CVE Daily
← All tags

Tag: Mitm

All CVEs associated with "Mitm". Page 14/32 • 3811 CVEs.

Subscribe CVEs: RSS for “Mitm”  ·  RSS (High+Critical only)

About “Mitm”

A curated feed of “Mitm”-related CVEs appears below. We currently track 3811 CVEs for this tag (all time). In the last 365 days, 220 were published. Average CVSS is 6.1 (all time; 6.6 over 365d), and 25% are rated High/Critical (all time). Top CWEs (last 365 days): CWE-295 - Improper Certificate Validation, CWE-319 - Cleartext Transmission of Sensitive Information, CWE-297 - Improper Validation of Certificate with Host Mismatch.

In our taxonomy this topic maps to a MODERATE impact class. Common exploitation patterns for this weakness can lead to moderate. Use the filters to triage high risk first and validate exposure in your environment. Use the filters below to sort by CVSS, risk and CWE. Each detail page highlights vendor advisories and mitigation tips.

CVEs tagged with this topic. Filters apply to the whole list (loaded from JSON).

CVSS ≥ 0.0
2017-04-04
High

CVE-2017-3204

The Go SSH library (x/crypto/ssh) by default does not verify host keys, facilitating man-in-the-middle attacks. Default behavior changed in commit e4e2799 to require explicitly registering a hostkey…

CVSS: 8.1 CWE: CWE-310 View on NVD
2017-04-02
High

CVE-2016-8273

Huawei PC client software HiSuite 4.0.5.300_OVE uses insecure HTTP for upgrade software package download and does not check the integrity of the software package before installing; an attacker can la…

CVSS: 7.8 CWE: CWE-20 - Improper Input Validation View on NVD
Medium

CVE-2017-2448

An issue was discovered in certain Apple products. iOS before 10.3 is affected. macOS before 10.12.4 is affected. tvOS before 10.2 is affected. The issue involves the "Keychain" component. It allows…

CVSS: 5.9 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
Medium

CVE-2017-2412

An issue was discovered in certain Apple products. iOS before 10.3 is affected. The issue involves the "iTunes Store" component. It allows man-in-the-middle attackers to modify the client-server data…

CVSS: 5.9 CWE: CWE-319 - Cleartext Transmission of Sensitive Information View on NVD
Low

CVE-2017-2383

An issue was discovered in certain Apple products. iCloud before 6.2 on Windows is affected. iTunes before 12.6 on Windows is affected. The issue involves cleartext client-certificate transmission in…

CVSS: 3.1 CWE: N/A View on NVD
2017-03-30
High

CVE-2017-7323

The (1) update and (2) package-installation features in MODX Revolution 2.5.4-pl and earlier use http://rest.modx.com by default, which allows man-in-the-middle attackers to spoof servers and trigger…

CVSS: 8.1 CWE: N/A View on NVD
High

CVE-2017-7322

The (1) update and (2) package-installation features in MODX Revolution 2.5.4-pl and earlier do not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof serve…

CVSS: 8.1 CWE: CWE-295 - Improper Certificate Validation View on NVD
2017-03-27
Medium

CVE-2017-1143

IBM Kenexa LCMS Premier on Cloud 9.x and 10.0 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security. An attacker could…

CVSS: 5.3 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
High

CVE-2017-5239

Due to a lack of standard encryption when transmitting sensitive information over the internet to a centralized monitoring service, the Eview EV-07S GPS Tracker discloses personally identifying infor…

CVSS: 7.5 CWE: CWE-326 - Inadequate Encryption Strength View on NVD
High

CVE-2015-0864

Samsung Account (AKA com.osp.app.signin) before 1.6.0069 and 2.x before 2.1.0069 allows man-in-the-middle attackers to obtain sensitive information and execute arbitrary code.

CVSS: 8.0 CWE: CWE-264 View on NVD
High

CVE-2015-0863

GALAXY Apps (aka Samsung Apps, Samsung Updates, or com.sec.android.app.samsungapps) before 14120405.03.012 allows man-in-the-middle attackers to obtain sensitive information and execute arbitrary cod…

CVSS: 8.0 CWE: CWE-264 View on NVD
2017-03-24
Medium

CVE-2016-10130

The http_connect function in transports/http.c in libgit2 before 0.24.6 and 0.25.x before 0.25.1 might allow man-in-the-middle attackers to spoof servers by leveraging clobbering of the error variabl…

