CVE Daily
← All tags

Tag: Mitm

All CVEs associated with "Mitm". Page 12/32 • 3811 CVEs.

Subscribe CVEs: RSS for “Mitm”  ·  RSS (High+Critical only)

About “Mitm”

A curated feed of “Mitm”-related CVEs appears below. We currently track 3811 CVEs for this tag (all time). In the last 365 days, 220 were published. Average CVSS is 6.1 (all time; 6.6 over 365d), and 25% are rated High/Critical (all time). Top CWEs (last 365 days): CWE-295 - Improper Certificate Validation, CWE-319 - Cleartext Transmission of Sensitive Information, CWE-297 - Improper Validation of Certificate with Host Mismatch.

In our taxonomy this topic maps to a MODERATE impact class. Common exploitation patterns for this weakness can lead to moderate. Use the filters to triage high risk first and validate exposure in your environment. Use the filters below to sort by CVSS, risk and CWE. Each detail page highlights vendor advisories and mitigation tips.

CVEs tagged with this topic. Filters apply to the whole list (loaded from JSON).

CVSS ≥ 0.0
2018-04-24
High

CVE-2017-2835

An exploitable code execution vulnerability exists in the RDP receive functionality of FreeRDP 2.0.0-beta1+android11. A specially crafted server response can cause an out-of-bounds write resulting in…

CVSS: 8.1 CWE: CWE-787 - Out-of-bounds Write View on NVD
High

CVE-2017-2834

An exploitable code execution vulnerability exists in the authentication functionality of FreeRDP 2.0.0-beta1+android11. A specially crafted server response can cause an out-of-bounds write resulting…

CVSS: 7.0 CWE: CWE-787 - Out-of-bounds Write View on NVD
2018-04-20
High

CVE-2017-2825

In the trapper functionality of Zabbix Server 2.4.x, specifically crafted trapper packets can pass database logic checks, resulting in database writes. An attacker can set up a Man-in-the-Middle serv…

CVSS: 7.0 CWE: N/A View on NVD
Medium

CVE-2014-6108

IBM Tivoli Identity Manager 5.1.x before 5.1.0.15-ISS-TIM-IF0057 and Security Identity Manager 6.0.x before 6.0.0.4-ISS-SIM-IF0001 and 7.0.x before 7.0.0.0-ISS-SIM-IF0003 might allow man-in-the-middl…

CVSS: 5.9 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2018-04-18
Medium

CVE-2018-1000159

tlslite-ng version 0.7.3 and earlier, since commit d7b288316bca7bcdd082e6ccff5491e241305233 contains a CWE-354: Improper Validation of Integrity Check Value vulnerability in TLS implementation, tlsli…

CVSS: 5.9 CWE: CWE-354 - Improper Validation of Integrity Check Value View on NVD
Medium

CVE-2017-12196

undertow before versions 1.4.18.SP1, 2.0.2.Final, 1.4.24.Final was found vulnerable when using Digest authentication, the server does not ensure that the value of URI in the Authorization header matc…

CVSS: 4.8 CWE: CWE-287 - Improper Authentication View on NVD
2018-04-12
Medium

CVE-2015-1777

rhnreg_ks in Red Hat Network Client Tools (aka rhn-client-tools) on Red Hat Gluster Storage 2.1 and Enterprise Linux (RHEL) 5, 6, and 7 does not properly validate hostnames in X.509 certificates from…

CVSS: 5.9 CWE: CWE-295 - Improper Certificate Validation View on NVD
2018-04-11
Medium

CVE-2017-8154

The Themes App Honor 8 Lite Huawei mobile phones with software of versions before Prague-L31C576B172, versions before Prague-L31C530B160, versions before Prague-L31C432B180 has a man-in-the-middle (M…

CVSS: 5.3 CWE: CWE-319 - Cleartext Transmission of Sensitive Information View on NVD
2018-04-10
Medium

CVE-2015-1957

IBM WebSphere MQ 7.5.x before 7.5.0.6 and 8.0.x before 8.0.0.3 allows remote authenticated users to obtain sensitive information via a man-in-the-middle attack, related to duplication of message data…

CVSS: 5.3 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2018-04-09
High

CVE-2018-0553

The iRemoconWiFi App for Android version 4.1.7 and earlier does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive informat…

CVSS: 7.4 CWE: CWE-295 - Improper Certificate Validation View on NVD
2018-04-05
Medium

CVE-2018-1000151

A man in the middle vulnerability exists in Jenkins vSphere Plugin 2.16 and older in VSphere.java that disables SSL/TLS certificate validation by default.

