Vulnerabilities (CVE)

Filtered by CWE-295
Total 1039 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2015-7778 1 Gurunavi 1 Gournavi 2024-02-28 4.3 MEDIUM 5.9 MEDIUM
Gurunavi App for iOS before 6.0.0 does not verify SSL certificates which could allow remote attackers to perform man-in-the-middle attacks.
CVE-2015-2320 2 Debian, Mono-project 2 Debian Linux, Mono 2024-02-28 7.5 HIGH 9.8 CRITICAL
The TLS stack in Mono before 3.12.1 allows remote attackers to have unspecified impact via vectors related to client-side SSLv2 fallback.
CVE-2014-3451 1 Igniterealtime 1 Openfire 2024-02-28 5.0 MEDIUM 7.5 HIGH
OpenFire XMPP Server before 3.10 accepts self-signed certificates, which allows remote attackers to perform unspecified spoofing attacks.
CVE-2017-9758 1 Savitech-ic 1 Savitech Driver 2024-02-28 5.8 MEDIUM 7.4 HIGH
Savitech driver packages for Windows silently install a self-signed certificate into the Trusted Root Certification Authorities store, aka "Inaudible Subversion."
CVE-2014-3250 3 Apache, Puppet, Redhat 3 Http Server, Puppet, Linux 2024-02-28 4.0 MEDIUM 6.5 MEDIUM
The default vhost configuration file in Puppet before 3.6.2 does not include the SSLCARevocationCheck directive, which might allow remote attackers to obtain sensitive information via a revoked certificate when a Puppet master runs with Apache 2.4.
CVE-2017-1000209 1 Nv-websocket-client Project 1 Nv-websocket-client 2024-02-28 4.3 MEDIUM 5.9 MEDIUM
The Java WebSocket client nv-websocket-client does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL/TLS servers via an arbitrary valid certificate.
CVE-2015-5639 1 Dwango 1 Niconico 2024-02-28 5.8 MEDIUM 7.4 HIGH
niconico App for iOS before 6.38 does not verify SSL certificates which could allow remote attackers to execute man-in-the-middle attacks.
CVE-2015-6358 1 Cisco 48 Pvc2300, Pvc2300 Firmware, Rtp300 and 45 more 2024-02-28 4.3 MEDIUM 5.9 MEDIUM
Multiple Cisco embedded devices use hardcoded X.509 certificates and SSH host keys embedded in the firmware, which allows remote attackers to defeat cryptographic protection mechanisms and conduct man-in-the-middle attacks by leveraging knowledge of these certificates and keys from another installation, aka Bug IDs CSCuw46610, CSCuw46620, CSCuw46637, CSCuw46654, CSCuw46665, CSCuw46672, CSCuw46677, CSCuw46682, CSCuw46705, CSCuw46716, CSCuw46979, CSCuw47005, CSCuw47028, CSCuw47040, CSCuw47048, CSCuw47061, CSCuw90860, CSCuw90869, CSCuw90875, CSCuw90881, CSCuw90899, and CSCuw90913.
CVE-2017-7971 1 Schneider-electric 3 Citect Anywhere, Powerscada Anywhere, Powerscada Expert 2024-02-28 4.0 MEDIUM 6.5 MEDIUM
A vulnerability exists in Schneider Electric's PowerSCADA Anywhere v1.0 redistributed with PowerSCADA Expert v8.1 and PowerSCADA Expert v8.2 and Citect Anywhere version 1.0 that allows the use of outdated cipher suites and improper verification of peer SSL Certificate.
CVE-2015-2318 2 Debian, Mono-project 2 Debian Linux, Mono 2024-02-28 6.8 MEDIUM 8.1 HIGH
The TLS stack in Mono before 3.12.1 allows man-in-the-middle attackers to conduct message skipping attacks and consequently impersonate clients by leveraging missing handshake state validation, aka a "SMACK SKIP-TLS" issue.
CVE-2014-2845 2 Cyberduck, Microsoft 2 Cyberduck, Windows 2024-02-28 4.3 MEDIUM 5.9 MEDIUM
Cyberduck before 4.4.4 on Windows does not properly validate X.509 certificate chains, which allows man-in-the-middle attackers to spoof FTP-SSL servers via a certificate issued by an arbitrary root Certification Authority.
CVE-2017-12228 1 Cisco 2 Ios, Ios Xe 2024-02-28 4.3 MEDIUM 5.9 MEDIUM
A vulnerability in the Cisco Network Plug and Play application of Cisco IOS 12.4 through 15.6 and Cisco IOS XE 3.3 through 16.4 could allow an unauthenticated, remote attacker to gain unauthorized access to sensitive data by using an invalid certificate. The vulnerability is due to insufficient certificate validation by the affected software. An attacker could exploit this vulnerability by supplying a crafted certificate to an affected device. A successful exploit could allow the attacker to conduct man-in-the-middle attacks to decrypt confidential information on user connections to the affected software. Cisco Bug IDs: CSCvc33171.
CVE-2017-6594 2 Heimdal Project, Opensuse 2 Heimdal, Leap 2024-02-28 5.0 MEDIUM 7.5 HIGH
The transit path validation code in Heimdal before 7.3 might allow attackers to bypass the capath policy protection mechanism by leveraging failure to add the previous hop realm to the transit path of issued tickets.
CVE-2017-10620 1 Juniper 21 Junos, Srx100, Srx110 and 18 more 2024-02-28 5.8 MEDIUM 7.4 HIGH
Juniper Networks Junos OS on SRX series devices do not verify the HTTPS server certificate before downloading anti-virus updates. This may allow a man-in-the-middle attacker to inject bogus signatures to cause service disruptions or make the device not detect certain types of attacks. Affected Junos OS releases are: 12.1X46 prior to 12.1X46-D71; 12.3X48 prior to 12.3X48-D55; 15.1X49 prior to 15.1X49-D110;
CVE-2015-2943 1 Honda 1 Moto Linc 2024-02-28 4.3 MEDIUM 5.9 MEDIUM
Honda Moto LINC 1.6.1 does not verify SSL certificates.
CVE-2018-5258 1 Banconeon 1 Neon 2024-02-28 4.3 MEDIUM 5.9 MEDIUM
The Neon app 1.6.14 iOS does not verify X.509 certificates from SSL servers, which allows remote attackers to spoof servers and obtain sensitive information via a crafted certificate.
CVE-2015-2981 1 Yodobashi 1 Yodobashi 2024-02-28 4.3 MEDIUM 5.9 MEDIUM
The Yodobashi App for Android 1.2.1.0 and earlier does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
CVE-2015-2988 1 Rakutencard 1 Rakuten Card 2024-02-28 4.0 MEDIUM 7.4 HIGH
Rakuten card App for iOS 5.2.0 through 5.2.4 does not verify SSL certificates which might allow remote attackers to execute man-in-the-middle attacks.
CVE-2016-10511 1 Twitter 1 Twitter 2024-02-28 4.3 MEDIUM 5.9 MEDIUM
The Twitter iOS client versions 6.62 and 6.62.1 fail to validate Twitter's server certificates for the /1.1/help/settings.json configuration endpoint, permitting man-in-the-middle attackers the ability to view an application-only OAuth client token and potentially enable unreleased Twitter iOS app features.