CVSS: 5.9 CWE: CWE-284 - Improper Access Control View on NVD
2017-03-23
Low

CVE-2015-4078

Cloudera Navigator 2.2.x before 2.2.4 and 2.3.x before 2.3.3 include support for SSLv3 when configured to use SSL/TLS, which makes it easier for man-in-the-middle attackers to obtain cleartext data v…

CVSS: 3.1 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2017-03-21
High

CVE-2016-6650

EMC RecoverPoint versions prior to 5.0 and EMC RecoverPoint for Virtual Machines versions prior to 5.0 have an SSL Stripping Vulnerability that may potentially be exploited by malicious users to comp…

CVSS: 7.5 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2017-03-20
High

CVE-2016-4927

Insufficient validation of SSH keys in Junos Space before 15.2R2 allows man-in-the-middle (MITM) type of attacks while a Space device is communicating with managed devices.

CVSS: 8.1 CWE: CWE-20 - Improper Input Validation View on NVD
2017-03-15
High

CVE-2017-3854

A vulnerability in the mesh code of Cisco Wireless LAN Controller (WLC) software could allow an unauthenticated, remote attacker to impersonate a WLC in a meshed topology. The vulnerability is due to…

CVSS: 8.8 CWE: CWE-287 - Improper Authentication View on NVD
2017-03-14
Medium

CVE-2015-8987

Man-in-the-middle (MitM) attack vulnerability in non-Mac OS agents in McAfee (now Intel Security) Agent (MA) 4.8.0 patch 2 and earlier allows attackers to make a McAfee Agent talk with another, possi…

CVSS: 5.3 CWE: CWE-284 - Improper Access Control View on NVD
2017-03-11
High

CVE-2017-6466

F-Secure Software Updater 2.20, as distributed in several F-Secure products, downloads installation packages over plain http and does not perform file integrity validation after download. Man-in-the-…

CVSS: 8.1 CWE: CWE-20 - Improper Input Validation View on NVD
2017-03-09
High

CVE-2017-6432

An issue was discovered on Dahua DHI-HCVR7216A-S3 3.210.0001.10 build 2016-06-06 devices. The Dahua DVR Protocol, which operates on TCP Port 37777, is an unencrypted, binary protocol. Performing a Ma…

CVSS: 8.1 CWE: CWE-319 - Cleartext Transmission of Sensitive Information View on NVD
2017-03-05
High

CVE-2017-6445

The auto-update feature of Open Embedded Linux Entertainment Center (OpenELEC) 6.0.3, 7.0.1, and 8.0.4 uses neither encrypted connections nor signed updates. A man-in-the-middle attacker could manipu…

CVSS: 8.1 CWE: CWE-311 - Missing Encryption of Sensitive Data View on NVD
2017-03-02
Medium

CVE-2016-9892

The esets_daemon service in ESET Endpoint Antivirus for macOS before 6.4.168.0 and Endpoint Security for macOS before 6.4.168.0 does not properly verify X.509 certificates from the edf.eset.com SSL s…

CVSS: 5.9 CWE: CWE-295 - Improper Certificate Validation View on NVD
2017-03-01
High

CVE-2017-2685

Siemens SINUMERIK Integrate Operate Clients between 2.0.3.00.016 (including) and 2.0.6 (excluding) and between 3.0.4.00.032 (including) and 3.0.6 (excluding) contain a vulnerability that could allow…

CVSS: 7.4 CWE: CWE-693 - Protection Mechanism Failure View on NVD
2017-02-27
Medium

CVE-2017-6297

The L2TP Client in MikroTik RouterOS versions 6.83.3 and 6.37.4 does not enable IPsec encryption after a reboot, which allows man-in-the-middle attackers to view transmitted data unencrypted and gain…

CVSS: 5.9 CWE: CWE-311 - Missing Encryption of Sensitive Data View on NVD
2017-02-22
Medium

CVE-2016-3052

Under non-standard configurations, IBM WebSphere MQ might send password data in clear text over the network. This data could be intercepted using man in the middle techniques.

CVSS: 5.9 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2017-02-20
Medium

CVE-2016-7636

An issue was discovered in certain Apple products. iOS before 10.2 is affected. macOS before 10.12.2 is affected. watchOS before 3.1.3 is affected. The issue involves the "Security" component, which…

CVSS: 5.9 CWE: CWE-20 - Improper Input Validation View on NVD
Medium

CVE-2016-7579

An issue was discovered in certain Apple products. iOS before 10.1 is affected. macOS before 10.12.1 is affected. tvOS before 10.0.1 is affected. The issue involves the "CFNetwork Proxies" component,…

