CVE Daily
← All tags

Tag: Mitm

All CVEs associated with "Mitm". Page 4/32 • 3809 CVEs.

Subscribe CVEs: RSS for “Mitm”  ·  RSS (High+Critical only)

About “Mitm”

A curated feed of “Mitm”-related CVEs appears below. We currently track 3809 CVEs for this tag (all time). In the last 365 days, 218 were published. Average CVSS is 6.1 (all time; 6.6 over 365d), and 25% are rated High/Critical (all time). Top CWEs (last 365 days): CWE-295 - Improper Certificate Validation, CWE-319 - Cleartext Transmission of Sensitive Information, CWE-297 - Improper Validation of Certificate with Host Mismatch.

In our taxonomy this topic maps to a MODERATE impact class. Common exploitation patterns for this weakness can lead to moderate. Use the filters to triage high risk first and validate exposure in your environment. Use the filters below to sort by CVSS, risk and CWE. Each detail page highlights vendor advisories and mitigation tips.

CVEs tagged with this topic. Filters apply to the whole list (loaded from JSON).

CVSS ≥ 0.0
2024-07-09
Medium

CVE-2024-33509

An improper certificate validation vulnerability [CWE-295] in FortiWeb 7.2.0 through 7.2.1, 7.0 all versions, 6.4 all versions and 6.3 all versions may allow a remote and unauthenticated attacker in…

CVSS: 4.8 CWE: CWE-295 - Improper Certificate Validation View on NVD
Medium

CVE-2023-50179

An improper certificate validation vulnerability [CWE-295] in FortiADC 7.4.0, 7.2 all versions, 7.1 all versions, 7.0 all versions may allow a remote and unauthenticated attacker to perform a Man-in-…

CVSS: 4.8 CWE: CWE-295 - Improper Certificate Validation View on NVD
High

CVE-2023-50178

An improper certificate validation vulnerability [CWE-295] in FortiADC 7.4.0, 7.2.0 through 7.2.3, 7.1 all versions, 7.0 all versions, 6.2 all versions, 6.1 all versions and 6.0 all versions may allo…

CVSS: 7.4 CWE: CWE-295 - Improper Certificate Validation View on NVD
Medium

CVE-2024-38867

A vulnerability has been identified in SIPROTEC 5 6MD84 (CP300) (All versions < V9.64), SIPROTEC 5 6MD85 (CP200) (All versions), SIPROTEC 5 6MD85 (CP300) (All versions < V9.64), SIPROTEC 5 6MD86 (CP2…

CVSS: 5.9 CWE: CWE-326 - Inadequate Encryption Strength View on NVD
2024-06-28
High

CVE-2024-39350

A vulnerability regarding authentication bypass by spoofing is found in the RTSP functionality. This allows man-in-the-middle attackers to obtain privileges without consent via unspecified vectors. T…

CVSS: 7.5 CWE: CWE-290 - Authentication Bypass by Spoofing View on NVD
High

CVE-2024-39348

Download of code without integrity check vulnerability in AirPrint functionality in Synology Router Manager (SRM) before 1.2.5-8227-11 and 1.3.1-9346-8 allows man-in-the-middle attackers to execute a…

CVSS: 7.5 CWE: CWE-494 - Download of Code Without Integrity Check View on NVD
Medium

CVE-2024-39347

Incorrect default permissions vulnerability in firewall functionality in Synology Router Manager (SRM) before 1.2.5-8227-11 and 1.3.1-9346-8 allows man-in-the-middle attackers to access highly sensit…

CVSS: 5.9 CWE: CWE-276 - Incorrect Default Permissions View on NVD
2024-06-27
Medium

CVE-2024-36755

D-Link DIR-1950 up to v1.11B03 does not validate SSL certificates when requesting the latest firmware version and downloading URL. This can allow attackers to downgrade the firmware version or change…

CVSS: 6.8 CWE: CWE-599 - Missing Validation of OpenSSL Certificate View on NVD
2024-06-26
Medium

CVE-2024-38271

There exists a vulnerability in Quick Share/Nearby, where an attacker can force a victim to stay connected to a temporary hotspot created for the sharing. As part of the sequence of packets in a Quic…

CVSS: 4.8 CWE: CWE-404 - Improper Resource Shutdown or Release View on NVD
Medium

CVE-2024-29175

Dell PowerProtect Data Domain, versions prior to 7.13.0.0, LTS 7.7.5.40, LTS 7.10.1.30 contain an weak cryptographic algorithm vulnerability. A remote unauthenticated attacker could potentially explo…

CVSS: 5.9 CWE: CWE-327 - Use of a Broken or Risky Cryptographic Algorithm View on NVD
2024-06-18
High

CVE-2024-5275

A hard-coded password in the FileCatalyst TransferAgent can be found which can be used to unlock the keystore from which contents may be read out, for example, the private key for certificates. Explo…

CVSS: 7.8 CWE: CWE-259 - Use of Hard-coded Password View on NVD
2024-06-17
Medium