CVSS: 5.6 CWE: CWE-295 - Improper Certificate Validation View on NVD
Medium

CVE-2018-1000149

A man in the middle vulnerability exists in Jenkins Ansible Plugin 0.8 and older in AbstractAnsibleInvocation.java, AnsibleAdHocCommandBuilder.java, AnsibleAdHocCommandInvocationTest.java, AnsibleCon…

CVSS: 5.6 CWE: N/A View on NVD
2018-04-04
High

CVE-2017-3969

Abuse of communication channels vulnerability in the server in McAfee Network Security Management (NSM) before 8.2.7.42.2 allows man-in-the-middle attackers to decrypt messages via an inadequate impl…

CVSS: 8.2 CWE: CWE-417 View on NVD
2018-04-03
Medium

CVE-2018-4174

An issue was discovered in certain Apple products. iOS before 11.3 is affected. macOS before 10.13.4 is affected. The issue involves the "Mail" component. It allows man-in-the-middle attackers to rea…

CVSS: 5.9 CWE: N/A View on NVD
Medium

CVE-2018-4111

An issue was discovered in certain Apple products. macOS before 10.13.4 is affected. The issue involves the "Mail" component. It allows man-in-the-middle attackers to read S/MIME encrypted message co…

CVSS: 5.9 CWE: CWE-347 - Improper Verification of Cryptographic Signature View on NVD
Medium

CVE-2017-7164

An issue was discovered in certain Apple products. iOS before 11.2 is affected. tvOS before 11.2 is affected. The issue involves the "App Store" component. It allows man-in-the-middle attackers to sp…

CVSS: 5.9 CWE: CWE-20 - Improper Input Validation View on NVD
Medium

CVE-2017-13863

An issue was discovered in certain Apple products. iOS before 11 is affected. The issue involves the "APNs" component. It allows man-in-the-middle attackers to track users by leveraging the transmiss…

CVSS: 5.9 CWE: CWE-295 - Improper Certificate Validation View on NVD
2018-03-29
Medium

CVE-2015-4953

IBM BigFix Remote Control before Interim Fix pack 9.1.2-TIV-IBRC912-IF0001 makes it easier for man-in-the-middle attackers to decrypt traffic by leveraging a weakness in its encryption protocol. IBM…

CVSS: 4.8 CWE: CWE-326 - Inadequate Encryption Strength View on NVD
2018-03-26
Medium

CVE-2018-1348

NetIQ Identity Manager driver, in versions prior to 4.7, allows for an SSL handshake renegotiation which could result in a MITM attack.

CVSS: 5.3 CWE: N/A View on NVD
2018-03-24
High

CVE-2018-8970

The int_x509_param_set_hosts function in lib/libcrypto/x509/x509_vpm.c in LibreSSL 2.7.0 before 2.7.1 does not support a certain special case of a zero name length, which causes silent omission of ho…

CVSS: 7.4 CWE: CWE-295 - Improper Certificate Validation View on NVD
2018-03-15
High

CVE-2018-6221

An unvalidated software update vulnerability in Trend Micro Email Encryption Gateway 5.5 could allow a man-in-the-middle attacker to tamper with an update file and inject their own.

CVSS: 8.1 CWE: CWE-295 - Improper Certificate Validation View on NVD
2018-03-13
High

CVE-2018-1000096

brianleroux tiny-json-http version all versions since commit 9b8e74a232bba4701844e07bcba794173b0238a8 (Oct 29 2016) contains a Missing SSL certificate validation vulnerability in The libraries core f…

CVSS: 8.1 CWE: CWE-295 - Improper Certificate Validation View on NVD
2018-03-12
High

CVE-2016-9952

The verify_certificate function in lib/vtls/schannel.c in libcurl 7.30.0 through 7.51.0, when built for Windows CE using the schannel TLS backend, makes it easier for remote attackers to conduct man-…

CVSS: 8.1 CWE: CWE-295 - Improper Certificate Validation View on NVD
High

CVE-2017-2667

Hammer CLI, a CLI utility for Foreman, before version 0.10.0, did not explicitly set the verify_ssl flag for apipie-bindings that disable it by default. As a result the server certificates are not ch…

CVSS: 8.1 CWE: CWE-345 - Insufficient Verification of Data Authenticity View on NVD
2018-03-09
Low

CVE-2017-17325

Huawei video applications HiCinema with software of 8.0.3.308; 8.0.4.300 have a permission control vulnerability. Due to improper verification of specific interface, an attacker who is on the same ne…

CVSS: 3.7 CWE: N/A View on NVD
2018-03-06
Medium

CVE-2018-5471

A Cleartext Transmission of Sensitive Information issue was discovered in Belden Hirschmann RS, RSR, RSB, MACH100, MACH1000, MACH4000, MS, and OCTOPUS Classic Platform Switches. A cleartext transmiss…

CVSS: 5.9 CWE: CWE-319 - Cleartext Transmission of Sensitive Information View on NVD
Medium

CVE-2018-5461

An Inadequate Encryption Strength issue was discovered in Belden Hirschmann RS, RSR, RSB, MACH100, MACH1000, MACH4000, MS, and OCTOPUS Classic Platform Switches. An inadequate encryption strength vul…

CVSS: 6.5 CWE: CWE-326 - Inadequate Encryption Strength View on NVD
Medium

CVE-2018-6019

Samsung Display Solutions App before 3.02 for Android allows man-in-the-middle attackers to spoof B2B content by leveraging failure to use encryption during information transmission.