CVSS: 5.9 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
Medium

CVE-2016-4721

An issue was discovered in certain Apple products. iOS before 10.1 is affected. macOS before 10.12.1 is affected. The issue involves the "IDS - Connectivity" component, which allows man-in-the-middle…

CVSS: 5.9 CWE: CWE-254 View on NVD
2017-02-13
High

CVE-2017-5149

An issue was discovered in St. Jude Medical Merlin@home, versions prior to Version 8.2.2 (RF models: EX1150; Inductive models: EX1100; and Inductive models: EX1100 with MerlinOnDemand capability). Th…

CVSS: 8.9 CWE: CWE-476 - NULL Pointer Dereference View on NVD
High

CVE-2016-8358

An issue was discovered in Smiths-Medical CADD-Solis Medication Safety Software, Version 1.0; 2.0; 3.0; and 3.1. The affected software does not verify the identities at communication endpoints, which…

CVSS: 8.5 CWE: CWE-346 - Origin Validation Error View on NVD
High

CVE-2016-8495

An improper certificate validation vulnerability in Fortinet FortiManager 5.0.6 through 5.2.7 and 5.4.0 through 5.4.1 allows remote attacker to spoof a trusted entity by using a man-in-the-middle (MI…

CVSS: 7.4 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2017-02-08
Medium

CVE-2016-5900

IBM Tealeaf Customer Experience on Cloud Network Capture Add-On could allow a remote attacker to obtain sensitive information, caused by the failure to properly validate the TLS certificate. An attac…

CVSS: 5.9 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2017-02-07
Critical

CVE-2016-5711

NetApp Virtual Storage Console for VMware vSphere before 6.2.1 uses a non-unique certificate, which allows remote attackers to conduct man-in-the-middle attacks via unspecified vectors.

CVSS: 9.8 CWE: N/A View on NVD
High

CVE-2016-3180

Tor Browser Launcher (aka torbrowser-launcher) before 0.2.4, during the initial run, allows man-in-the-middle attackers to bypass the PGP signature verification and execute arbitrary code via a Troja…

CVSS: 8.1 CWE: CWE-254 View on NVD
2017-02-02
Medium

CVE-2016-6116

IBM Tivoli Key Lifecycle Manager 2.5 and 2.6 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security. An attacker could…

CVSS: 5.9 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
Medium

CVE-2016-5935

IBM Jazz for Service Management could allow a remote attacker to obtain sensitive information, caused by the failure to properly validate the SSL certificate. An attacker could exploit this vulnerabi…

CVSS: 5.9 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2017-02-01
Medium

CVE-2016-8966

IBM BigFix Inventory v9 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security. An attacker could exploit this vulnerab…

CVSS: 5.9 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
Medium

CVE-2016-5966

IBM Security Privileged Identity Manager Virtual Appliance could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security. An a…

CVSS: 5.9 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
Medium

CVE-2016-3043

IBM Security Access Manager for Web could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security. An attacker could exploit t…

CVSS: 5.9 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
Low

CVE-2016-0297

IBM Tivoli Endpoint Manager - Mobile Device Management (MDM) could allow a remote attacker to obtain sensitive information due to a missing HTTP Strict-Transport-Security Header through man in the mi…

CVSS: 3.7 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2017-01-31
Medium

CVE-2016-5117

OpenNTPD before 6.0p1 does not validate the CN for HTTPS constraint requests, which allows remote attackers to bypass the man-in-the-middle mitigations via a crafted timestamp constraint with a valid…

CVSS: 5.9 CWE: CWE-254 View on NVD
2017-01-30
Medium

CVE-2016-2402

OkHttp before 2.7.4 and 3.x before 3.1.2 allows man-in-the-middle attackers to bypass certificate pinning by sending a certificate chain with a certificate from a non-pinned trusted CA and the pinned…

CVSS: 5.9 CWE: CWE-295 - Improper Certificate Validation View on NVD
Medium

CVE-2015-7973

NTP before 4.2.8p6 and 4.3.x before 4.3.90, when configured in broadcast mode, allows man-in-the-middle attackers to conduct replay attacks by sniffing the network.

CVSS: 6.5 CWE: CWE-254 View on NVD
2017-01-27
Medium

CVE-2016-1920

Samsung KNOX 1.0.0 uses the shared certificate on Android, which allows local users to conduct man-in-the-middle attacks as demonstrated by installing a certificate and running a VPN service.

CVSS: 5.5 CWE: CWE-284 - Improper Access Control View on NVD
2017-01-23
High

CVE-2016-5119

The automatic update feature in KeePass 2.33 and earlier allows man-in-the-middle attackers to execute arbitrary code by spoofing the version check response and supplying a crafted update.