CVE-2024-36289

Reusing a nonce, key pair in encryption issue exists in "FreeFrom - the nostr client" App versions prior to 1.3.5 for Android and iOS. If this vulnerability is exploited, the content of direct messag…

CVSS: 5.3 CWE: CWE-323 - Reusing a Nonce, Key Pair in Encryption View on NVD
Medium

CVE-2024-36279

Reliance on obfuscation or encryption of security-relevant inputs without integrity checking issue exists in "FreeFrom - the nostr client" App versions prior to 1.3.5 for Android and iOS. If this vul…

CVSS: 5.3 CWE: CWE-649 - Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity Checking View on NVD
2024-06-14
Medium

CVE-2024-21988

StorageGRID (formerly StorageGRID Webscale) versions prior to 11.7.0.9 and 11.8.0.5 are susceptible to disclosure of sensitive information via complex MiTM attacks due to a vulnerability in the SSH…

CVSS: 5.3 CWE: CWE-347 - Improper Verification of Cryptographic Signature View on NVD
2024-06-02
Critical

CVE-2024-36391

MileSight DeviceHub - CWE-320: Key Management Errors may allow Authentication Bypass and Man-In-The-Middle Traffic

CVSS: 9.1 CWE: CWE-320 View on NVD
2024-05-26
High

CVE-2024-34454

Nintendo Wii U OS 5.5.5 allows man-in-the-middle attackers to forge SSL certificates as though they came from a Root CA, because there is a secondary verification mechanism that only checks whether a…

CVSS: 7.4 CWE: CWE-269 - Improper Privilege Management View on NVD
2024-05-22
Medium

CVE-2024-31340

TP-Link Tether versions prior to 4.5.13 and TP-Link Tapo versions prior to 3.3.6 do not properly validate certificates, which may allow a remote unauthenticated attacker to eavesdrop on an encrypted…

CVSS: 4.8 CWE: CWE-295 - Improper Certificate Validation View on NVD
2024-05-21
High

CVE-2024-35061

NASA AIT-Core v2.5.2 was discovered to use unencrypted channels to exchange data over the network, allowing attackers to execute a man-in-the-middle attack. When chained with CVE-2024-35059, the CVE…

CVSS: 7.3 CWE: CWE-311 - Missing Encryption of Sensitive Data View on NVD
2024-05-18
Medium

CVE-2024-34083

aiosmptd is a reimplementation of the Python stdlib smtpd.py based on asyncio. Prior to version 1.4.6, servers based on aiosmtpd accept extra unencrypted commands after STARTTLS, treating them as if…

CVSS: 5.4 CWE: CWE-349 - Acceptance of Extraneous Untrusted Data With Trusted Data View on NVD
2024-05-14
Medium

CVE-2024-4871

A vulnerability was found in Satellite. When running a remote execution job on a host, the host's SSH key is not being checked. When the key changes, the Satellite still connects it because it uses "…

CVSS: 6.8 CWE: CWE-322 - Key Exchange without Entity Authentication View on NVD
Critical

CVE-2024-30209

A vulnerability has been identified in SIMATIC RTLS Locating Manager (6GT2780-0DA00) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-0DA10) (All versions < V3.0.1.1), SIMATIC RTLS L…

CVSS: 9.6 CWE: CWE-319 - Cleartext Transmission of Sensitive Information View on NVD
High

CVE-2024-28134

An unauthenticated remote attacker can extract a session token with a MitM attack and gain web-based management access with the privileges of the currently logged in user due to cleartext transmissio…

CVSS: 7.0 CWE: CWE-319 - Cleartext Transmission of Sensitive Information View on NVD
2024-05-03
High

CVE-2024-34447

An issue was discovered in the Bouncy Castle Crypto Package For Java before BC TLS Java 1.0.19 (ships with BC Java 1.78, BC Java (LTS) 2.73.6) and before BC FIPS TLS Java 1.0.19. When endpoint identi…

CVSS: 7.5 CWE: CWE-297 - Improper Validation of Certificate with Host Mismatch View on NVD
2024-05-01
Medium

CVE-2022-38386

IBM Cloud Pak for Security (CP4S) 1.10.0.0 through 1.10.11.0 and IBM QRadar Suite for Software 1.10.12.0 through 1.10.19.0 does not set the SameSite attribute for sensitive cookies which could allow…

CVSS: 5.9 CWE: CWE-1275 - Sensitive Cookie with Improper SameSite Attribute View on NVD
2024-04-30
Medium

CVE-2020-5200

Minerbabe through V4.16 ships with SSH host keys baked into the installation image, which allows man-in-the-middle attacks and makes identification of all public IPv4 nodes trivial with Shodan.io.