CVSS: 5.9 CWE: CWE-319 - Cleartext Transmission of Sensitive Information View on NVD
2018-03-01
High

CVE-2017-7436

In libzypp before 20170803 it was possible to retrieve unsigned packages without a warning to the user which could lead to man in the middle or malicious servers to inject malicious RPM packages into…

CVSS: 8.1 CWE: CWE-20 - Improper Input Validation View on NVD
High

CVE-2017-7435

In libzypp before 20170803 it was possible to add unsigned YUM repositories without warning to the user that could lead to man in the middle or malicious servers to inject malicious RPM packages into…

CVSS: 8.1 CWE: CWE-20 - Improper Input Validation View on NVD
2018-02-23
Medium

CVE-2018-0518

LINE for iOS version 7.1.3 to 7.1.5 does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certi…

CVSS: 5.9 CWE: CWE-295 - Improper Certificate Validation View on NVD
2018-02-20
Medium

CVE-2017-17455

Mahara 16.10 before 16.10.7, 17.04 before 17.04.5, and 17.10 before 17.10.2 are vulnerable to being forced, via a man-in-the-middle attack, to interact with Mahara on the HTTP protocol rather than HT…

CVSS: 5.9 CWE: CWE-295 - Improper Certificate Validation View on NVD
Medium

CVE-2017-10963

In Knox SDS IAM (Identity Access Management) and EMM (Enterprise Mobility Management) 16.11 on Samsung mobile devices, a man-in-the-middle attacker can install any application into the Knox container…

CVSS: 5.9 CWE: CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') View on NVD
2018-02-18
High

CVE-2018-7211

An issue was discovered in iDashboards 9.6b. The SSO implementation is affected by a weak obfuscation library, allowing man-in-the-middle attackers to discover credentials.

CVSS: 8.1 CWE: CWE-327 - Use of a Broken or Risky Cryptographic Algorithm View on NVD
2018-02-15
Medium

CVE-2017-12721

An Improper Certificate Validation issue was discovered in Smiths Medical Medfusion 4000 Wireless Syringe Infusion Pump, Version 1.1, 1.5, and 1.6. The pump does not validate host certificates, leavi…

CVSS: 5.9 CWE: CWE-295 - Improper Certificate Validation View on NVD
2018-02-14
High

CVE-2018-7032

webcheckout in myrepos through 1.20171231 does not sanitize URLs that are passed to git clone, allowing a malicious website operator or a MitM attacker to take advantage of it for arbitrary code exec…

CVSS: 7.5 CWE: CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') View on NVD
2018-02-12
Medium

CVE-2017-9968

A security misconfiguration vulnerability exists in Schneider Electric's IGSS Mobile application versions 3.01 and prior in which a lack of certificate pinning during the TLS/SSL connection establish…

CVSS: 5.9 CWE: CWE-295 - Improper Certificate Validation View on NVD
2018-02-09
Medium

CVE-2018-1000021

GIT version 2.15.1 and earlier contains a Input Validation Error vulnerability in Client that can result in problems including messing up terminal configuration to RCE. This attack appear to be explo…

CVSS: 5.0 CWE: CWE-20 - Improper Input Validation View on NVD
High

CVE-2018-6827

VOBOT CLOCK before 0.99.30 devices do not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information, and consequently exec…

CVSS: 8.1 CWE: CWE-295 - Improper Certificate Validation View on NVD
High

CVE-2018-6826

An issue was discovered on VOBOT CLOCK before 0.99.30 devices. Cleartext HTTP is used to download a breakout program, and therefore man-in-the-middle attackers can execute arbitrary code by watching…

CVSS: 7.5 CWE: N/A View on NVD
2018-02-02
High

CVE-2018-5261

An issue was discovered in Flexense DiskBoss 8.8.16 and earlier. Due to the usage of plaintext information from the handshake as input for the encryption key used for the encryption of the rest of th…

CVSS: 8.1 CWE: CWE-311 - Missing Encryption of Sensitive Data View on NVD
2018-02-01
High

CVE-2017-3160

After the Android platform is added to Cordova the first time, or after a project is created using the build scripts, the scripts will fetch Gradle on the first build. However, since the default URI…

