CVE Daily
← All tags

Tag: Mitm

All CVEs associated with "Mitm". Page 15/32 • 3811 CVEs.

Subscribe CVEs: RSS for “Mitm”  ·  RSS (High+Critical only)

About “Mitm”

A curated feed of “Mitm”-related CVEs appears below. We currently track 3811 CVEs for this tag (all time). In the last 365 days, 220 were published. Average CVSS is 6.1 (all time; 6.6 over 365d), and 25% are rated High/Critical (all time). Top CWEs (last 365 days): CWE-295 - Improper Certificate Validation, CWE-319 - Cleartext Transmission of Sensitive Information, CWE-297 - Improper Validation of Certificate with Host Mismatch.

In our taxonomy this topic maps to a MODERATE impact class. Common exploitation patterns for this weakness can lead to moderate. Use the filters to triage high risk first and validate exposure in your environment. Use the filters below to sort by CVSS, risk and CWE. Each detail page highlights vendor advisories and mitigation tips.

CVEs tagged with this topic. Filters apply to the whole list (loaded from JSON).

CVSS ≥ 0.0
2016-01-29
High

CVE-2016-1493

Intel Driver Update Utility before 2.4 retrieves driver updates in cleartext, which makes it easier for man-in-the-middle attackers to execute arbitrary code via a crafted file.

CVSS: 7.5 CWE: CWE-345 - Insufficient Verification of Data Authenticity View on NVD
2016-01-27
Medium

CVE-2016-2047

The ssl_verify_server_cert function in sql-common/client.c in MariaDB before 5.5.47, 10.0.x before 10.0.23, and 10.1.x before 10.1.10; Oracle MySQL 5.5.48 and earlier, 5.6.29 and earlier, and 5.7.11…

CVSS: 5.9 CWE: CWE-254 View on NVD
2016-01-26
High

CVE-2016-1489

Lenovo SHAREit before 3.2.0 for Windows and SHAREit before 3.5.48_ww for Android transfer files in cleartext, which allows remote attackers to (1) obtain sensitive information by sniffing the network…

CVSS: 8.0 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2016-01-17
High

CVE-2015-7470

Report Builder in IBM Jazz Reporting Service (JRS) 5.x before 5.0.2-Rational-CLM-ifix011 and 6.0 before 6.0.0-Rational-CLM-ifix005 allows man-in-the-middle attackers to obtain sensitive information v…

CVSS: 7.5 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2016-01-09
Medium

CVE-2015-7575

Mozilla Network Security Services (NSS) before 3.20.2, as used in Mozilla Firefox before 43.0.2 and Firefox ESR 38.x before 38.5.2, does not reject MD5 signatures in Server Key Exchange messages in T…

CVSS: 5.9 CWE: CWE-19 View on NVD
2016-01-01
High

CVE-2015-7410

The Health Check tool in IBM Sterling B2B Integrator 5.2 does not properly use cookies in conjunction with HTTPS sessions, which allows man-in-the-middle attackers to obtain sensitive information or…

CVSS: 7.4 CWE: CWE-17 View on NVD
2015-12-29
Medium

CVE-2015-5296

Samba 3.x and 4.x before 4.1.22, 4.2.x before 4.2.7, and 4.3.x before 4.3.3 supports connections that are encrypted but unsigned, which allows man-in-the-middle attackers to conduct encrypted-to-unen…

CVSS: 5.4 CWE: CWE-20 - Improper Input Validation View on NVD
2015-12-27
Medium

CVE-2015-8254

The Frontel protocol before 3 on RSI Video Technologies Videofied devices does not use integrity protection, which makes it easier for man-in-the-middle attackers to (1) initiate a false alarm or (2)…

CVSS: 5.9 CWE: CWE-345 - Insufficient Verification of Data Authenticity View on NVD
2015-12-26
Medium

CVE-2015-6409

Cisco Jabber 10.6.x, 11.0.x, and 11.1.x on Windows allows man-in-the-middle attackers to conduct STARTTLS downgrade attacks and trigger cleartext XMPP sessions via unspecified vectors, aka Bug ID CSC…

CVSS: 5.9 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2015-12-24
High

CVE-2015-7931

The Java client in Adcon Telemetry A840 Telemetry Gateway Base Station does not authenticate the station device, which allows man-in-the-middle attackers to spoof devices and obtain sensitive informa…

CVSS: 8.7 CWE: CWE-20 - Improper Input Validation View on NVD
2015-12-11
Low

CVE-2015-7094

CFNetwork HTTPProtocol in Apple iOS before 9.2 and OS X before 10.11.2 allows man-in-the-middle attackers to bypass the HSTS protection mechanism via a crafted URL.