CVSS: 5.9 CWE: N/A View on NVD
Critical

CVE-2019-19755

ethOS through 1.3.3 ships with SSH host keys baked into the installation image, which allows man-in-the-middle attacks and makes identification of all public IPv4 nodes trivial with Shodan.io. NOTE:…

CVSS: 9.1 CWE: CWE-639 - Authorization Bypass Through User-Controlled Key View on NVD
Medium

CVE-2019-19754

HiveOS through 0.6-102@191212 ships with SSH host keys baked into the installation image, which allows man-in-the-middle attacks and makes identification of all public IPv4 nodes trivial with Shodan.…

CVSS: 5.7 CWE: CWE-321 - Use of Hard-coded Cryptographic Key View on NVD
Critical

CVE-2019-19753

SimpleMiningOS through v1259 ships with SSH host keys baked into the installation image, which allows man-in-the-middle attacks and makes identification of all public IPv4 nodes trivial with Shodan.i…

CVSS: 9.1 CWE: CWE-321 - Use of Hard-coded Cryptographic Key View on NVD
Critical

CVE-2019-19752

nvOC through 3.2 ships with SSH host keys baked into the installation image, which allows man-in-the-middle attacks and makes identification of all public IPv4 nodes trivial with Shodan.io. NOTE: as…

CVSS: 9.8 CWE: CWE-321 - Use of Hard-coded Cryptographic Key View on NVD
Medium

CVE-2019-19751

easyMINE before 2019-12-05 ships with SSH host keys baked into the installation image, which allows man-in-the-middle attacks and makes identification of all public IPv4 nodes trivial with Shodan.io.

CVSS: 5.6 CWE: CWE-300 - Channel Accessible by Non-Endpoint View on NVD
2024-04-19
Medium

CVE-2024-29960

In Brocade SANnav server before v2.3.1 and v2.3.0a, the SSH keys inside the OVA image are identical in the VM every time SANnav is installed. Any Brocade SAnnav VM based on the official OVA images is…

CVSS: 6.8 CWE: CWE-798 - Use of Hard-coded Credentials View on NVD
2024-04-17
High

CVE-2024-29950

The class FileTransfer implemented in Brocade SANnav before v2.3.1, v2.3.0a, uses the ssh-rsa signature scheme, which has a SHA-1 hash. The vulnerability could allow a remote, unauthenticated attacke…

CVSS: 7.5 CWE: CWE-326 - Inadequate Encryption Strength View on NVD
2024-04-10
Medium

CVE-2024-3387

A weak (low bit strength) device certificate in Palo Alto Networks Panorama software enables an attacker to perform a meddler-in-the-middle (MitM) attack to capture encrypted traffic between the Pano…

CVSS: 5.3 CWE: CWE-326 - Inadequate Encryption Strength View on NVD
High

CVE-2024-31872

IBM Security Verify Access Appliance 10.0.0 through 10.0.7 could allow a malicious actor to conduct a man in the middle attack when deploying Open Source scripts due to missing certificate validation…

CVSS: 7.5 CWE: CWE-295 - Improper Certificate Validation View on NVD
High

CVE-2024-31871

IBM Security Verify Access Appliance 10.0.0 through 10.0.7 could allow a malicious actor to conduct a man in the middle attack when deploying Python scripts due to improper certificate validation. I…

CVSS: 7.5 CWE: CWE-295 - Improper Certificate Validation View on NVD
2024-04-04
High

CVE-2024-31206

dectalk-tts is a Node package to interact with the aeiou Dectalk web API. In `[email protected]`, network requests to the third-party API are sent over HTTP, which is unencrypted. Unencrypted traffic…

CVSS: 8.2 CWE: CWE-300 - Channel Accessible by Non-Endpoint View on NVD
2024-03-28
Low

CVE-2023-45706

An administrative user of WebReports may perform a Cross Site Scripting (XSS) and/or Man in the Middle (MITM) exploit through SAML configuration.

CVSS: 2.0 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2024-03-27
High

CVE-2024-29887

Serverpod is an app and web server, built for the Flutter and Dart ecosystem. This bug bypassed the validation of TSL certificates on all none web HTTP clients in the `serverpod_client` package. Maki…

CVSS: 7.4 CWE: CWE-295 - Improper Certificate Validation View on NVD
High

CVE-2024-28860

Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Users of IPsec transparent encryption in Cilium may be vulnerable to cryptographic attacks that render the t…

CVSS: 8.0 CWE: CWE-326 - Inadequate Encryption Strength View on NVD
2024-03-21
Medium

CVE-2024-28756

The SolarEdge mySolarEdge application before 2.20.1 for Android has a certificate verification issue that allows a Machine-in-the-middle (MitM) attacker to read and alter all network traffic between…

CVSS: 5.9 CWE: CWE-125 - Out-of-bounds Read View on NVD
2024-03-20
Medium

CVE-2023-35888

IBM Security Verify Governance 10.0.2 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security. An attacker could exploit…

CVSS: 5.9 CWE: CWE-311 - Missing Encryption of Sensitive Data View on NVD
2024-03-19
Medium

CVE-2024-2307

A flaw was found in osbuild-composer. A condition can be triggered that disables GPG verification for package repositories, which can expose the build phase to a Man-in-the-Middle attack, allowing un…

CVSS: 6.1 CWE: CWE-347 - Improper Verification of Cryptographic Signature View on NVD
2024-03-13
Medium

CVE-2024-27440

The Toyoko Inn official App for iOS versions prior to 1.13.0 and Toyoko Inn official App for Android versions prior 1.3.14 don't properly verify server certificates, which allows a man-in-the-middle…

CVSS: 4.8 CWE: CWE-295 - Improper Certificate Validation View on NVD
2024-03-12
High

CVE-2024-26288

An unauthenticated remote attacker can influence the communication due to the lack of encryption of sensitive data via a MITM. Charging is not affected.