CVSS: 7.4 CWE: N/A View on NVD
2018-01-31
Medium

CVE-2017-1773

IBM DataPower Gateways 7.1, 7,2, 7.5, and 7.6 could allow an attacker using man-in-the-middle techniques to spoof DNS responses to perform DNS cache poisoning and redirect Internet traffic. IBM X-For…

CVSS: 4.0 CWE: CWE-345 - Insufficient Verification of Data Authenticity View on NVD
2018-01-26
Medium

CVE-2017-1000402

Jenkins Swarm Plugin Client 3.4 and earlier bundled a version of the commons-httpclient library with the vulnerability CVE-2012-6153 that incorrectly verified SSL certificates, making it susceptible…

CVSS: 5.9 CWE: CWE-20 - Improper Input Validation View on NVD
Medium

CVE-2017-1000397

Jenkins Maven Plugin 2.17 and earlier bundled a version of the commons-httpclient library with the vulnerability CVE-2012-6153 that incorrectly verified SSL certificates, making it susceptible to man…

CVSS: 5.9 CWE: CWE-20 - Improper Input Validation View on NVD
Medium

CVE-2017-1000396

Jenkins 2.73.1 and earlier, 2.83 and earlier bundled a version of the commons-httpclient library with the vulnerability CVE-2012-6153 that incorrectly verified SSL certificates, making it susceptible…

CVSS: 5.9 CWE: CWE-295 - Improper Certificate Validation View on NVD
2018-01-23
Medium

CVE-2017-15090

An issue has been found in the DNSSEC validation component of PowerDNS Recursor from 4.0.0 and up to and including 4.0.6, where the signatures might have been accepted as valid even if the signed dat…

CVSS: 5.9 CWE: CWE-347 - Improper Verification of Cryptographic Signature View on NVD
2018-01-22
Low

CVE-2018-1000003

Improper input validation bugs in DNSSEC validators components in PowerDNS version 4.1.0 allow attacker in man-in-the-middle position to deny existence of some data in DNS via packet replay.

CVSS: 3.7 CWE: CWE-20 - Improper Input Validation View on NVD
Low

CVE-2018-1000002

Improper input validation bugs in DNSSEC validators components in Knot Resolver (prior version 1.5.2) allow attacker in man-in-the-middle position to deny existence of some data in DNS via packet rep…

CVSS: 3.7 CWE: CWE-20 - Improper Input Validation View on NVD
High

CVE-2018-5761

A man-in-the-middle vulnerability related to vCenter access was found in Rubrik CDM 3.x and 4.x before 4.0.4-p2. This vulnerability might expose Rubrik user credentials configured to access vCenter a…

CVSS: 8.1 CWE: CWE-295 - Improper Certificate Validation View on NVD
2018-01-12
Medium

CVE-2015-2981

The Yodobashi App for Android 1.2.1.0 and earlier does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a…

CVSS: 5.9 CWE: CWE-295 - Improper Certificate Validation View on NVD
2018-01-09
Medium

CVE-2017-12697

A Man-in-the-Middle issue was discovered in General Motors (GM) and Shanghai OnStar (SOS) SOS iOS Client 7.1. Successful exploitation of this vulnerability may allow an attacker to intercept sensitiv…

CVSS: 5.9 CWE: CWE-300 - Channel Accessible by Non-Endpoint View on NVD
2018-01-08
High

CVE-2015-2318

The TLS stack in Mono before 3.12.1 allows man-in-the-middle attackers to conduct message skipping attacks and consequently impersonate clients by leveraging missing handshake state validation, aka a…

CVSS: 8.1 CWE: CWE-295 - Improper Certificate Validation View on NVD
Medium

CVE-2014-3607

DefaultHostnameVerifier in Ldaptive (formerly vt-ldap) does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) field of the X.509 certificate, which…

CVSS: 5.9 CWE: CWE-295 - Improper Certificate Validation View on NVD
2018-01-05
High

CVE-2017-16905

The DuoLingo TinyCards application before 1.0 for Android has one use of unencrypted HTTP, which allows remote attackers to spoof content, and consequently achieve remote code execution, via a man-in…

CVSS: 8.1 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
2017-12-26
Medium

CVE-2017-12740

Siemens LOGO! Soft Comfort (All versions before V8.2) lacks integrity verification of software packages downloaded via an unprotected communication channel. This could allow a remote attacker to mani…

CVSS: 5.9 CWE: CWE-494 - Download of Code Without Integrity Check View on NVD
2017-12-25
Medium

CVE-2017-13864

An issue was discovered in certain Apple products. iCloud before 7.2 on Windows is affected. iTunes before 12.7.2 on Windows is affected. The issue involves the "APNs Server" component. It allows man…

CVSS: 5.9 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
Medium

CVE-2017-13860

An issue was discovered in certain Apple products. iOS before 11.2 is affected. macOS before 10.13.2 is affected. The issue involves the "Mail Drafts" component. It allows man-in-the-middle attackers…

CVSS: 5.9 CWE: N/A View on NVD
2017-12-20
High

CVE-2017-1694

IBM Integration Bus 9.0 and 10.0 transmits user credentials in plain in clear text which can be read by an attacker using man in the middle techniques. IBM X-Force ID: 134165.