CVSS: 2.6 CWE: CWE-20 - Improper Input Validation View on NVD
2015-11-25
Medium

CVE-2015-7285

CSL DualCom GPRS CS2300-R devices with firmware 1.25 through 3.53 do not require authentication from Alarm Receiving Center (ARC) servers, which allows man-in-the-middle attackers to bypass intended…

CVSS: 5.8 CWE: CWE-287 - Improper Authentication View on NVD
2015-11-18
Medium

CVE-2015-6357

The rule-update feature in Cisco FireSIGHT Management Center (MC) 5.2 through 5.4.0.1 does not verify the X.509 certificate of the support.sourcefire.com SSL server, which allows man-in-the-middle at…

CVSS: 6.8 CWE: CWE-20 - Improper Input Validation View on NVD
2015-11-11
Medium

CVE-2015-6112

SChannel in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 lacks the required ext…

CVSS: 5.8 CWE: CWE-20 - Improper Input Validation View on NVD
2015-11-10
Medium

CVE-2015-5655

The Adways Party Track SDK before 1.6.6 for iOS does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a c…

CVSS: 5.8 CWE: CWE-310 View on NVD
2015-11-04
Medium

CVE-2015-2902

HP ArcSight SmartConnectors before 7.1.6 do not verify X.509 certificates from Logger devices, which allows man-in-the-middle attackers to spoof devices and obtain sensitive information via a crafted…

CVSS: 6.8 CWE: CWE-310 View on NVD
2015-10-31
Critical

CVE-2015-6033

Qolsys IQ Panel (aka QOL) before 1.5.1 does not verify the digital signatures of software updates, which allows man-in-the-middle attackers to bypass intended access restrictions via a modified updat…

CVSS: 9.3 CWE: CWE-310 View on NVD
2015-10-27
Medium

CVE-2015-3996

The default AFSecurityPolicy.validatesDomainName configuration for AFSSLPinningModeNone in the AFNetworking framework before 2.5.3, as used in the ownCloud iOS Library, disables verification of a ser…

CVSS: 4.3 CWE: CWE-254 View on NVD
2015-10-26
Medium

CVE-2015-7298

ownCloud Desktop Client before 2.0.1, when compiled with a Qt release after 5.3.x, does not call QNetworkReply::ignoreSslErrors with the list of errors to be ignored, which makes it easier for remote…

CVSS: 5.1 CWE: N/A View on NVD
Low

CVE-2015-4456

ownCloud Desktop Client before 1.8.2 does not call QNetworkReply::ignoreSslErrors with the list of errors to be ignored, which allows man-in-the-middle attackers to bypass the user's certificate dist…

CVSS: 2.6 CWE: N/A View on NVD
Critical

CVE-2015-5014

IBM Cognos Disclosure Management (CDM) 10.1.x and 10.2.x before 10.2.4 IF10 allows man-in-the-middle attackers to obtain access by spoofing an executable file during a client upload operation.

CVSS: 9.3 CWE: CWE-20 - Improper Input Validation View on NVD
2015-10-23
Medium

CVE-2015-6997

The X.509 certificate-trust implementation in Apple iOS before 9.1 does not recognize that the kSecRevocationRequirePositiveResponse flag implies a revocation-checking requirement, which makes it eas…

CVSS: 4.3 CWE: CWE-254 View on NVD
2015-10-09
Medium

CVE-2015-5894

The X.509 certificate-trust implementation in Apple OS X before 10.11 does not recognize that the kSecRevocationRequirePositiveResponse flag implies a revocation-checking requirement, which makes it…

CVSS: 4.3 CWE: CWE-17 View on NVD
Low

CVE-2015-5853

AirScan in Apple OS X before 10.11 allows man-in-the-middle attackers to obtain eSCL packet payload data via unspecified vectors.

CVSS: 3.3 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2015-09-24
Medium

CVE-2015-6303

The Cisco Spark application 2015-07-04 for mobile operating systems does not properly verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain…

CVSS: 4.3 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2015-09-18
Medium

CVE-2015-6932

VMware vCenter Server 5.5 before u3 and 6.0 before u1 does not verify X.509 certificates from TLS LDAP servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive informat…

CVSS: 5.8 CWE: CWE-310 View on NVD
Medium

CVE-2015-5921

WebKit in Apple iOS before 9 mishandles "Content-Disposition: attachment" HTTP headers, which might allow man-in-the-middle attackers to obtain sensitive information via unspecified vectors.

CVSS: 4.3 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
Medium

CVE-2015-5920

The Software Update component in Apple iTunes before 12.3 does not properly handle redirection, which allows man-in-the-middle attackers to discover encrypted SMB credentials via unspecified vectors.

CVSS: 4.3 CWE: N/A View on NVD
Low

CVE-2015-5907

WebKit in Apple iOS before 9 allows man-in-the-middle attackers to conduct redirection attacks by leveraging the mishandling of the resource cache of an SSL web site with an invalid X.509 certificate.

