25.0 (and before 2.16.9 LTS and before 2.7.18 LTS). A NULL algorithm parameters entry looks identical to an array of REAL (size zero) and thus the certificate is considered valid. However, if the parameters do not match in any way, then the certificate should be considered invalid. | |||||
CVE-2021-20695 | 1 Dlink | 2 Dap-1880ac, Dap-1880ac Firmware | 2024-02-28 | 9.0 HIGH | 8.8 HIGH |
Improper following of a certificate's chain of trust vulnerability in DAP-1880AC firmware version 1.21 and earlier allows a remote authenticated attacker to gain root privileges via unspecified vectors. | |||||
CVE-2021-21374 | 1 Nim-lang | 1 Nim | 2024-02-28 | 6.8 MEDIUM | 8.1 HIGH |
Nimble is a package manager for the Nim programming language. In Nim release versions before versions 1.2.10 and 1.4.4, "nimble refresh" fetches a list of Nimble packages over HTTPS without full verification of the SSL/TLS certificate due to the default setting of httpClient. An attacker able to perform MitM can deliver a modified package list containing malicious software packages. If the packages are installed and used the attack escalates to untrusted code execution. | |||||
CVE-2021-22218 | 1 Gitlab | 1 Gitlab | 2024-02-28 | 4.0 MEDIUM | 2.6 LOW |
All versions of GitLab CE/EE starting from 12.8 before 13.10.5, all versions starting from 13.11 before 13.11.5, and all versions starting from 13.12 before 13.12.2 were affected by an issue in the handling of x509 certificates that could be used to spoof author of signed commits. | |||||
CVE-2020-12681 | 1 3xlogic | 2 Infinias Eidc32, Infinias Eidc32 Firmware | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH |
Missing TLS certificate validation on 3xLogic Infinias eIDC32 devices through 3.4.125 allows an attacker to intercept/control the channel by which door lock policies are applied. | |||||
CVE-2021-21559 | 1 Dell | 1 Emc Networker | 2024-02-28 | 2.9 LOW | 5.3 MEDIUM |
Dell EMC NetWorker, versions 18.x, 19.1.x, 19.2.x 19.3.x, 19.4, and 19.4.0.1 contain an Improper Certificate Validation vulnerability in the client (NetWorker Management Console) components which uses SSL encrypted connection in order to communicate with the application server. An unauthenticated attacker in the same network collision domain as the NetWorker Management Console client could potentially exploit this vulnerability to perform man-in-the-middle attacks to intercept and tamper the traffic between the client and the application server. | |||||
CVE-2020-15732 | 1 Bitdefender | 3 Antivirus Plus, Internet Security, Total Security | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH |
Improper Certificate Validation vulnerability in the Online Threat Prevention module as used in Bitdefender Total Security allows an attacker to potentially bypass HTTP Strict Transport Security (HSTS) checks. This issue affects: Bitdefender Total Security versions prior to 25.0.7.29. Bitdefender Internet Security versions prior to 25.0.7.29. Bitdefender Antivirus Plus versions prior to 25.0.7.29. | |||||
CVE-2021-22895 | 2 Debian, Nextcloud | 2 Debian Linux, Desktop | 2024-02-28 | 4.3 MEDIUM | 5.9 MEDIUM |
Nextcloud Desktop Client before 3.3.1 is vulnerable to improper certificate validation due to lack of SSL certificate verification when using the "Register with a Provider" flow. | |||||
CVE-2021-31597 | 1 Xmlhttprequest-ssl Project | 1 Xmlhttprequest-ssl | 2024-02-28 | 7.5 HIGH | 9.4 CRITICAL |
The xmlhttprequest-ssl package before 1.6.1 for Node.js disables SSL certificate validation by default, because rejectUnauthorized (when the property exists but is undefined) is considered to be false within the https.request function of Node.js. In other words, no certificate is ever rejected. | |||||
CVE-2021-32919 | 3 Debian, Fedoraproject, Prosody | 3 Debian Linux, Fedora, Prosody | 2024-02-28 | 4.3 MEDIUM | 7.5 HIGH |
An issue was discovered in Prosody before 0.11.9. The undocumented dialback_without_dialback option in mod_dialback enables an experimental feature for server-to-server authentication. It does not correctly authenticate remote server certificates, allowing a remote server to impersonate another server (when this option is enabled). | |||||
CVE-2021-39359 | 2 Fedoraproject, Gnome | 2 Fedora, Libgda | 2024-02-28 | 4.3 MEDIUM | 5.9 MEDIUM |
In GNOME libgda through 6.0.0, gda-web-provider.c does not enable TLS certificate verification on the SoupSessionSync objects it creates, leaving users vulnerable to network MITM attacks. NOTE: this is similar to CVE-2016-20011. | |||||
CVE-2016-20011 | 1 Gnome | 1 Libgrss | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH |
libgrss through 0.7.0 fails to perform TLS certificate verification when downloading feeds, allowing remote attackers to manipulate the contents of feeds without detection. This occurs because of the default behavior of SoupSessionSync. | |||||
CVE-2021-1134 | 1 Cisco | 1 Dna Center | 2024-02-28 | 5.8 MEDIUM | 7.4 HIGH |
A vulnerability in the Cisco Identity Services Engine (ISE) integration feature of the Cisco DNA Center Software could allow an unauthenticated, remote attacker to gain unauthorized access to sensitive data. The vulnerability is due to an incomplete validation of the X.509 certificate used when establishing a connection between DNA Center and an ISE server. An attacker could exploit this vulnerability by supplying a crafted certificate and could then intercept communications between the ISE and DNA Center. A successful exploit could allow the attacker to view and alter sensitive information that the ISE maintains about clients that are connected to the network. |