CVSS: 8.1 CWE: CWE-319 - Cleartext Transmission of Sensitive Information View on NVD
2017-12-16
High

CVE-2017-3194

Pandora iOS app prior to version 8.3.2 fails to properly validate SSL certificates provided by HTTPS connections, which may enable an attacker to conduct man-in-the-middle (MITM) attacks.

CVSS: 8.1 CWE: CWE-295 - Improper Certificate Validation View on NVD
High

CVE-2017-3190

Flash Seats Mobile App for Android version 1.7.9 and earlier and for iOS version 1.9.51 and earlier fails to properly validate SSL certificates provided by HTTPS connections, which may enable an atta…

CVSS: 7.5 CWE: CWE-295 - Improper Certificate Validation View on NVD
2017-12-13
High

CVE-2017-14361

Man-In-The-Middle vulnerability in Micro Focus Project and Portfolio Management Center, version 9.32. This vulnerability could be exploited to allow a Man-in-the-middle attack.

CVSS: 7.4 CWE: N/A View on NVD
2017-12-05
Medium

CVE-2016-1252

The apt package in Debian jessie before 1.0.9.8.4, in Debian unstable before 1.4~beta2, in Ubuntu 14.04 LTS before 1.0.1ubuntu2.17, in Ubuntu 16.04 LTS before 1.2.15ubuntu0.2, and in Ubuntu 16.10 bef…

CVSS: 5.9 CWE: CWE-295 - Improper Certificate Validation View on NVD
2017-12-01
High

CVE-2017-10874

PWR-Q200 does not use random values for source ports of DNS query packets, which allows remote attackers to conduct DNS cache poisoning attacks.

CVSS: 7.5 CWE: CWE-330 - Use of Insufficiently Random Values View on NVD
2017-11-22
Low

CVE-2017-2739

The upgrade package of Huawei Vmall APP Earlier than HwVmall 1.5.3.0 versions is transferred through HTTP. A man in the middle (MITM) can tamper with the upgrade package of Huawei Vmall APP, and to i…

CVSS: 3.1 CWE: CWE-494 - Download of Code Without Integrity Check View on NVD
2017-11-21
High

CVE-2017-5729

Frame replay vulnerability in Wi-Fi subsystem in Intel Dual-Band and Tri-Band Wireless-AC Products allows remote attacker to replay frames via channel-based man-in-the-middle.

CVSS: 7.4 CWE: N/A View on NVD
2017-11-17
High

CVE-2017-6168

On BIG-IP versions 11.6.0-11.6.2 (fixed in 11.6.2 HF1), 12.0.0-12.1.2 HF1 (fixed in 12.1.2 HF2), or 13.0.0-13.0.0 HF2 (fixed in 13.0.0 HF3) a virtual server configured with a Client SSL profile may b…

CVSS: 7.4 CWE: CWE-203 - Observable Discrepancy View on NVD
Medium

CVE-2017-1000209

The Java WebSocket client nv-websocket-client does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which…

CVSS: 5.9 CWE: CWE-295 - Improper Certificate Validation View on NVD
2017-11-15
Medium

CVE-2014-2845

Cyberduck before 4.4.4 on Windows does not properly validate X.509 certificate chains, which allows man-in-the-middle attackers to spoof FTP-SSL servers via a certificate issued by an arbitrary root…

CVSS: 5.9 CWE: CWE-295 - Improper Certificate Validation View on NVD
2017-11-13
Medium

CVE-2017-1229

IBM Tivoli Endpoint Manager (IBM BigFix 9.2 and 9.5) could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security. An attacke…

CVSS: 5.9 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2017-11-01
Critical

CVE-2017-14021

A Use of Hard-coded Cryptographic Key issue was discovered in Korenix JetNet JetNet5018G version 1.4, JetNet5310G version 1.4a, JetNet5428G-2G-2FX version 1.4, JetNet5628G-R version 1.4, JetNet5628G…

CVSS: 9.8 CWE: CWE-321 - Use of Hard-coded Cryptographic Key View on NVD
2017-10-31
Medium

CVE-2017-3934

Missing HTTP Strict Transport Security state information vulnerability in the server in McAfee Network Data Loss Prevention (NDLP) 9.3.x allows man-in-the-middle attackers to expose confidential data…