CVSS: 2.6 CWE: CWE-310 View on NVD
Medium

CVE-2015-5824

The NSURL implementation in the CFNetwork SSL component in Apple iOS before 9 does not properly verify X.509 certificates from SSL servers after a certificate change, which allows man-in-the-middle a…

CVSS: 4.3 CWE: CWE-310 View on NVD
Medium

CVE-2015-5815

WebKit, as used in Apple iTunes before 12.3, allows man-in-the-middle attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via vectors related to…

CVSS: 6.8 CWE: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer View on NVD
Medium

CVE-2015-5808

WebKit, as used in Apple iTunes before 12.3, allows man-in-the-middle attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via vectors related to…

CVSS: 6.8 CWE: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer View on NVD
Medium

CVE-2015-5798

WebKit, as used in Apple iTunes before 12.3, allows man-in-the-middle attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via vectors related to…

CVSS: 6.8 CWE: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer View on NVD
2015-09-16
Medium

CVE-2015-6828

The tweet_info function in class/__functions.php in the SecureMoz Security Audit plugin 1.0.5 and earlier for WordPress does not use an HTTPS session for downloading serialized data, which allows man…

CVSS: 6.8 CWE: CWE-20 - Improper Input Validation View on NVD
2015-08-31
Medium

CVE-2015-0943

Basware Banking (Maksuliikenne) before 9.10.0.0 does not encrypt communication between the client and the backend server, which allows man-in-the-middle attackers to obtain encryption keys, user cred…

CVSS: 5.8 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
Medium

CVE-2015-5717

The Siemens COMPAS Mobile application before 1.6 for Android does not properly verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensiti…

CVSS: 5.8 CWE: CWE-310 View on NVD
2015-08-25
Medium

CVE-2015-4020

RubyGems 2.0.x before 2.0.17, 2.2.x before 2.2.5, and 2.4.x before 2.4.8 does not validate the hostname when fetching gems or making API requests, which allows remote attackers to redirect requests t…

CVSS: 4.3 CWE: CWE-20 - Improper Input Validation View on NVD
2015-08-18
Medium

CVE-2015-5505

The HTTP Strict Transport Security (HSTS) module 6.x-1.x before 6.x-1.1 and 7.x-1.x before 7.x-1.2 for Drupal does not properly implement the "include subdomains" directive, which causes the HSTS pol…

CVSS: 6.8 CWE: CWE-17 View on NVD
2015-08-16
Medium

CVE-2015-3774

The Dictionary app in Apple OS X before 10.10.5 does not use HTTPS, which allows man-in-the-middle attackers to obtain sensitive information by sniffing the network or spoof word definitions by modif…

CVSS: 4.8 CWE: CWE-20 - Improper Input Validation View on NVD
Medium

CVE-2015-3750

WebKit in Apple Safari before 6.2.8, 7.x before 7.1.8, and 8.x before 8.0.8, as used in iOS before 8.4.1 and other products, does not enforce the HTTP Strict Transport Security (HSTS) protection mech…

CVSS: 6.4 CWE: CWE-254 View on NVD
Medium

CVE-2015-4483

Mozilla Firefox before 40.0 allows man-in-the-middle attackers to bypass a mixed-content protection mechanism via a feed: URL in a POST request.

CVSS: 4.3 CWE: CWE-264 View on NVD
2015-08-15
Medium

CVE-2015-2472

Remote Desktop Session Host (RDSH) in Remote Desktop Protocol (RDP) through 8.1 in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Serv…

CVSS: 4.3 CWE: CWE-20 - Improper Input Validation View on NVD
2015-08-14
Medium

CVE-2015-1816

Forman before 1.7.4 does not verify SSL certificates for LDAP connections, which allows man-in-the-middle attackers to spoof LDAP servers via a crafted certificate.

CVSS: 5.0 CWE: CWE-310 View on NVD
Medium

CVE-2014-8155

GnuTLS before 2.9.10 does not verify the activation and expiration dates of CA certificates, which allows man-in-the-middle attackers to spoof servers via a certificate issued by a CA certificate tha…

CVSS: 4.3 CWE: CWE-17 View on NVD
2015-08-12
Medium

CVE-2015-3908

Ansible before 1.9.2 does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle…

CVSS: 4.3 CWE: CWE-345 - Insufficient Verification of Data Authenticity View on NVD
2015-08-11
Medium

CVE-2015-5369

Pulse Connect Secure (aka PCS and formerly Juniper PCS) PSC6000, PCS6500, and MAG PSC360 8.1 before 8.1r5, 8.0 before 8.0r13, 7.4 before 7.4r13.5, and 7.1 before 7.1r22.2 and PPS 5.1 before 5.1R5 and…