CVSS: 7.5 CWE: CWE-20 - Improper Input Validation View on NVD
2017-01-20
Medium

CVE-2014-9754

The hardware VPN client in Viprinet MultichannelVPN Router 300 version 2013070830/2013080900 does not validate the remote VPN endpoint identity (through the checking of the endpoint's SSL key) before…

CVSS: 5.9 CWE: CWE-20 - Improper Input Validation View on NVD
2017-01-18
High

CVE-2016-6271

The Bzrtp library (aka libbzrtp) 1.0.x before 1.0.4 allows man-in-the-middle attackers to conduct spoofing attacks by leveraging a missing HVI check on DHPart2 packet reception.

CVSS: 7.5 CWE: CWE-254 View on NVD
2017-01-13
High

CVE-2016-10138

An issue was discovered on BLU Advance 5.0 and BLU R1 HD devices with Shanghai Adups software. The com.adups.fota.sysoper app is installed as a system app and cannot be disabled by the user. In the c…

CVSS: 7.8 CWE: CWE-310 View on NVD
2017-01-12
Medium

CVE-2016-10027

Race condition in the XMPP library in Smack before 4.1.9, when the SecurityMode.required TLS setting has been set, allows man-in-the-middle attackers to bypass TLS protections and trigger use of clea…

CVSS: 5.9 CWE: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') View on NVD
2017-01-11
Low

CVE-2016-9015

Versions 1.17 and 1.18 of the Python urllib3 library suffer from a vulnerability that can cause them, in certain configurations, to not correctly validate TLS certificates. This places users of the l…

CVSS: 3.7 CWE: CWE-295 - Improper Certificate Validation View on NVD
2017-01-09
High

CVE-2016-10125

D-Link DGS-1100 devices with Rev.B firmware 1.01.018 have a hardcoded SSL private key, which allows man-in-the-middle attackers to spoof devices by hijacking an HTTPS session.

CVSS: 8.1 CWE: CWE-798 - Use of Hard-coded Credentials View on NVD
2017-01-06
Medium

CVE-2016-2372

An information leak exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT data sent via the server could potentially result in an out-of-bounds read. A malicious user, server,…

CVSS: 5.9 CWE: CWE-125 - Out-of-bounds Read View on NVD
Medium

CVE-2016-2370

A denial of service vulnerability exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT data sent from the server could potentially result in an out-of-bounds read. A maliciou…

CVSS: 5.9 CWE: CWE-125 - Out-of-bounds Read View on NVD
Medium

CVE-2016-2367

An information leak exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT data sent via the server could potentially result in an out-of-bounds read. A malicious user, server,…

CVSS: 5.9 CWE: CWE-125 - Out-of-bounds Read View on NVD
2016-12-06
Medium

CVE-2016-5341

The GPS component in Android before 2016-12-05 allows man-in-the-middle attackers to cause a denial of service (GPS signal-acquisition delay) via an incorrect xtra.bin or xtra2.bin file on a spoofed…

CVSS: 5.9 CWE: CWE-284 - Improper Access Control View on NVD
2016-11-25
Medium

CVE-2016-6709

An information disclosure vulnerability in Conscrypt and BoringSSL in Android 6.x before 2016-11-01 and 7.0 before 2016-11-01 could enable a man-in-the-middle attacker to gain access to sensitive inf…

CVSS: 5.9 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2016-11-03
High

CVE-2015-8968

git-fastclone before 1.0.1 permits arbitrary shell command execution from .gitmodules. If an attacker can instruct a user to run a recursive clone from a repository they control, they can get a clien…

CVSS: 8.8 CWE: CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection') View on NVD
2016-10-25
Low

CVE-2016-1000033

Shotwell version 0.22.0 (and possibly other versions) is vulnerable to a TLS/SSL certification validation flaw resulting in a potential for man in the middle attacks.