CVSS: 8.7 CWE: CWE-319 - Cleartext Transmission of Sensitive Information View on NVD
2024-03-03
Medium

CVE-2023-47742

IBM QRadar Suite Products 1.10.12.0 through 1.10.18.0 and IBM Cloud Pak for Security 1.10.0.0 through 1.10.11.0 could disclose sensitive information using man in the middle techniques due to not corr…

CVSS: 5.9 CWE: CWE-295 - Improper Certificate Validation View on NVD
2024-02-29
Medium

CVE-2021-39090

IBM Cloud Pak for Security (CP4S) 1.10.0.0 through 1.10.6.0 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security. An…

CVSS: 5.9 CWE: CWE-311 - Missing Encryption of Sensitive Data View on NVD
2024-02-20
Medium

CVE-2021-29038

Liferay Portal 7.2.0 through 7.3.5, and older unsupported versions, and Liferay DXP 7.3 before fix pack 1, 7.2 before fix pack 17, and older unsupported versions does not obfuscate password reminder…

CVSS: 6.3 CWE: CWE-640 - Weak Password Recovery Mechanism for Forgotten Password View on NVD
Medium

CVE-2024-26270

The Account Settings page in Liferay Portal 7.4.3.76 through 7.4.3.99, and Liferay DXP 2023.Q3 before patch 5, and 7.4 update 76 through 92 embeds the user’s hashed password in the page’s HTML source…

CVSS: 6.5 CWE: CWE-201 - Insertion of Sensitive Information Into Sent Data View on NVD
High

CVE-2023-49250

Because the HttpUtils class did not verify certificates, an attacker that could perform a Man-in-the-Middle (MITM) attack on outgoing https connections could impersonate the server. This issue affec…

CVSS: 7.3 CWE: CWE-295 - Improper Certificate Validation View on NVD
2024-02-15
Critical

CVE-2024-23674

The Online-Ausweis-Funktion eID scheme in the German National Identity card through 2024-02-15 allows authentication bypass by spoofing. A man-in-the-middle attacker can assume a victim's identify fo…

CVSS: 9.6 CWE: CWE-290 - Authentication Bypass by Spoofing View on NVD
Medium

CVE-2023-47537

An improper certificate validation vulnerability in Fortinet FortiOS 7.4.0 through 7.4.1, FortiOS 7.2.0 through 7.2.6, FortiOS 7.0.0 through 7.0.15, FortiOS 6.4 all versions allows a remote and unau…

CVSS: 4.8 CWE: CWE-295 - Improper Certificate Validation View on NVD
2024-02-14
High

CVE-2023-6408

CWE-924: Improper Enforcement of Message Integrity During Transmission in a Communication Channel vulnerability exists that could cause a denial of service and loss of confidentiality, integrity of c…

CVSS: 8.1 CWE: CWE-924 - Improper Enforcement of Message Integrity During Transmission in a Communication Channel View on NVD
2024-02-05
Critical

CVE-2024-0323

The FTP server used on the B&R Automation Runtime supports unsecure encryption mechanisms, such as SSLv3, TLSv1.0 and TLS1.1. An network-based attacker can exploit the flaws to conduct man-in-the-mid…

CVSS: 9.8 CWE: CWE-1240 - Use of a Cryptographic Primitive with a Risky Implementation View on NVD
2024-02-03
High

CVE-2023-31004

IBM Security Access Manager Container (IBM Security Verify Access Appliance 10.0.0.0 through 10.0.6.1 and IBM Security Verify Access Docker 10.0.0.0 through 10.0.6.1) could allow a remote attacker to…

CVSS: 8.3 CWE: CWE-300 - Channel Accessible by Non-Endpoint View on NVD
2024-02-01
High

CVE-2023-47257

ConnectWise ScreenConnect through 23.8.4 allows man-in-the-middle attackers to achieve remote code execution via crafted messages.

CVSS: 8.1 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
2024-01-31
Medium

CVE-2023-50356

SSL connections to some LDAP servers are vulnerable to a man-in-the-middle attack due to improper certificate validation in AREAL Topkapi Vision (Server). This allows a remote unauthenticated attacke…

CVSS: 6.5 CWE: CWE-295 - Improper Certificate Validation View on NVD
2024-01-25
High

CVE-2023-40547

A remote code execution vulnerability was found in Shim. The Shim boot support trusts attacker-controlled values when parsing an HTTP response. This flaw allows an attacker to craft a specific malici…

CVSS: 8.3 CWE: CWE-787 - Out-of-bounds Write View on NVD
Medium

CVE-2023-33760

SpliceCom Maximiser Soft PBX v1.5 and before was discovered to utilize a default SSL certificate. This issue can allow attackers to eavesdrop on communications via a man-in-the-middle attack.