CVSS: 5.9 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2017-10-26
Low

CVE-2017-1228

IBM Tivoli Endpoint Manager (IBM BigFix Platform 9.2 and 9.5) could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable the secure cookie attribute. An a…

CVSS: 3.7 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2017-10-24
Medium

CVE-2013-3734

The Embedded Jopr component in JBoss Application Server includes the cleartext datasource password in unspecified HTML responses, which might allow (1) man-in-the-middle attackers to obtain sensitive…

CVSS: 6.6 CWE: CWE-255 View on NVD
2017-10-23
Medium

CVE-2011-2683

reseed seeds random numbers from an insecure HTTP request to random.org during installation, which makes it easier for remote attackers to defeat cryptographic protection mechanisms via a man-in-the-…

CVSS: 5.9 CWE: CWE-254 View on NVD
2017-10-20
High

CVE-2017-13127

The VIP.com application for IOS and Android allows remote attackers to obtain sensitive information and hijack the authentication of users via a rogue access point and a man-in-the-middle attack.

CVSS: 8.1 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
High

CVE-2017-6144

In F5 BIG-IP PEM 12.1.0 through 12.1.2 when downloading the Type Allocation Code (TAC) database file via HTTPS, the server's certificate is not verified. Attackers in a privileged network position ma…

CVSS: 7.4 CWE: CWE-295 - Improper Certificate Validation View on NVD
2017-10-19
High

CVE-2017-15643

An active network attacker (MiTM) can achieve remote code execution on a machine that runs IKARUS Anti Virus 2.16.7. IKARUS AV for Windows uses cleartext HTTP for updates along with a CRC32 checksum…

CVSS: 7.4 CWE: CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') View on NVD
2017-10-18
Medium

CVE-2014-7242

The SumaHo application 3.0.0 and earlier for Android and the SumaHo "driving capability" diagnosis result transmission application 1.2.2 and earlier for Android allow man-in-the-middle attackers to s…

CVSS: 5.9 CWE: CWE-295 - Improper Certificate Validation View on NVD
Medium

CVE-2014-3706

ovirt-engine, as used in Red Hat MRG 3, allows man-in-the-middle attackers to spoof servers by leveraging failure to verify key attributes in vdsm X.509 certificates.

CVSS: 5.9 CWE: CWE-295 - Improper Certificate Validation View on NVD
2017-10-17
High

CVE-2017-3760

The Lenovo Service Framework Android application uses a set of nonsecure credentials when performing integrity verification of downloaded applications and/or data. This exposes the application to man…

CVSS: 8.1 CWE: CWE-354 - Improper Validation of Integrity Check Value View on NVD
High

CVE-2017-3759

The Lenovo Service Framework Android application accepts some responses from the server without proper validation. This exposes the application to man-in-the-middle attacks leading to possible remote…

CVSS: 8.1 CWE: CWE-20 - Improper Input Validation View on NVD
2017-10-16
Medium

CVE-2015-3229

fedora-cloud-atomic.ks in spin-kickstarts allows remote attackers to conduct man-in-the-middle attacks by leveraging use of HTTP to download Fedora Atomic updates.

CVSS: 5.9 CWE: CWE-264 View on NVD
2017-10-13
High

CVE-2017-10624

Insufficient verification of node certificates in Juniper Networks Junos Space may allow a man-in-the-middle type of attacker to make unauthorized modifications to Space database or add nodes. Affect…

CVSS: 7.5 CWE: CWE-345 - Insufficient Verification of Data Authenticity View on NVD
High

CVE-2017-10623

Lack of authentication and authorization of cluster messages in Juniper Networks Junos Space may allow a man-in-the-middle type of attacker to intercept, inject or disrupt Junos Space cluster operati…

CVSS: 7.1 CWE: CWE-287 - Improper Authentication View on NVD
High

CVE-2017-10620

Juniper Networks Junos OS on SRX series devices do not verify the HTTPS server certificate before downloading anti-virus updates. This may allow a man-in-the-middle attacker to inject bogus signature…

CVSS: 7.4 CWE: CWE-295 - Improper Certificate Validation View on NVD
2017-10-12
Medium

CVE-2015-6358

Multiple Cisco embedded devices use hardcoded X.509 certificates and SSH host keys embedded in the firmware, which allows remote attackers to defeat cryptographic protection mechanisms and conduct ma…

CVSS: 5.9 CWE: CWE-295 - Improper Certificate Validation View on NVD
2017-10-10
Medium

CVE-2015-7778

Gurunavi App for iOS before 6.0.0 does not verify SSL certificates which could allow remote attackers to perform man-in-the-middle attacks.

CVSS: 5.9 CWE: CWE-295 - Improper Certificate Validation View on NVD
High

CVE-2015-5639

niconico App for iOS before 6.38 does not verify SSL certificates which could allow remote attackers to execute man-in-the-middle attacks.