CVSS: 3.7 CWE: CWE-295 - Improper Certificate Validation View on NVD
2016-10-10
Medium

CVE-2016-7099

The tls.checkServerIdentity function in Node.js 0.10.x before 0.10.47, 0.12.x before 0.12.16, 4.x before 4.6.0, and 6.x before 6.7.0 does not properly handle wildcards in name fields of X.509 certifi…

CVSS: 5.9 CWE: CWE-19 View on NVD
Medium

CVE-2016-5348

The GPS component in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, 6.x before 2016-10-01, and 7.0 before 2016-10-01 allows man-in-the-middle attackers to cause a denial of service…

CVSS: 5.9 CWE: CWE-399 View on NVD
2016-10-06
Medium

CVE-2016-6026

The Configuration Manager in IBM Sterling Secure Proxy (SSP) 3.4.2 before 3.4.2.0 iFix 8 and 3.4.3 before 3.4.3.0 iFix 1 allows man-in-the-middle attackers to obtain sensitive information via an HTTP…

CVSS: 5.3 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2016-10-05
Medium

CVE-2016-6550

The U by BB&T app 1.5.4 and earlier for iOS does not properly verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information vi…

CVSS: 5.4 CWE: CWE-310 View on NVD
2016-09-26
Low

CVE-2016-0248

IBM Security Guardium 9.0 before p700 and 10.0 before p100 allows man-in-the-middle attackers to obtain sensitive query-string information from SSL sessions via unspecified vectors.

CVSS: 3.7 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2016-09-25
Medium

CVE-2016-4763

WKWebView in WebKit in Apple iOS before 10, iTunes before 12.5.1 on Windows, and Safari before 10 does not properly verify X.509 certificates from HTTPS servers, which allows man-in-the-middle attack…

CVSS: 6.8 CWE: CWE-310 View on NVD
Medium

CVE-2016-4722

The IDS - Connectivity component in Apple iOS before 10 and OS X before 10.12 allows man-in-the-middle attackers to conduct Call Relay spoofing attacks and cause a denial of service via unspecified v…

CVSS: 5.9 CWE: CWE-20 - Improper Input Validation View on NVD
2016-09-24
Medium

CVE-2016-6412

The Cisco Application-hosting Framework (CAF) component in Cisco IOS 15.6(1)T1 and IOS XE, when the IOx feature set is enabled, allows man-in-the-middle attackers to trigger arbitrary downloads via c…

CVSS: 6.5 CWE: CWE-20 - Improper Input Validation View on NVD
2016-09-22
High

CVE-2016-5284

Mozilla Firefox before 49.0, Firefox ESR 45.x before 45.4, and Thunderbird < 45.4 rely on unintended expiration dates for Preloaded Public Key Pinning, which allows man-in-the-middle attackers to spo…

CVSS: 7.4 CWE: CWE-20 - Improper Input Validation View on NVD
2016-09-21
High

CVE-2015-8960

The TLS protocol 1.2 and earlier supports the rsa_fixed_dh, dss_fixed_dh, rsa_fixed_ecdh, and ecdsa_fixed_ecdh values for ClientCertificateType but does not directly document the ability to compute t…

CVSS: 8.1 CWE: CWE-295 - Improper Certificate Validation View on NVD
2016-09-18
Low

CVE-2016-4747

Mail in Apple iOS before 10 mishandles certificates, which makes it easier for man-in-the-middle attackers to discover mail credentials via unspecified vectors.

CVSS: 3.7 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
Medium

CVE-2016-4741

The Assets component in Apple iOS before 10 allows man-in-the-middle attackers to block software updates via vectors related to lack of an HTTPS session for retrieving updates.

CVSS: 5.9 CWE: CWE-254 View on NVD
2016-09-02
Medium

CVE-2016-0772

The smtplib library in CPython (aka Python) before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 does not return an error when StartTLS fails, which might allow man-in-the-middle attackers to bypa…

CVSS: 6.5 CWE: CWE-693 - Protection Mechanism Failure View on NVD
2016-08-25
Medium

CVE-2016-6231

Kaspersky Safe Browser iOS before 1.7.0 does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to obtain sensitive information via a crafted certificate.

CVSS: 5.9 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2016-08-09
High

CVE-2016-3237

Kerberos in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607 allows ma…

CVSS: 7.5 CWE: CWE-264 View on NVD
2016-08-08
Low

CVE-2016-0266

IBM AIX 5.3, 6.1, 7.1, and 7.2 and VIOS 2.2.x do not default to the latest TLS version, which makes it easier for man-in-the-middle attackers to obtain sensitive information via unspecified vectors.

CVSS: 3.7 CWE: CWE-254 View on NVD
2016-08-03
Critical

CVE-2016-5669

Crestron Electronics DM-TXRX-100-STR devices with firmware before 1.3039.00040 use a hardcoded 0xb9eed4d955a59eb3 X.509 certificate from an OpenSSL Test Certification Authority, which makes it easier…

CVSS: 9.8 CWE: N/A View on NVD
2016-08-01
High

CVE-2016-5672

Intel Crosswalk before 19.49.514.5, 20.x before 20.50.533.11, 21.x before 21.51.546.0, and 22.x before 22.51.549.0 interprets a user's acceptance of one invalid X.509 certificate to mean that all inv…

CVSS: 8.1 CWE: CWE-20 - Improper Input Validation View on NVD
2016-07-23
Medium

CVE-2016-5133

Google Chrome before 52.0.2743.82 mishandles origin information during proxy authentication, which allows man-in-the-middle attackers to spoof a proxy-authentication login prompt or trigger incorrect…

CVSS: 5.3 CWE: CWE-287 - Improper Authentication View on NVD
2016-07-22
Medium

CVE-2016-4635

FaceTime in Apple iOS before 9.3.3 and OS X before 10.11.6 allows man-in-the-middle attackers to spoof relayed-call termination, and obtain sensitive audio information in opportunistic circumstances,…

CVSS: 5.3 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2016-07-19
Medium

CVE-2016-5655

Misys FusionCapital Opics Plus does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to obtain sensitive information via a crafted certificate.

CVSS: 5.9 CWE: N/A View on NVD
High

CVE-2016-5654

Misys FusionCapital Opics Plus allows remote authenticated users to gain privileges via a man-in-the-middle attack that modifies the xmlMessageOut parameter.

CVSS: 7.5 CWE: CWE-264 View on NVD
2016-07-13
High

CVE-2016-3238

The Print Spooler service in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, and Windows 10 Gold and 1511…

CVSS: 8.1 CWE: CWE-254 View on NVD
2016-07-07
High

CVE-2016-2119

libcli/smb/smbXcli_base.c in Samba 4.x before 4.2.14, 4.3.x before 4.3.11, and 4.4.x before 4.4.5 allows man-in-the-middle attackers to bypass a client-signing protection mechanism, and consequently…

CVSS: 7.5 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
2016-06-19
Medium

CVE-2016-4811

The NTT Broadband Platform Japan Connected-free Wi-Fi application 1.15.1 and earlier for Android and 1.13.0 and earlier for iOS allows man-in-the-middle attackers to obtain API access via unspecified…

CVSS: 5.6 CWE: CWE-284 - Improper Access Control View on NVD
2016-06-16
High

CVE-2016-3223

Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, and Windows 10 Gold and 1511 mishandle LDAP authenticatio…

CVSS: 8.1 CWE: CWE-264 View on NVD
2016-06-13
High

CVE-2016-3698

libndp before 1.6, as used in NetworkManager, does not properly validate the origin of Neighbor Discovery Protocol (NDP) messages, which allows remote attackers to conduct man-in-the-middle attacks o…

CVSS: 8.1 CWE: CWE-284 - Improper Access Control View on NVD
2016-06-07
Medium

CVE-2013-7440

The ssl.match_hostname function in CPython (aka Python) before 2.7.9 and 3.x before 3.3.3 does not properly handle wildcards in hostnames, which might allow man-in-the-middle attackers to spoof serve…

CVSS: 5.9 CWE: CWE-19 View on NVD
2016-06-05
Medium

CVE-2016-1693

browser/safe_browsing/srt_field_trial_win.cc in Google Chrome before 51.0.2704.63 does not use the HTTPS service on dl.google.com to obtain the Software Removal Tool, which allows remote attackers to…

CVSS: 5.3 CWE: CWE-284 - Improper Access Control View on NVD
2016-06-03
High

CVE-2016-3944

UpdateAgent in Lenovo Accelerator Application allows man-in-the-middle attackers to execute arbitrary code by spoofing an update response from susapi.lenovomm.com.

CVSS: 7.5 CWE: CWE-20 - Improper Input Validation View on NVD
2016-05-30
Medium

CVE-2016-0907

EMC Isilon OneFS 7.1.x and 7.2.x before 7.2.1.3 and 8.0.x before 8.0.0.1, and IsilonSD Edge OneFS 8.0.x before 8.0.0.1, does not require SMB signing within a DCERPC session over ncacn_np, which allow…

CVSS: 5.9 CWE: CWE-254 View on NVD
2016-05-23
High

CVE-2016-3664

Trend Micro Mobile Security for iOS before 3.2.1188 does not verify the X.509 certificate of the mobile application login server, which allows man-in-the-middle attackers to spoof this server and obt…

CVSS: 7.4 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2016-05-17
Medium

CVE-2016-3725

Jenkins before 2.3 and LTS before 1.651.2 allows remote authenticated users to trigger updating of update site metadata by leveraging a missing permissions check. NOTE: this issue can be combined wit…

CVSS: 4.3 CWE: CWE-264 View on NVD
Medium

CVE-2016-0306

IBM WebSphere Application Server (WAS) 7.0 before 7.0.0.41, 8.0 before 8.0.0.13, and 8.5 before 8.5.5.10, when FIPS 140-2 is enabled, misconfigures TLS, which allows man-in-the-middle attackers to ob…

CVSS: 5.9 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2016-05-16
Medium

CVE-2015-8838

ext/mysqlnd/mysqlnd.c in PHP before 5.4.43, 5.5.x before 5.5.27, and 5.6.x before 5.6.11 uses a client SSL option to mean that SSL is optional, which allows man-in-the-middle attackers to spoof serve…

CVSS: 5.9 CWE: CWE-284 - Improper Access Control View on NVD
Medium

CVE-2015-3152

Oracle MySQL before 5.7.3, Oracle MySQL Connector/C (aka libmysqlclient) before 6.1.3, and MariaDB before 5.5.44 use the --ssl option to mean that SSL is optional, which allows man-in-the-middle atta…

CVSS: 5.9 CWE: CWE-295 - Improper Certificate Validation View on NVD
2016-05-11
Medium

CVE-2016-1115

Adobe ColdFusion 10 before Update 19, 11 before Update 8, and 2016 before Update 1 mishandles wildcards in name fields of X.509 certificates, which might allow man-in-the-middle attackers to spoof se…

CVSS: 5.9 CWE: CWE-20 - Improper Input Validation View on NVD
Medium

CVE-2016-0149

Microsoft .NET Framework 2.0 SP2, 3.0 SP2, 3.5, 3.5.1, 4.5.2, 4.6, and 4.6.1 allows man-in-the-middle attackers to obtain sensitive cleartext information via vectors involving injection of cleartext…

CVSS: 5.9 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2016-04-25
High

CVE-2016-2346

Allround Automations PL/SQL Developer 11 before 11.0.6 relies on unverified HTTP data for updates, which allows man-in-the-middle attackers to execute arbitrary code by modifying fields in the client…

CVSS: 8.1 CWE: CWE-345 - Insufficient Verification of Data Authenticity View on NVD
Medium

CVE-2016-2115

Samba 3.x and 4.x before 4.2.11, 4.3.x before 4.3.8, and 4.4.x before 4.4.2 does not require SMB signing within a DCERPC session over ncacn_np, which allows man-in-the-middle attackers to spoof SMB c…

CVSS: 5.9 CWE: CWE-254 View on NVD
Medium

CVE-2016-2114

The SMB1 protocol implementation in Samba 4.x before 4.2.11, 4.3.x before 4.3.8, and 4.4.x before 4.4.2 does not recognize the "server signing = mandatory" setting, which allows man-in-the-middle att…

CVSS: 5.9 CWE: CWE-254 View on NVD
High

CVE-2016-2113

Samba 4.x before 4.2.11, 4.3.x before 4.3.8, and 4.4.x before 4.4.2 does not verify X.509 certificates from TLS servers, which allows man-in-the-middle attackers to spoof LDAPS and HTTPS servers and…

CVSS: 7.4 CWE: CWE-310 View on NVD
Medium

CVE-2016-2112

The bundled LDAP client library in Samba 3.x and 4.x before 4.2.11, 4.3.x before 4.3.8, and 4.4.x before 4.4.2 does not recognize the "client ldap sasl wrapping" setting, which allows man-in-the-midd…

CVSS: 5.9 CWE: CWE-254 View on NVD
Medium

CVE-2016-2110

The NTLMSSP authentication implementation in Samba 3.x and 4.x before 4.2.11, 4.3.x before 4.3.8, and 4.4.x before 4.4.2 allows man-in-the-middle attackers to perform protocol-downgrade attacks by mo…

CVSS: 5.9 CWE: CWE-254 View on NVD
2016-04-21
Medium

CVE-2013-7449

The ssl_do_connect function in common/server.c in HexChat before 2.10.2, XChat, and XChat-GNOME does not verify that the server hostname matches a domain name in the X.509 certificate, which allows m…

CVSS: 6.5 CWE: CWE-310 View on NVD
2016-04-13
Medium

CVE-2016-0787

The diffie_hellman_sha256 function in kex.c in libssh2 before 1.7.0 improperly truncates secrets to 128 or 256 bits, which makes it easier for man-in-the-middle attackers to decrypt or intercept SSH…

CVSS: 5.9 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
Medium

CVE-2016-0739

libssh before 0.7.3 improperly truncates ephemeral secrets generated for the (1) diffie-hellman-group1 and (2) diffie-hellman-group14 key exchange methods to 128 bits, which makes it easier for man-i…

CVSS: 5.9 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2016-04-12
High

CVE-2016-2118

The MS-SAMR and MS-LSAD protocol implementations in Samba 3.x and 4.x before 4.2.11, 4.3.x before 4.3.8, and 4.4.x before 4.4.2 mishandle DCERPC connections, which allows man-in-the-middle attackers…

CVSS: 7.5 CWE: CWE-254 View on NVD
Medium

CVE-2016-0128

The SAM and LSAD protocol implementations in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, and Windows…

CVSS: 6.8 CWE: CWE-254 View on NVD
Medium

CVE-2016-2166

The (1) proton.reactor.Connector, (2) proton.reactor.Container, and (3) proton.utils.BlockingConnection classes in Apache Qpid Proton before 0.12.1 improperly use an unencrypted connection for an amq…

CVSS: 6.5 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
High

CVE-2016-1866

Salt 2015.8.x before 2015.8.4 does not properly handle clear messages on the minion, which allows man-in-the-middle attackers to execute arbitrary code by inserting packets into the minion-master dat…

CVSS: 8.1 CWE: CWE-284 - Improper Access Control View on NVD
2016-04-11
Medium

CVE-2016-3676

Huawei E3276s USB modems with software before E3276s-150TCPU-V200R002B436D09SP00C00 allow man-in-the-middle attackers to intercept, spoof, or modify network traffic via unspecified vectors related to…

CVSS: 6.4 CWE: CWE-254 View on NVD
2016-04-07
Medium

CVE-2015-2774

Erlang/OTP before 18.0-rc1 does not properly check CBC padding bytes when terminating connections, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle…

CVSS: 5.9 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
Medium

CVE-2016-1563

NetApp Clustered Data ONTAP 8.3.1 does not properly verify X.509 certificates from TLS servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafte…

CVSS: 6.8 CWE: CWE-20 - Improper Input Validation View on NVD
2016-03-14
Medium

CVE-2016-1731

Apple Software Update before 2.2 on Windows does not use HTTPS, which makes it easier for man-in-the-middle attackers to spoof updates by modifying the client-server data stream.

CVSS: 5.9 CWE: CWE-310 View on NVD
2016-03-12
Medium

CVE-2016-0818

The caching functionality in the TrustManagerImpl class in TrustManagerImpl.java in Conscrypt in Android 4.x before 4.4.4, 5.x before 5.1.1 LMY49H, and 6.x before 2016-03-01 mishandles the distinctio…

CVSS: 5.9 CWE: CWE-254 View on NVD
2016-03-02
Medium

CVE-2016-0703

The get_client_master_key function in s2_srvr.c in the SSLv2 implementation in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a accepts a nonzero CLIENT-MASTE…

CVSS: 5.9 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2016-03-01
Medium

CVE-2016-2562

The checkHTTP function in libraries/Config.class.php in phpMyAdmin 4.5.x before 4.5.5.1 does not verify X.509 certificates from api.github.com SSL servers, which allows man-in-the-middle attackers to…

CVSS: 6.8 CWE: CWE-20 - Improper Input Validation View on NVD
2016-02-15
Medium

CVE-2015-3197

ssl/s2_srvr.c in OpenSSL 1.0.1 before 1.0.1r and 1.0.2 before 1.0.2f does not prevent use of disabled ciphers, which makes it easier for man-in-the-middle attackers to defeat cryptographic protection…

CVSS: 5.9 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2016-02-08
Medium

CVE-2016-2268

Dell SecureWorks app before 2.1 for iOS does not validate SSL certificates, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVSS: 6.8 CWE: CWE-310 View on NVD
2016-02-03
High

CVE-2015-7539

The Plugins Manager in Jenkins before 1.640 and LTS before 1.625.2 does not verify checksums for plugin files referenced in update site data, which makes it easier for man-in-the-middle attackers to…

CVSS: 7.5 CWE: CWE-345 - Insufficient Verification of Data Authenticity View on NVD
2016-01-31
Medium

CVE-2016-1948

Mozilla Firefox before 44.0 on Android does not ensure that HTTPS is used for a lightweight-theme installation, which allows man-in-the-middle attackers to replace a theme's images and colors by modi…

CVSS: 5.3 CWE: CWE-310 View on NVD
2016-01-30
Critical

CVE-2015-7923

Westermo WeOS before 4.19.0 uses the same SSL private key across different customers' installations, which makes it easier for man-in-the-middle attackers to defeat cryptographic protection mechanism…

CVSS: 9.0 CWE: CWE-310 View on NVD