CVSS: 4.3 CWE: CWE-17 View on NVD
Medium

CVE-2015-2323

FortiOS 5.0.x before 5.0.12 and 5.2.x before 5.2.4 supports anonymous, export, RC4, and possibly other weak ciphers when using TLS to connect to FortiGuard servers, which allows man-in-the-middle att…

CVSS: 6.4 CWE: CWE-310 View on NVD
2015-08-08
Low

CVE-2015-5961

The COPPA error page in the Accounts setup dialog in Mozilla Firefox OS before 2.2 embeds content from an external web server URL into the System process, which allows man-in-the-middle attackers to…

CVSS: 3.3 CWE: CWE-264 View on NVD
2015-08-07
Critical

CVE-2015-4674

The autoupdate implementation in TimeDoctor Pro 1.4.72.3 on Windows relies on unsigned installer files that are retrieved without use of SSL, which makes it easier for man-in-the-middle attackers to…

CVSS: 9.3 CWE: CWE-345 - Insufficient Verification of Data Authenticity View on NVD
2015-08-03
Medium

CVE-2015-5537

The SSL layer of the HTTPS service in Siemens RuggedCom ROS before 4.2.0 and ROX II does not properly implement CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext…

CVSS: 4.3 CWE: CWE-312 - Cleartext Storage of Sensitive Information View on NVD
2015-07-29
Medium

CVE-2015-4288

The LDAP implementation on the Cisco Web Security Appliance (WSA) 8.5.0-000, Email Security Appliance (ESA) 8.5.7-042, and Content Security Management Appliance (SMA) 8.3.6-048 does not verify X.509…

CVSS: 4.3 CWE: CWE-310 View on NVD
2015-07-23
Medium

CVE-2015-1288

The Spellcheck API implementation in Google Chrome before 44.0.2403.89 does not use an HTTPS session for downloading a Hunspell dictionary, which allows man-in-the-middle attackers to deliver incorre…

CVSS: 6.8 CWE: CWE-17 View on NVD
2015-07-18
Medium

CVE-2015-4458

The TLS implementation in the Cavium cryptographic-module firmware, as distributed with Cisco Adaptive Security Appliance (ASA) Software 9.1(5.21) and other products, does not verify the MAC field, w…

CVSS: 4.3 CWE: CWE-310 View on NVD
2015-07-10
Medium

CVE-2015-4259

The Integrated Management Controller on Cisco Unified Computing System (UCS) C servers with software 1.5(3) and 1.6(0.16) has a default SSL certificate, which makes it easier for man-in-the-middle at…

CVSS: 4.3 CWE: CWE-310 View on NVD
2015-07-06
Medium

CVE-2015-2741

Mozilla Firefox before 39.0, Firefox ESR 38.x before 38.1, and Thunderbird before 38.1 do not enforce key pinning upon encountering an X.509 certificate problem that generates a user dialog, which al…

CVSS: 4.3 CWE: CWE-310 View on NVD
Medium

CVE-2015-2721

Mozilla Network Security Services (NSS) before 3.19, as used in Mozilla Firefox before 39.0, Firefox ESR 31.x before 31.8 and 38.x before 38.1, Thunderbird before 38.1, and other products, does not p…

CVSS: 4.3 CWE: CWE-310 View on NVD
2015-07-05
Medium

CVE-2015-0543

EMC Secure Remote Services Virtual Edition (ESRS VE) 3.x before 3.06 does not properly verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain…

CVSS: 5.8 CWE: CWE-20 - Improper Input Validation View on NVD
2015-07-01
Medium

CVE-2015-1330

unattended-upgrades before 0.86.1 does not properly authenticate packages when the (1) force-confold or (2) force-confnew dpkg options are enabled in the DPkg::Options::* apt configuration, which all…

CVSS: 6.8 CWE: CWE-287 - Improper Authentication View on NVD
2015-06-24
Medium

CVE-2013-7398

main/java/com/ning/http/client/AsyncHttpClientConfig.java in Async Http Client (aka AHC or async-http-client) before 1.9.0 does not require a hostname match during verification of X.509 certificates,…

CVSS: 4.3 CWE: CWE-345 - Insufficient Verification of Data Authenticity View on NVD
Medium

CVE-2013-7397

Async Http Client (aka AHC or async-http-client) before 1.9.0 skips X.509 certificate verification unless both a keyStore location and a trustStore location are explicitly set, which allows man-in-th…

CVSS: 4.3 CWE: CWE-345 - Insufficient Verification of Data Authenticity View on NVD
Medium

CVE-2015-3900

RubyGems 2.0.x before 2.0.16, 2.2.x before 2.2.4, and 2.4.x before 2.4.7 does not validate the hostname when fetching gems or making API requests, which allows remote attackers to redirect requests t…