CVSS: 7.4 CWE: CWE-295 - Improper Certificate Validation View on NVD
High

CVE-2015-2988

Rakuten card App for iOS 5.2.0 through 5.2.4 does not verify SSL certificates which might allow remote attackers to execute man-in-the-middle attacks.

CVSS: 7.4 CWE: CWE-295 - Improper Certificate Validation View on NVD
2017-10-06
Medium

CVE-2015-1828

The Ruby http gem before 0.7.3 does not verify hostnames in SSL connections, which might allow remote attackers to obtain sensitive information via a man-in-the-middle-attack.

CVSS: 5.9 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
High

CVE-2017-14084

A potential Man-in-the-Middle (MitM) attack vulnerability in Trend Micro OfficeScan 11.0 and XG may allow attackers to execute arbitrary code on vulnerable installations.

CVSS: 8.1 CWE: N/A View on NVD
2017-10-05
Medium

CVE-2017-15042

An unintended cleartext issue exists in Go before 1.8.4 and 1.9.x before 1.9.1. RFC 4954 requires that, during SMTP, the PLAIN auth scheme must only be used on network connections secured with TLS. T…

CVSS: 5.9 CWE: CWE-319 - Cleartext Transmission of Sensitive Information View on NVD
2017-09-30
Medium

CVE-2017-14582

The Zoho Site24x7 Mobile Network Poller application before 1.1.5 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain…

CVSS: 5.9 CWE: CWE-295 - Improper Certificate Validation View on NVD
2017-09-29
Medium

CVE-2017-8444

The client-forwarder in Elastic Cloud Enterprise versions prior to 1.0.2 do not properly encrypt traffic to ZooKeeper. If an attacker is able to man in the middle (MITM) the traffic between the clien…

CVSS: 5.9 CWE: CWE-319 - Cleartext Transmission of Sensitive Information View on NVD
Medium

CVE-2017-12228

A vulnerability in the Cisco Network Plug and Play application of Cisco IOS 12.4 through 15.6 and Cisco IOS XE 3.3 through 16.4 could allow an unauthenticated, remote attacker to gain unauthorized ac…

CVSS: 5.9 CWE: CWE-20 - Improper Input Validation View on NVD
Medium

CVE-2015-1027

The version checking subroutine in percona-toolkit before 2.2.13 and xtrabackup before 2.2.9 was vulnerable to silent HTTP downgrade attacks and Man In The Middle attacks in which the server response…

CVSS: 5.9 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
High

CVE-2014-2029

The automatic version check functionality in the tools in Percona Toolkit 2.1 allows man-in-the-middle attackers to obtain sensitive information or execute arbitrary code by leveraging use of HTTP to…

CVSS: 8.1 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2017-09-26
Medium

CVE-2015-0874

Smartphone Passbook 1.0.0 does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to obtain sensitive information from encrypted communications via a crafted cer…

CVSS: 5.9 CWE: CWE-295 - Improper Certificate Validation View on NVD
2017-09-18
Medium

CVE-2016-10511

The Twitter iOS client versions 6.62 and 6.62.1 fail to validate Twitter's server certificates for the /1.1/help/settings.json configuration endpoint, permitting man-in-the-middle attackers the abili…

CVSS: 5.9 CWE: CWE-295 - Improper Certificate Validation View on NVD
2017-09-13
Medium

CVE-2017-14420

The D-Link NPAPI extension, as used on D-Link DIR-850L REV. A (with firmware through FW114WWb07_h2ab_beta1) and REV. B (with firmware through FW208WWb02) devices, does not verify X.509 certificates f…

CVSS: 5.9 CWE: CWE-295 - Improper Certificate Validation View on NVD
2017-09-06
Medium

CVE-2015-7225

Tinfoil Devise-two-factor before 2.0.0 does not strictly follow section 5.2 of RFC 6238 and does not "burn" a successfully validated one-time password (aka OTP), which allows remote or physically pro…

CVSS: 5.3 CWE: CWE-254 View on NVD
2017-09-01
Medium

CVE-2017-3898

A man-in-the-middle attack vulnerability in the non-certificate-based authentication mechanism in McAfee LiveSafe (MLS) versions prior to 16.0.3 allows network attackers to modify the Windows registr…

CVSS: 5.9 CWE: CWE-20 - Improper Input Validation View on NVD
Medium

CVE-2017-12870

SimpleSAMLphp 1.14.12 and earlier make it easier for man-in-the-middle attackers to obtain sensitive information by leveraging use of the aesEncrypt and aesDecrypt methods in the SimpleSAML/Utils/Cry…

CVSS: 5.9 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2017-08-31
High

CVE-2017-0902

RubyGems version 2.6.12 and earlier is vulnerable to a DNS hijacking vulnerability that allows a MITM attacker to force the RubyGems client to download and install gems from a server that the attacke…

CVSS: 8.1 CWE: CWE-350 - Reliance on Reverse DNS Resolution for a Security-Critical Action View on NVD
Medium

CVE-2016-0713

Gorouter in Cloud Foundry cf-release v141 through v228 allows man-in-the-middle attackers to conduct cross-site scripting (XSS) attacks via vectors related to modified requests.