CVSS: 5.3 CWE: CWE-295 - Improper Certificate Validation View on NVD
Medium

CVE-2023-33757

A lack of SSL certificate validation in Splicecom iPCS (iOS App) v1.3.4, iPCS2 (iOS App) v2.8 and before, and iPCS (Android App) v1.8.5 and before allows attackers to eavesdrop on communications via…

CVSS: 5.9 CWE: CWE-295 - Improper Certificate Validation View on NVD
2023-12-20
Medium

CVE-2023-50703

An attacker with network access could perform a man-in-the-middle (MitM) attack and capture sensitive information to gain unauthorized access to the application.

CVSS: 6.3 CWE: CWE-319 - Cleartext Transmission of Sensitive Information View on NVD
2023-12-18
Medium

CVE-2023-35867

An improper handling of a malformed API answer packets to API clients in Bosch BT software products can allow an unauthenticated attacker to cause a Denial of Service (DoS) situation. To exploit this…

CVSS: 5.9 CWE: CWE-703 - Improper Check or Handling of Exceptional Conditions View on NVD
2023-12-14
High

CVE-2023-42801

Moonlight-common-c contains the core GameStream client code shared between Moonlight clients. Moonlight-common-c is vulnerable to buffer overflow starting in commit f57bd745b4cbed577ea654fad4701bea4d…

CVSS: 7.6 CWE: CWE-120 - Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') View on NVD
2023-12-10
Medium

CVE-2023-50454

An issue was discovered in Zammad before 6.2.0. In several subsystems, SSL/TLS was used to establish connections to external services without proper validation of hostname and certificate authority.…

CVSS: 5.9 CWE: CWE-295 - Improper Certificate Validation View on NVD
2023-12-05
High

CVE-2023-45842

Multiple data integrity vulnerabilities exist in the package hash checking functionality of Buildroot 2023.08.1 and Buildroot dev commit 622698d7847. A specially crafted man-in-the-middle attack can…

CVSS: 8.1 CWE: CWE-494 - Download of Code Without Integrity Check View on NVD
High

CVE-2023-45841

Multiple data integrity vulnerabilities exist in the package hash checking functionality of Buildroot 2023.08.1 and Buildroot dev commit 622698d7847. A specially crafted man-in-the-middle attack can…

CVSS: 8.1 CWE: CWE-494 - Download of Code Without Integrity Check View on NVD
High

CVE-2023-45840

Multiple data integrity vulnerabilities exist in the package hash checking functionality of Buildroot 2023.08.1 and Buildroot dev commit 622698d7847. A specially crafted man-in-the-middle attack can…

CVSS: 8.1 CWE: CWE-494 - Download of Code Without Integrity Check View on NVD
High

CVE-2023-45839

Multiple data integrity vulnerabilities exist in the package hash checking functionality of Buildroot 2023.08.1 and Buildroot dev commit 622698d7847. A specially crafted man-in-the-middle attack can…

CVSS: 8.1 CWE: CWE-494 - Download of Code Without Integrity Check View on NVD
High

CVE-2023-45838

Multiple data integrity vulnerabilities exist in the package hash checking functionality of Buildroot 2023.08.1 and Buildroot dev commit 622698d7847. A specially crafted man-in-the-middle attack can…

CVSS: 8.1 CWE: CWE-494 - Download of Code Without Integrity Check View on NVD
High

CVE-2023-43608

A data integrity vulnerability exists in the BR_NO_CHECK_HASH_FOR functionality of Buildroot 2023.08.1 and dev commit 622698d7847. A specially crafted man-in-the-middle attack can lead to arbitrary c…

CVSS: 8.1 CWE: CWE-494 - Download of Code Without Integrity Check View on NVD
Medium

CVE-2023-42579

Improper usage of insecure protocol (i.e. HTTP) in SogouSDK of Chinese Samsung Keyboard prior to versions 5.3.70.1 in Android 11, 5.4.60.49, 5.4.85.5, 5.5.00.58 in Android 12, and 5.6.00.52, 5.6.10.4…

CVSS: 6.5 CWE: CWE-319 - Cleartext Transmission of Sensitive Information View on NVD
2023-12-04
High

CVE-2023-40464

Several versions of ALEOS, including ALEOS 4.16.0, use a hardcoded SSL certificate and private key. An attacker with access to these items could potentially perform a man in the middle attack b…

CVSS: 8.1 CWE: CWE-321 - Use of Hard-coded Cryptographic Key View on NVD
2023-11-28
Medium

CVE-2023-24023

Bluetooth BR/EDR devices with Secure Simple Pairing and Secure Connections pairing in Bluetooth Core Specification 4.2 through 5.4 allow certain man-in-the-middle attacks that force a short key lengt…

CVSS: 6.8 CWE: N/A View on NVD
2023-11-22
High

CVE-2023-43082

Dell Unity prior to 5.3 contains a 'man in the middle' vulnerability in the vmadapter component. If a customer has a certificate signed by a third-party public Certificate Authority, the vCenter CA c…

CVSS: 8.6 CWE: CWE-295 - Improper Certificate Validation View on NVD
High

CVE-2023-3103

Authentication bypass vulnerability, the exploitation of which could allow a local attacker to perform a Man-in-the-Middle (MITM) attack on the robot's camera video stream. In addition, if a MITM att…

CVSS: 8.0 CWE: CWE-290 - Authentication Bypass by Spoofing View on NVD
2023-11-16
High

CVE-2023-48054

Missing SSL certificate validation in localstack v2.3.2 allows attackers to eavesdrop on communications between the host and server via a man-in-the-middle attack.

CVSS: 7.4 CWE: CWE-295 - Improper Certificate Validation View on NVD
High

CVE-2023-48052

Missing SSL certificate validation in HTTPie v3.2.2 allows attackers to eavesdrop on communications between the host and server via a man-in-the-middle attack.

CVSS: 7.4 CWE: CWE-295 - Improper Certificate Validation View on NVD
2023-11-15
Medium

CVE-2023-46121

yt-dlp is a youtube-dl fork with additional features and fixes. The Generic Extractor in yt-dlp is vulnerable to an attacker setting an arbitrary proxy for a request to an arbitrary url, allowing the…

CVSS: 5.0 CWE: CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') View on NVD
2023-11-14
Medium

CVE-2023-46445

An issue in AsyncSSH before 2.14.1 allows attackers to control the extension info message (RFC 8308) via a man-in-the-middle attack, aka a "Rogue Extension Negotiation."

CVSS: 5.9 CWE: CWE-345 - Insufficient Verification of Data Authenticity View on NVD
2023-10-31
High

CVE-2016-1203

Improper file verification vulnerability in SaAT Netizen installer ver.1.2.0.424 and earlier, and SaAT Netizen ver.1.2.0.8 (Build427) and earlier allows a remote unauthenticated attacker to conduct a…

CVSS: 8.1 CWE: N/A View on NVD
Medium

CVE-2015-2968

LINE@ for Android version 1.0.0 and LINE@ for iOS version 1.0.0 are vulnerable to MITM (man-in-the-middle) attack since the application allows non-SSL/TLS communications. As a result, any API may be…

CVSS: 5.9 CWE: CWE-924 - Improper Enforcement of Message Integrity During Transmission in a Communication Channel View on NVD
Medium

CVE-2015-0897

LINE for Android version 5.0.2 and earlier and LINE for iOS version 5.0.0 and earlier are vulnerable to MITM (man-in-the-middle) attack since the application allows non-SSL/TLS communications. As a r…

CVSS: 5.9 CWE: CWE-924 - Improper Enforcement of Message Integrity During Transmission in a Communication Channel View on NVD
2023-10-19
High

CVE-2022-24400

A flaw in the TETRA authentication procecure allows a MITM adversary that can predict the MS challenge RAND2 to set session key DCK to zero.

CVSS: 7.5 CWE: CWE-807 - Reliance on Untrusted Inputs in a Security Decision View on NVD
2023-10-17
Medium

CVE-2022-3761

OpenVPN Connect versions before 3.4.0.4506 (macOS) and OpenVPN Connect before 3.4.0.3100 (Windows) allows man-in-the-middle attackers to intercept configuration profile download requests which contai…

CVSS: 5.9 CWE: CWE-295 - Improper Certificate Validation View on NVD
Medium

CVE-2022-22386

IBM Security Verify Privilege On-Premises 11.5 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security. An attacker coul…

CVSS: 5.3 CWE: CWE-311 - Missing Encryption of Sensitive Data View on NVD
Medium

CVE-2022-22377

IBM Security Verify Privilege On-Premises 11.5 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security. An attacker coul…

CVSS: 5.3 CWE: CWE-311 - Missing Encryption of Sensitive Data View on NVD
2023-10-14
Medium

CVE-2022-33161

IBM Security Directory Server 6.4.0 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security. An attacker could exploit t…

CVSS: 5.3 CWE: CWE-311 - Missing Encryption of Sensitive Data View on NVD
2023-10-12
High

CVE-2023-32634

An authentication bypass vulnerability exists in the CiRpcServerThread() functionality of SoftEther VPN 5.01.9674 and 4.41-9782-beta. An attacker can perform a local man-in-the-middle attack to trigg…

CVSS: 7.8 CWE: CWE-300 - Channel Accessible by Non-Endpoint View on NVD
Medium

CVE-2023-31192

An information disclosure vulnerability exists in the ClientConnect() functionality of SoftEther VPN 5.01.9674. A specially crafted network packet can lead to a disclosure of sensitive information. A…

CVSS: 5.3 CWE: CWE-457 - Use of Uninitialized Variable View on NVD
Critical

CVE-2023-27395

A heap-based buffer overflow vulnerability exists in the vpnserver WpcParsePacket() functionality of SoftEther VPN 4.41-9782-beta, 5.01.9674 and 5.02. A specially crafted network packet can lead to a…

CVSS: 9.0 CWE: CWE-122 - Heap-based Buffer Overflow View on NVD
Medium

CVE-2023-22325

A denial of service vulnerability exists in the DCRegister DDNS_RPC_MAX_RECV_SIZE functionality of SoftEther VPN 4.41-9782-beta, 5.01.9674 and 5.02. A specially crafted network packet can lead to den…

CVSS: 5.9 CWE: CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop') View on NVD
2023-10-04
High

CVE-2023-4586

A vulnerability was found in the Hot Rod client. This security issue occurs as the Hot Rod client does not enable hostname validation when using TLS, possibly resulting in a man-in-the-middle (MITM)…

CVSS: 7.4 CWE: CWE-20 - Improper Input Validation View on NVD
Medium

CVE-2023-37404

IBM Observability with Instana 1.0.243 through 1.0.254 could allow an attacker on the network to execute arbitrary code on the host after a successful DNS poisoning attack. IBM X-Force ID: 259789.

CVSS: 6.4 CWE: N/A View on NVD
2023-10-03
Medium

CVE-2023-4885

Man in the Middle vulnerability, which could allow an attacker to intercept VNF (Virtual Network Function) communications resulting in the exposure of sensitive information.

CVSS: 6.5 CWE: CWE-300 - Channel Accessible by Non-Endpoint View on NVD
2023-09-21
Medium

CVE-2023-39252

Dell SCG Policy Manager 5.16.00.14 contains a broken cryptographic algorithm vulnerability. A remote unauthenticated attacker may potentially exploit this vulnerability by performing MitM attacks an…

CVSS: 5.9 CWE: CWE-327 - Use of a Broken or Risky Cryptographic Algorithm View on NVD
2023-09-19
High

CVE-2023-38356

MiniTool Power Data Recovery 11.6 contains an insecure installation process that allows attackers to achieve remote code execution through a man in the middle attack.

CVSS: 8.1 CWE: CWE-295 - Improper Certificate Validation View on NVD
High

CVE-2023-38355

MiniTool Movie Maker 7.0 contains an insecure installation process that allows attackers to achieve remote code execution through a man in the middle attack.

CVSS: 8.1 CWE: CWE-295 - Improper Certificate Validation View on NVD
High

CVE-2023-38354

MiniTool Shadow Maker version 4.1 contains an insecure installation process that allows attackers to achieve remote code execution through a man in the middle attack.

CVSS: 8.1 CWE: CWE-295 - Improper Certificate Validation View on NVD
Medium

CVE-2023-38353

MiniTool Power Data Recovery version 11.6 and before contains an insecure in-app payment system that allows attackers to steal highly sensitive information through a man in the middle attack.

CVSS: 5.9 CWE: CWE-295 - Improper Certificate Validation View on NVD
High

CVE-2023-38352

MiniTool Partition Wizard 12.8 contains an insecure update mechanism that allows attackers to achieve remote code execution through a man in the middle attack.

CVSS: 8.1 CWE: CWE-295 - Improper Certificate Validation View on NVD
High

CVE-2023-38351

MiniTool Partition Wizard 12.8 contains an insecure installation mechanism that allows attackers to achieve remote code execution through a man in the middle attack.

CVSS: 8.1 CWE: CWE-295 - Improper Certificate Validation View on NVD
2023-09-13
High

CVE-2023-4801

An improper certification validation vulnerability in the Insider Threat Management (ITM) Agent for MacOS could be used by an anonymous actor on an adjacent network to establish a man-in-the-middle p…

CVSS: 7.5 CWE: CWE-295 - Improper Certificate Validation View on NVD
2023-09-08
Medium

CVE-2022-22405

IBM Aspera Faspex 5.0.5 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security. An attacker could exploit this vulnerab…

CVSS: 5.9 CWE: CWE-311 - Missing Encryption of Sensitive Data View on NVD
2023-09-05
Medium

CVE-2023-22870

IBM Aspera Faspex 5.0.5 transmits sensitive information in cleartext which could be obtained by an attacker using man in the middle techniques. IBM X-Force ID: 244121.

CVSS: 5.9 CWE: CWE-319 - Cleartext Transmission of Sensitive Information View on NVD
2023-09-02
High

CVE-2023-39982

A vulnerability has been identified in MXsecurity versions prior to v1.0.1. The vulnerability may put the confidentiality and integrity of SSH communications at risk on the affected device. This vuln…

CVSS: 7.5 CWE: CWE-321 - Use of Hard-coded Cryptographic Key View on NVD
2023-09-01
Medium

CVE-2022-22305

An improper certificate validation vulnerability [CWE-295] in FortiManager 7.0.1 and below, 6.4.6 and below; FortiAnalyzer 7.0.2 and below, 6.4.7 and below; FortiOS 6.2.x and 6.0.x; FortiSandbox 4.0.…

CVSS: 5.4 CWE: CWE-297 - Improper Validation of Certificate with Host Mismatch View on NVD
2023-08-31
Low

CVE-2023-41045

Graylog is a free and open log management platform. Graylog makes use of only one single source port for DNS queries. Graylog binds a single socket for outgoing DNS queries and while that socket is b…

CVSS: 3.7 CWE: CWE-345 - Insufficient Verification of Data Authenticity View on NVD
2023-08-28
High

CVE-2023-34758

Sliver from v1.5.x to v1.5.39 has an improper cryptographic implementation, which allows attackers to execute a man-in-the-middle attack via intercepted and crafted responses.

CVSS: 8.1 CWE: CWE-327 - Use of a Broken or Risky Cryptographic Algorithm View on NVD
2023-08-24
Critical

CVE-2023-4420

A remote unprivileged attacker can intercept the communication via e.g. Man-In-The-Middle, due to the absence of Transport Layer Security (TLS) in the SICK LMS5xx. This lack of encryption in the comm…

CVSS: 9.8 CWE: CWE-311 - Missing Encryption of Sensitive Data View on NVD
2023-08-23
Medium

CVE-2023-39441

Apache Airflow SMTP Provider before 1.3.0, Apache Airflow IMAP Provider before 3.3.0, and Apache Airflow before 2.7.0 are affected by the Validation of OpenSSL Certificate vulnerability. The default…

CVSS: 5.9 CWE: CWE-295 - Improper Certificate Validation View on NVD
2023-08-22
High

CVE-2021-35309

An issue discovered in Samsung SyncThru Web Service SPL 5.93 06-09-2014 allows attackers to gain escalated privileges via MITM attacks.

CVSS: 7.5 CWE: CWE-269 - Improper Privilege Management View on NVD
2023-08-17
Medium

CVE-2023-40251

Missing Encryption of Sensitive Data vulnerability in Genians Genian NAC V4.0, Genians Genian NAC V5.0, Genians Genian NAC Suite V5.0, Genians Genian ZTNA allows Man in the Middle Attack.This issue a…

CVSS: 5.2 CWE: CWE-311 - Missing Encryption of Sensitive Data View on NVD
2023-08-10
Medium

CVE-2023-39953

user_oidc provides the OIDC connect user backend for Nextcloud, an open-source cloud platform. Starting in version 1.0.0 and prior to version 1.3.3, missing verification of the issuer would have allo…

CVSS: 4.8 CWE: CWE-303 - Incorrect Implementation of Authentication Algorithm View on NVD
2023-08-04
Critical

CVE-2023-38686

Sydent is an identity server for the Matrix communications protocol. Prior to version 2.5.6, if configured to send emails using TLS, Sydent does not verify SMTP servers' certificates. This makes Syd…

CVSS: 9.3 CWE: CWE-295 - Improper Certificate Validation View on NVD
2023-08-03
Low

CVE-2023-26979

Bluetens Electrostimulation Device BluetensQ device app version 4.3.15 is vulnerable to Man-in-the-middle attacks in the BLE channel. It allows attackers to decrease or increase the intensity of the…

CVSS: 3.1 CWE: CWE-924 - Improper Enforcement of Message Integrity During Transmission in a Communication Channel View on NVD
2023-07-29
Low

CVE-2022-4923

Inappropriate implementation in Omnibox in Google Chrome prior to 99.0.4844.51 allowed an attacker in a privileged network position to perform a man-in-the-middle attack via malicious network traffic…

CVSS: 3.1 CWE: N/A View on NVD
2023-07-20
Medium

CVE-2023-3347

A vulnerability was found in Samba's SMB2 packet signing mechanism. The SMB2 packet signing is not enforced if an admin configured "server signing = required" or for SMB2 connections to Domain Contro…

CVSS: 5.9 CWE: CWE-347 - Improper Verification of Cryptographic Signature View on NVD
2023-07-19
Medium

CVE-2023-3782

DoS of the OkHttp client when using a BrotliInterceptor and surfing to a malicious web server, or when an attacker can perform MitM to inject a Brotli zip-bomb into an HTTP response

CVSS: 5.9 CWE: CWE-400 - Uncontrolled Resource Consumption View on NVD
2023-07-18
Medium

CVE-2023-34143

Improper Validation of Certificate with Host Mismatch vulnerability in Hitachi Device Manager on Windows, Linux (Device Manager Server, Device Manager Agent, Host Data Collector components) allows Ma…

CVSS: 5.6 CWE: CWE-297 - Improper Validation of Certificate with Host Mismatch View on NVD
2023-07-17
Medium

CVE-2023-3581

Mattermost fails to properly validate the origin of a websocket connection allowing a MITM attacker on Mattermost to access the websocket APIs.

CVSS: 6.2 CWE: CWE-346 - Origin Validation Error View on NVD
2023-07-12
Low

CVE-2023-37948

Jenkins Oracle Cloud Infrastructure Compute Plugin 1.0.16 and earlier does not validate SSH host keys when connecting OCI clouds, enabling man-in-the-middle attacks.

CVSS: 3.7 CWE: CWE-20 - Improper Input Validation View on NVD