CVSS: 5.0 CWE: CWE-254 View on NVD
2015-06-23
Medium

CVE-2015-2859

Intel McAfee ePolicy Orchestrator (ePO) 4.x through 4.6.9 and 5.x through 5.1.2 does not validate server names and Certification Authority names in X.509 certificates from SSL servers, which allows m…

CVSS: 5.8 CWE: CWE-310 View on NVD
2015-06-19
Low

CVE-2015-4640

The SwiftKey language-pack update implementation on Samsung Galaxy S4, S4 Mini, S5, and S6 devices relies on an HTTP connection to the skslm.swiftkey.net server, which allows man-in-the-middle attack…

CVSS: 2.9 CWE: CWE-254 View on NVD
2015-06-17
Medium

CVE-2015-4550

The Cavium cryptographic-module firmware on Cisco Adaptive Security Appliance (ASA) devices with software 9.3(3) and 9.4(1.1) does not verify the AES-GCM Integrity Check Value (ICV) octets, which mak…

CVSS: 4.3 CWE: CWE-310 View on NVD
Medium

CVE-2015-4190

Cisco Cloud Portal in Cisco Prime Service Catalog 9.4.1_vortex on Cloud Portal appliances allows man-in-the-middle attackers to modify data via unspecified vectors, aka Bug ID CSCuh19683.

CVSS: 4.3 CWE: N/A View on NVD
2015-06-02
Medium

CVE-2015-4094

The Thycotic Password Manager Secret Server application through 2.3 for iOS does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain s…

CVSS: 5.8 CWE: CWE-295 - Improper Certificate Validation View on NVD
2015-05-26
Medium

CVE-2015-3903

libraries/Config.class.php in phpMyAdmin 4.0.x before 4.0.10.10, 4.2.x before 4.2.13.3, 4.3.x before 4.3.13.1, and 4.4.x before 4.4.6.1 disables X.509 certificate verification for GitHub API calls ov…

CVSS: 4.3 CWE: CWE-310 View on NVD
2015-05-25
Medium

CVE-2015-0962

Barracuda Web Filter 7.x and 8.x before 8.1.0.005, when SSL Inspection is enabled, uses the same root Certification Authority certificate across different customers' installations, which makes it eas…

CVSS: 4.3 CWE: CWE-18 View on NVD
Medium

CVE-2015-0961

Barracuda Web Filter before 8.1.0.005, when SSL Inspection is enabled, does not verify X.509 certificates from upstream SSL servers, which allows man-in-the-middle attackers to spoof servers and obta…

CVSS: 4.3 CWE: N/A View on NVD
2015-05-21
Low

CVE-2015-4000

The TLS protocol 1.2 and earlier, when a DHE_EXPORT ciphersuite is enabled on a server but not on a client, does not properly convey a DHE_EXPORT choice, which allows man-in-the-middle attackers to c…

CVSS: 3.7 CWE: CWE-310 View on NVD
2015-05-20
Medium

CVE-2015-1263

The Spellcheck API implementation in Google Chrome before 43.0.2357.65 does not use an HTTPS session for downloading a Hunspell dictionary, which allows man-in-the-middle attackers to deliver incorre…

CVSS: 4.3 CWE: CWE-17 View on NVD
2015-05-18
Low

CVE-2015-3455

Squid 3.2.x before 3.2.14, 3.3.x before 3.3.14, 3.4.x before 3.4.13, and 3.5.x before 3.5.4, when configured with client-first SSL-bump, do not properly validate the domain or hostname fields of X.50…

CVSS: 2.6 CWE: CWE-20 - Improper Input Validation View on NVD
2015-05-12
High

CVE-2015-2233

Lenovo System Update (formerly ThinkVantage System Update) before 5.06.0034 does not properly validate CA chains during signature validation, which allows man-in-the-middle attackers to upload and ex…

CVSS: 8.3 CWE: CWE-310 View on NVD
Medium

CVE-2014-9326

The automatic signature update functionality in the (1) Phone Home feature in F5 BIG-IP LTM, AAM, AFM, Analytics, APM, GTM, and Link Controller 11.5.0 through 11.6.0, ASM 10.0.0 through 11.6.0, and P…

CVSS: 4.3 CWE: N/A View on NVD
2015-05-07
Medium

CVE-2015-3610

The Siemens HomeControl for Room Automation application before 2.0.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obt…

CVSS: 5.4 CWE: CWE-310 View on NVD
2015-04-17
Medium

CVE-2015-1852

The s3_token middleware in OpenStack keystonemiddleware before 1.6.0 and python-keystoneclient before 1.4.0 disables certification verification when the "insecure" option is set in a paste configurat…

CVSS: 4.3 CWE: CWE-17 View on NVD
2015-04-16
Medium

CVE-2015-3324

The ThinkServer System Manager (TSM) Baseboard Management Controller before firmware 1.27.73476 for ThinkServer RD350, RD450, RD550, RD650, and TD350 does not validate server certificates during an "…

CVSS: 4.3 CWE: CWE-310 View on NVD
2015-04-13
High

CVE-2015-0676

The DNS implementation in Cisco Adaptive Security Appliance (ASA) Software 7.2 before 7.2(5.16), 8.2 before 8.2(5.57), 8.3 before 8.3(2.44), 8.4 before 8.4(7.28), 8.5 before 8.5(1.24), 8.6 before 8.6…

CVSS: 7.1 CWE: CWE-20 - Improper Input Validation View on NVD
2015-04-10
Medium

CVE-2015-3008

Asterisk Open Source 1.8 before 1.8.32.3, 11.x before 11.17.1, 12.x before 12.8.2, and 13.x before 13.3.2 and Certified Asterisk 1.8.28 before 1.8.28-cert5, 11.6 before 11.6-cert11, and 13.1 before 1…

CVSS: 4.3 CWE: CWE-310 View on NVD
High

CVE-2015-1102

The kernel in Apple iOS before 8.3, Apple OS X before 10.10.3, and Apple TV before 7.2 does not properly handle TCP headers, which allows man-in-the-middle attackers to cause a denial of service via…

CVSS: 7.1 CWE: CWE-20 - Improper Input Validation View on NVD
2015-04-08
Medium

CVE-2015-2822

Siemens SIMATIC HMI Comfort Panels before WinCC (TIA Portal) 13 SP1 Upd2 and SIMATIC WinCC Runtime Advanced before WinCC (TIA Portal) 13 SP1 Upd2 allow man-in-the-middle attackers to cause a denial o…

CVSS: 4.3 CWE: CWE-20 - Improper Input Validation View on NVD
Medium

CVE-2015-1799

The symmetric-key feature in the receive function in ntp_proto.c in ntpd in NTP 3.x and 4.x before 4.2.8p2 performs state-variable updates upon receiving certain invalid packets, which makes it easie…

CVSS: 4.3 CWE: CWE-17 View on NVD
Low

CVE-2015-1798

The symmetric-key feature in the receive function in ntp_proto.c in ntpd in NTP 4.x before 4.2.8p2 requires a correct MAC only if the MAC field has a nonzero length, which makes it easier for man-in-…

CVSS: 1.8 CWE: CWE-17 View on NVD
Medium

CVE-2015-0799

The HTTP Alternative Services feature in Mozilla Firefox before 37.0.1 allows man-in-the-middle attackers to bypass an intended X.509 certificate-verification step for an SSL server by specifying tha…

CVSS: 4.3 CWE: CWE-20 - Improper Input Validation View on NVD
2015-04-06
Medium

CVE-2015-1843

The Red Hat docker package before 1.5.0-28, when using the --add-registry option, falls back to HTTP when the HTTPS connection to the registry fails, which allows man-in-the-middle attackers to condu…

CVSS: 4.3 CWE: CWE-20 - Improper Input Validation View on NVD
Medium

CVE-2015-1601

Siemens SIMATIC STEP 7 (TIA Portal) 12 and 13 before 13 SP1 Upd1 allows man-in-the-middle attackers to obtain sensitive information or modify transmitted data via unspecified vectors.

CVSS: 6.8 CWE: CWE-254 View on NVD
2015-04-01
Medium

CVE-2015-0812

Mozilla Firefox before 37.0 does not require an HTTPS session for lightweight theme add-on installations, which allows man-in-the-middle attackers to bypass an intended user-confirmation requirement…

CVSS: 4.3 CWE: CWE-17 View on NVD
2015-03-24
Medium

CVE-2015-0137

IBM PowerVC Standard 1.2.0.x before 1.2.0.4 and 1.2.1.x before 1.2.2 validates Hardware Management Console (HMC) certificates only during the pre-login stage, which allows man-in-the-middle attackers…

CVSS: 4.3 CWE: CWE-20 - Improper Input Validation View on NVD
2015-03-22
Medium

CVE-2015-0941

The Inetc plugin for Nullsoft Scriptable Install System (NSIS), as used in CERT/CC Failure Observation Engine (FOE) and other products, does not verify X.509 certificates from SSL servers, which allo…

CVSS: 4.3 CWE: CWE-310 View on NVD
2015-03-12
Medium

CVE-2015-1065

Multiple buffer overflows in iCloud Keychain in Apple iOS before 8.2 and Apple OS X through 10.10.2 allow man-in-the-middle attackers to execute arbitrary code by modifying the client-server data str…

CVSS: 5.4 CWE: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer View on NVD
2015-03-07
Medium

CVE-2015-1597

The Siemens SPCanywhere application for Android does not use encryption during the loading of code, which allows man-in-the-middle attackers to execute arbitrary code by modifying the client-server d…

CVSS: 6.8 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
Medium

CVE-2015-1596

The Siemens SPCanywhere application for Android and iOS does not properly verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive in…

CVSS: 5.8 CWE: CWE-310 View on NVD
Medium

CVE-2015-1595

The Siemens SPCanywhere application for Android and iOS does not use encryption during lookups of system ID to IP address mappings, which allows man-in-the-middle attackers to discover alarm IP addre…

CVSS: 4.3 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2015-02-25
Medium

CVE-2015-0834

The WebRTC subsystem in Mozilla Firefox before 36.0 recognizes turns: and stuns: URIs but accesses the TURN or STUN server without using TLS, which makes it easier for man-in-the-middle attackers to…

CVSS: 4.3 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
Medium

CVE-2015-0832

Mozilla Firefox before 36.0 does not properly recognize the equivalence of domain names with and without a trailing . (dot) character, which allows man-in-the-middle attackers to bypass the HPKP and…

CVSS: 5.0 CWE: CWE-254 View on NVD
2015-02-24
Medium

CVE-2015-2078

The SDK for Komodia Redirector with SSL Digestor, as used in Lavasoft Ad-Aware Web Companion 1.1.885.1766 and Ad-Aware AdBlocker (alpha) 1.3.69.1, Qustodio for Windows, Atom Security, Inc. StaffCop 5…

CVSS: 5.0 CWE: CWE-310 View on NVD
Medium

CVE-2015-2077

The SDK for Komodia Redirector with SSL Digestor, as used in Lavasoft Ad-Aware Web Companion 1.1.885.1766 and Ad-Aware AdBlocker (alpha) 1.3.69.1, Qustodio for Windows, Atom Security, Inc. StaffCop 5…

CVSS: 5.0 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2015-02-11
Low

CVE-2015-0009

The Group Policy Security Configuration policy implementation in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windo…

CVSS: 3.3 CWE: CWE-254 View on NVD
2015-02-10
Medium

CVE-2015-1571

The CAPWAP DTLS protocol implementation in Fortinet FortiOS 5.0 Patch 7 build 4457 uses the same certificate and private key across different customers' installations, which makes it easier for man-i…

CVSS: 4.3 CWE: CWE-310 View on NVD
Medium

CVE-2015-1570

The Endpoint Control protocol implementation in Fortinet FortiClient 5.2.3.091 for Android and 5.2.028 for iOS does not validate certificates, which makes it easier for man-in-the-middle attackers to…

CVSS: 4.3 CWE: CWE-310 View on NVD
Medium

CVE-2015-1569

Fortinet FortiClient 5.2.028 for iOS does not validate certificates, which makes it easier for man-in-the-middle attackers to spoof SSL VPN servers via a crafted certificate.

CVSS: 4.3 CWE: CWE-310 View on NVD
2015-02-03
High

CVE-2014-8779

Pexip Infinity before 8 uses the same SSH host keys across different customers' installations, which allows man-in-the-middle attackers to spoof Management and Conferencing Nodes by leveraging these…

CVSS: 7.1 CWE: CWE-254 View on NVD
2015-02-02
High

CVE-2015-1454

Blue Coat ProxyClient before 3.3.3.3 and 3.4.x before 3.4.4.10 and Unified Agent before 4.1.3.151952 does not properly validate certain certificates, which allows man-in-the-middle attackers to spoof…

CVSS: 7.1 CWE: CWE-310 View on NVD
Medium

CVE-2014-8918

IBM Security AppScan Standard 8.x and 9.x before 9.0.1.1 FP1 does not properly verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensiti…

CVSS: 5.8 CWE: CWE-310 View on NVD
2015-02-01
Medium

CVE-2014-4632

VMware vSphere Data Protection (VDP) 5.1, 5.5 before 5.5.9, and 5.8 before 5.8.1 and the proxy client in EMC Avamar Data Store (ADS) and Avamar Virtual Edition (AVE) 6.x and 7.0.x do not properly ver…

CVSS: 4.3 CWE: CWE-310 View on NVD
2015-01-22
Medium

CVE-2014-7948

The AppCacheUpdateJob::URLFetcher::OnResponseStarted function in content/browser/appcache/appcache_update_job.cc in Google Chrome before 40.0.2214.91 proceeds with AppCache caching for SSL sessions e…

CVSS: 4.3 CWE: CWE-310 View on NVD
2015-01-15
Medium

CVE-2014-8151

The darwinssl_connect_step1 function in lib/vtls/curl_darwinssl.c in libcurl 7.31.0 through 7.39.0, when using the DarwinSSL (aka SecureTransport) back-end for TLS, does not check if a cached TLS ses…

CVSS: 5.8 CWE: N/A View on NVD
2014-12-30
Medium

CVE-2014-4630

EMC RSA BSAFE Micro Edition Suite (MES) 4.0.x before 4.0.6 and RSA BSAFE SSL-J before 6.1.4 do not ensure that a server's X.509 certificate is the same during renegotiation as it was before renegotia…

CVSS: 4.3 CWE: CWE-310 View on NVD
2014-12-29
Medium

CVE-2014-3556

The STARTTLS implementation in mail/ngx_mail_smtp_handler.c in the SMTP proxy in nginx 1.5.x and 1.6.x before 1.6.1 and 1.7.x before 1.7.4 does not properly restrict I/O buffering, which allows man-i…

CVSS: 6.8 CWE: CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection') View on NVD
2014-12-16
Critical

CVE-2014-4936

The upgrade functionality in Malwarebytes Anti-Malware (MBAM) consumer before 2.0.3 and Malwarebytes Anti-Exploit (MBAE) consumer 1.04.1.1012 and earlier allow man-in-the-middle attackers to execute…

CVSS: 9.3 CWE: CWE-345 - Insufficient Verification of Data Authenticity View on NVD
2014-12-12
Medium

CVE-2014-9365

The HTTP clients in the (1) httplib, (2) urllib, (3) urllib2, and (4) xmlrpclib libraries in CPython (aka Python) 2.x before 2.7.9 and 3.x before 3.4.3, when accessing an HTTPS URL, do not (a) check…

CVSS: 5.8 CWE: N/A View on NVD
2014-12-10
Medium

CVE-2014-8730

The SSL profiles component in F5 BIG-IP LTM, APM, and ASM 10.0.0 through 10.2.4 and 11.0.0 through 11.5.1, AAM 11.4.0 through 11.5.1, AFM 11.3.0 through 11.5.1, Analytics 11.0.0 through 11.5.1, Edge…

CVSS: 4.3 CWE: CWE-310 View on NVD
2014-12-08
Medium

CVE-2014-8371

VMware vCenter Server Appliance (vCSA) 5.5 before Update 2, 5.1 before Update 3, and 5.0 before Update 3c does not properly validate certificates when connecting to a CIM Server on an ESXi host, whic…

CVSS: 4.3 CWE: CWE-310 View on NVD
2014-11-28
Medium

CVE-2014-4883

resolv.c in the DNS resolver in uIP, and dns.c in the DNS resolver in lwIP 1.4.1 and earlier, does not use random values for ID fields and source ports of DNS query packets, which makes it easier for…

CVSS: 4.3 CWE: CWE-345 - Insufficient Verification of Data Authenticity View on NVD
2014-11-17
Medium

CVE-2014-5277

Docker before 1.3.1 and docker-py before 0.5.3 fall back to HTTP when the HTTPS connection to the registry fails, which allows man-in-the-middle attackers to conduct downgrade attacks and obtain auth…

CVSS: 5.0 CWE: CWE-17 View on NVD
2014-11-14
Medium

CVE-2014-7991

The Remote Mobile Access Subsystem in Cisco Unified Communications Manager (CM) 10.0(1) and earlier does not properly validate the Subject Alternative Name (SAN) field of an X.509 certificate, which…

CVSS: 4.3 CWE: CWE-310 View on NVD
2014-11-04
High

CVE-2014-2718

ASUS RT-AC68U, RT-AC66R, RT-AC66U, RT-AC56R, RT-AC56U, RT-N66R, RT-N66U, RT-N56R, RT-N56U, and possibly other RT-series routers before firmware 3.0.0.4.376.x do not verify the integrity of firmware (…

CVSS: 7.1 CWE: CWE-345 - Insufficient Verification of Data Authenticity View on NVD
2014-10-29
Medium

CVE-2014-8538

The Hijab Modern (aka com.Aisyaidea.HijabModern) application 1.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain…

CVSS: 5.4 CWE: CWE-310 View on NVD
Medium

CVE-2014-3694

The (1) bundled GnuTLS SSL/TLS plugin and the (2) bundled OpenSSL SSL/TLS plugin in libpurple in Pidgin before 2.10.10 do not properly consider the Basic Constraints extension during verification of…

CVSS: 6.4 CWE: CWE-310 View on NVD
Medium

CVE-2014-3051

The Internet Service Monitor (ISM) agent in IBM Tivoli Composite Application Manager (ITCAM) for Transactions 7.1 and 7.2 before 7.2.0.3 IF28, 7.3 before 7.3.0.1 IF30, and 7.4 before 7.4.0.0 IF18 doe…

CVSS: 4.3 CWE: CWE-310 View on NVD