CVSS: 4.7 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2017-08-30
High

CVE-2017-12735

A vulnerability has been identified in LOGO! 8 BM (incl. SIPLUS variants) (All versions < V8.3). An attacker who performs a Man-in-the-Middle attack between the LOGO! BM and other devices could poten…

CVSS: 7.4 CWE: CWE-300 - Channel Accessible by Non-Endpoint View on NVD
2017-08-29
High

CVE-2015-7255

ZTE OX-330P, ZXHN H108N, W300V1.0.0S_ZRD_TR1_D68, HG110, GAN9.8T101A-B, MF28G, ZXHN H108N use non-unique X.509 certificates and SSH host keys, which might allow remote attackers to obtain credentials…

CVSS: 7.5 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2017-08-28
Medium

CVE-2015-0210

wpa_supplicant 2.0-16 does not properly check certificate subject name, which allows remote attackers to cause a man-in-the-middle attack.

CVSS: 5.9 CWE: CWE-295 - Improper Certificate Validation View on NVD
2017-08-25
High

CVE-2015-3206

The checkPassword function in python-kerberos does not authenticate the KDC it attempts to communicate with, which allows remote attackers to cause a denial of service (bad response), or have other u…

CVSS: 8.1 CWE: CWE-287 - Improper Authentication View on NVD
2017-08-14
Medium

CVE-2016-6029

IBM Emptoris Strategic Supply Management Platform 10.0 and 10.1 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security.…

CVSS: 5.9 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2017-08-09
Medium

CVE-2015-2674

Restkit allows man-in-the-middle attackers to spoof TLS servers by leveraging use of the ssl.wrap_socket function in Python with the default CERT_NONE value for the cert_reqs argument.

CVSS: 5.9 CWE: CWE-295 - Improper Certificate Validation View on NVD
Medium

CVE-2015-5619

Logstash 1.4.x before 1.4.5 and 1.5.x before 1.5.4 with Lumberjack output or the Logstash forwarder does not validate SSL/TLS certificates from the Logstash server, which might allow attackers to obt…

CVSS: 5.9 CWE: CWE-295 - Improper Certificate Validation View on NVD
High

CVE-2017-11506

When linking a Nessus scanner or agent to Tenable.io or other manager, Nessus 6.x before 6.11 does not verify the manager's TLS certificate when making the initial outgoing connection. This could all…

CVSS: 7.4 CWE: CWE-295 - Improper Certificate Validation View on NVD
2017-08-08
High

CVE-2017-9941

A vulnerability was discovered in Siemens SiPass integrated (All versions before V2.70) that could allow an attacker in a Man-in-the-Middle position between the SiPass integrated server and SiPass in…

CVSS: 7.4 CWE: CWE-300 - Channel Accessible by Non-Endpoint View on NVD
High

CVE-2017-6873

A vulnerability was discovered in Siemens OZW672 (all versions) and OZW772 (all versions) that could allow an attacker to read and manipulate data in TLS sessions while performing a man-in-the-middle…

CVSS: 7.4 CWE: CWE-306 - Missing Authentication for Critical Function View on NVD
High

CVE-2017-6870

A vulnerability was discovered in Siemens SIMATIC WinCC Sm@rtClient for Android (All versions before V1.0.2.2). The existing TLS protocol implementation could allow an attacker to read and modify dat…

CVSS: 7.4 CWE: CWE-300 - Channel Accessible by Non-Endpoint View on NVD
2017-08-05
Critical

CVE-2017-9861

An issue was discovered in SMA Solar Technology products. The SIP implementation does not properly use authentication with encryption: it is vulnerable to replay attacks, packet injection attacks, an…

CVSS: 9.8 CWE: CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') View on NVD
High

CVE-2017-9857

An issue was discovered in SMA Solar Technology products. The SMAdata2+ communication protocol does not properly use authentication with encryption: it is vulnerable to man in the middle, packet inje…

CVSS: 8.1 CWE: CWE-287 - Improper Authentication View on NVD
2017-08-03
Medium

CVE-2017-11320

Persistent XSS through the SSID of nearby Wi-Fi devices on Technicolor TC7337 routers 08.89.17.20.00 allows an attacker to cause DNS Poisoning and steal credentials from the router.

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD