CVE-2023-36749
A vulnerability has been identified in RUGGEDCOM ROX MX5000 (All versions < V2.16.0), RUGGEDCOM ROX MX5000RE (All versions < V2.16.0), RUGGEDCOM ROX RX1400 (All versions < V2.16.0), RUGGEDCOM ROX RX1…
All CVEs associated with "Mitm". Page 5/32 • 3809 CVEs.
A curated feed of “Mitm”-related CVEs appears below. We currently track 3809 CVEs for this tag (all time). In the last 365 days, 218 were published. Average CVSS is 6.1 (all time; 6.6 over 365d), and 25% are rated High/Critical (all time). Top CWEs (last 365 days): CWE-295 - Improper Certificate Validation, CWE-319 - Cleartext Transmission of Sensitive Information, CWE-297 - Improper Validation of Certificate with Host Mismatch.
In our taxonomy this topic maps to a MODERATE impact class. Common exploitation patterns for this weakness can lead to moderate. Each detail page highlights vendor advisories and mitigation tips.
CVEs tagged with this topic.
A vulnerability has been identified in RUGGEDCOM ROX MX5000 (All versions < V2.16.0), RUGGEDCOM ROX MX5000RE (All versions < V2.16.0), RUGGEDCOM ROX RX1400 (All versions < V2.16.0), RUGGEDCOM ROX RX1…
A vulnerability has been identified in RUGGEDCOM ROX MX5000 (All versions < V2.16.0), RUGGEDCOM ROX MX5000RE (All versions < V2.16.0), RUGGEDCOM ROX RX1400 (All versions < V2.16.0), RUGGEDCOM ROX RX1…
DroneScout ds230 Remote ID receiver from BlueMark Innovations is affected by an Improper Authentication vulnerability during the firmware update procedure. Specifically, the firmware update procedur…
A misconfiguration vulnerability exists in the urvpn_client functionality of Milesight UR32L v32.3.0.5. A specially-crafted man-in-the-middle attack can lead to increased privileges. An attacker can…
A CWE-552 "Files or Directories Accessible to External Parties" in the web interface of the Tyan S5552 BMC version 3.00 allows an unauthenticated remote attacker to retrieve the private key of the TL…
Gradle is a build tool with a focus on build automation and support for multi-language development. In affected versions when unpacking Tar archives, Gradle did not check that files could be written…
Dell VxRail, versions prior to 7.0.450, contain an improper certificate validation vulnerability. A high privileged remote attacker may potentially exploit this vulnerability to carry out a man-in-th…
A remote unprivileged attacker can intercept the communication via e.g. Man-In-The-Middle, due to the absence of Transport Layer Security (TLS) in the SICK EventCam App. This lack of encryption in th…
An issue was discovered on NOKIA Airscale ASIKA Single RAN devices before 21B. Nokia Single RAN commissioning procedures do not change (factory-time installed) default SSH public/private key values t…
An information disclosure vulnerability in the faye endpoint in Proofpoint Threat Response / Threat Response Auto-Pull (PTR/TRAP) could be used by an attacker on an adjacent network to obtain credent…
GL.iNET GL-AR750S-Ext firmware v3.215 uses an insecure protocol in its communications which allows attackers to eavesdrop via a man-in-the-middle attack.
OS command injection vulnerability exists in WPS Office version 10.8.0.6186. If a remote attacker who can conduct a man-in-the-middle attack connects the product to a malicious server and sends a spe…
ASUS Router RT-AX3000 Firmware versions prior to 3.0.0.4.388.23403 uses sensitive cookies without 'Secure' attribute. When an attacker is in a position to be able to mount a man-in-the-middle attack,…
Jiyu Kukan Toku-Toku coupon App for iOS versions 3.5.0 and earlier, and Jiyu Kukan Toku-Toku coupon App for Android versions 3.5.0 and earlier are vulnerable to improper server certificate verificati…
An improper certificate validation vulnerability [CWE-295] in FortiOS 6.2 all versions, 6.4 all versions, 7.0.0 through 7.0.10, 7.2.0 and FortiProxy 1.2 all versions, 2.0 all versions, 7.0.0 through…
IBM TXSeries for Multiplatforms 8.1, 8.2, 9.1, CICS TX Standard, 11.1, CICS TX Advanced 10.1, and 11.1 could transmit sensitive information in query parameters that could be intercepted using man in…
IBM Maximo Application Suite - Manage Component 8.8.0 and 8.9.0 transmits sensitive information in cleartext that could be intercepted by an attacker using man in the middle techniques. IBM X-Force…
An issue was discovered in Faronics Insight 10.0.19045 on Windows. A suitably positioned attacker could perform a man-in-the-middle attack on either a connected student or teacher, enabling them to i…
The Introduction Client in Briar through 1.5.3 does not implement out-of-band verification for the public keys of introducees. An introducer can launch man-in-the-middle attacks against later private…
Jenkins SAML Single Sign On (SSO) Plugin 2.1.0 and earlier unconditionally disables SSL/TLS certificate validation for connections to miniOrange or the configured IdP to retrieve SAML metadata, which…
Jenkins SAML Single Sign On (SSO) Plugin 2.0.2 and earlier does not perform hostname validation when connecting to miniOrange or the configured IdP to retrieve SAML metadata, which could be abused usi…
Improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability in DHCP Client Functionality in Synology Router Manager (SRM) before 1.2.5-8227-6 and 1.3.1-93…
An Improper Certificate Validation vulnerability in the Schweitzer Engineering Laboratories Real-Time Automation Controller (SEL RTAC) Web Interface could allow a remote unauthenticated attacker t…
A Channel Accessible by Non-Endpoint vulnerability in the Schweitzer Engineering Laboratories SEL Real-Time Automation Controller (RTAC) could allow a remote attacker to perform a man-in-the-middle (…
PostgresNIO is a Swift client for PostgreSQL. Any user of PostgresNIO prior to version 1.14.2 connecting to servers with TLS enabled is vulnerable to a man-in-the-middle attacker injecting false resp…
Insecure permissions in the settings page of GARO Wallbox GLB/GTB/GTC before v189 allows attackers to redirect users to a crafted update package link via a man-in-the-middle attack.
A use of a weak cryptographic algorithm vulnerability [CWE-327] in FortiNAC 9.4.1 and below, 9.2.6 and below, 9.1.0 all versions, 8.8.0 all versions, 8.7.0 all versions may increase the chances of an…
IBM WebSphere Application Server 7.0, 8.0, 8.5, 9.0, and IBM WebSphere Application Server Liberty, when configured to communicate with the Web Server Plug-ins for IBM WebSphere Application Server, co…
Nanoleaf firmware v7.1.1 and below is missing TLS verification, allowing attackers to execute arbitrary code via a DNS hijacking attack.
An improper certificate validation vulnerability [CWE-295] in FortiAnalyzer and FortiManager 7.2.0 through 7.2.1, 7.0.0 through 7.0.5, 6.4.8 through 6.4.10 may allow a remote and unauthenticated atta…
A vulnerability has been identified in SCALANCE X200-4P IRT (All versions < V5.5.2), SCALANCE X201-3P IRT (All versions < V5.5.2), SCALANCE X201-3P IRT PRO (All versions < V5.5.2), SCALANCE X202-2IRT…
A vulnerability has been identified in SIMATIC IPC1047 (All versions), SIMATIC IPC1047E (All versions with maxView Storage Manager < 4.09.00.25611 on Windows), SIMATIC IPC647D (All versions), SIMATIC…
A man in the middle can redirect traffic to a malicious server in a compromised configuration.
SanDisk PrivateAccess versions prior to 6.4.9 support insecure TLS 1.0 and TLS 1.1 protocols which are susceptible to man-in-the-middle attacks thereby compromising confidentiality and integrity of d…
A vulnerability in the IPv6 DHCP (DHCPv6) client module of Cisco Adaptive Security Appliance (ASA) Software, Cisco Firepower Threat Defense (FTD) Software, Cisco IOS Software, and Cisco IOS XE Softwa…
A cleartext transmission vulnerability exists in the Remote Management functionality of Netgear Orbi Router RBR750 4.6.8.5. A specially-crafted man-in-the-middle attack can lead to a disclosure of se…
Dell EMC Unisphere for PowerMax versions before 9.1.0.27, Dell EMC Unisphere for PowerMax Virtual Appliance versions before 9.1.0.27, and PowerMax OS Release 5978 contain an improper certificate vali…
The armv8_dec_aes_gcm_full() API of Arm AArch64cryptolib before 86065c6 fails to verify the authentication tag of AES-GCM protected data, leading to a man-in-the-middle attack. This occurs becaus…
Improper Certificate Validation vulnerability in Hitachi Infrastructure Analytics Advisor on Linux (Analytics probe component), Hitachi Ops Center Analyzer on Linux (Analyzer probe component) allows…
Dell Secure Connect Gateway (SCG) version 5.14.00.12 contains a broken cryptographic algorithm vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability by perform…
An improper certificate validation vulnerability [CWE-295] in FortiOS 7.2.0 through 7.2.3, 7.0.0 through 7.0.7, 6.4 all versions, 6.2 all versions, 6.0 all versions and FortiProxy 7.0.0 through 7.0.6…
It was discovered that the sls-logging was not verifying hostnames in TLS certificates due to a misuse of the javax.net.ssl.SSLSocketFactory API. A malicious attacker in a privileged network position…
It was discovered that the Magritte-ftp was not verifying hostnames in TLS certificates due to a misuse of the javax.net.ssl.SSLSocketFactory API. A malicious attacker in a privileged network positio…
Improper Validation of Certificate with Host Mismatch vulnerability in Gotham Chat IRC helper of Palantir Gotham allows A malicious attacker in a privileged network position could abuse this to perfo…
It was discovered that the sls-logging was not verifying hostnames in TLS certificates due to a misuse of the javax.net.ssl.SSLSocketFactory API. A malicious attacker in a privileged network position…
Dell EMC Unity versions before 5.2.0.0.5.173 use a broken cryptographic algorithm. A remote unauthenticated attacker could potentially exploit this vulnerability by performing MitM attacks and le…
Onekey Touch devices through 4.0.0 and Onekey Mini devices through 2.10.0 allow man-in-the-middle attackers to obtain the seed phase. The man-in-the-middle access can only be obtained after disassemb…
Ichiran App for iOS versions prior to 3.1.0 and Ichiran App for Android versions prior to 3.1.0 improperly verify server certificates, which may allow a remote unauthenticated attacker to eavesdrop o…
The use of the cyclic redundancy check (CRC) algorithm for integrity check during firmware update makes TRENDnet TV-IP651WI Network Camera firmware version v1.07.01 and earlier vulnerable to firmware…
The use of the cyclic redundancy check (CRC) algorithm for integrity check during firmware update makes Ubiquiti airFiber AF2X Radio firmware version 3.2.2 and earlier vulnerable to firmware modifica…
An exploitable firmware modification vulnerability was discovered in certain Netgear products. The data integrity of the uploaded firmware image is ensured with a fixed checksum number. Therefore, an…
libgit2 is a cross-platform, linkable library implementation of Git. When using an SSH remote with the optional libssh2 backend, libgit2 does not perform certificate checking by default. Prior versio…
Use of password hash instead of password for authentication vulnerability in CONPROSYS HMI System (CHS) Ver.3.4.5 and earlier allows a remote authenticated attacker to obtain user credentials informa…
tpm2-tss is an open source software implementation of the Trusted Computing Group (TCG) Trusted Platform Module (TPM) 2 Software Stack (TSS2). In versions prior to 4.1.0-rc0, 4.0.1, and 3.2.2-rc1, `T…
IBM Spectrum Virtualize 8.5, 8.4, 8.3, 8.2, and 7.8, under certain configurations, could disclose sensitive information to an attacker using man-in-the-middle techniques. IBM X-Force ID: 235408.
Cloud Mobility for Dell EMC Storage, versions 1.3.0.X and below contains an Improper Check for Certificate Revocation vulnerability. A threat actor does not need any specific privileges to potentiall…
IBM Robotic Process Automation 20.12.0 through 21.0.2 defaults to HTTP in some RPA commands when the prefix is not explicitly specified in the URL. This could allow an attacker to obtain sensitive i…
Cargo is a Rust package manager. The Rust Security Response WG was notified that Cargo did not perform SSH host key verification when cloning indexes and dependencies via SSH. An attacker could explo…
An image signature validation bypass vulnerability in Kyverno 1.8.3 and 1.8.4 allows a malicious image registry (or a man-in-the-middle attacker) to inject unsigned arbitrary container images into a…
IBM Security Verify Governance, Identity Manager 10.0.1 software component could allow an authenticated user to modify or cancel any other user's access request using man-in-the-middle techniques. IB…
Insights for Vulnerability Remediation (IVR) is vulnerable to man-in-the-middle attacks that may lead to information disclosure. This requires privileged network access.
An exploitable firmware modification vulnerability was discovered on TP-Link TL-WR743ND V1. An attacker can conduct a MITM (Man-in-the-Middle) attack to modify the user-uploaded firmware image and by…
An exploitable firmware modification vulnerability was discovered on the Netgear XWN5001 Powerline 500 WiFi Access Point. An attacker can conduct a MITM (Man-in-the-Middle) attack to modify the user-…
An exploitable firmware modification vulnerability was discovered on the Netgear WNR2000v1 router. An attacker can conduct a MITM (Man-in-the-Middle) attack to modify the user-uploaded firmware image…
The Apache Bookkeeper Java Client (before 4.14.6 and also 4.15.0) does not close the connection to the bookkeeper server when TLS hostname verification fails. This leaves the bookkeeper client vulner…
Bluetooth® Pairing in Bluetooth Core Specification v1.0B through v5.3 may permit an unauthenticated MITM to acquire credentials with two pairing devices via adjacent access when at least one device s…
Bluetooth® Low Energy Pairing in Bluetooth Core Specification v4.0 through v5.3 may permit an unauthenticated MITM to acquire credentials with two pairing devices via adjacent access when the MITM ne…
Openshift 4.9 does not use HTTP Strict Transport Security (HSTS) which may allow man-in-the-middle (MITM) attacks.
OpenHarmony-v3.1.4 and prior versions had a vulnerability. PIN code is transmitted to the peer device in plain text during cross-device authentication, which reduces the difficulty of man-in-the-mid…
Telepad allows an attacker (in a man-in-the-middle position between the server and a connected device) to see all data (including keypresses) in cleartext. CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Lazy Mouse allows an attacker (in a man in the middle position between the server and a connected device) to see all data (including keypresses) in cleartext. CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N…
PC Keyboard WiFi & Bluetooth allows an attacker (in a man-in-the-middle position between the server and a connected device) to see all data (including keypresses) in cleartext. CVSS:3.1/AV:L/AC:H/PR:…
Nextcloud also ships a CLI utility called nextcloudcmd which is sometimes used for automated scripting and headless servers. Versions of nextcloudcmd prior to 3.6.1 would incorrectly trust invalid TL…
The Test LDAP Users functionality in Liferay Portal 7.0.0 through 7.4.3.4, and Liferay DXP 7.0 fix pack 102 and earlier, 7.1 before fix pack 27, 7.2 before fix pack 17, 7.3 before update 4, and DXP 7…
The Apache Pulsar C++ Client does not verify peer TLS certificates when making HTTPS calls for the OAuth2.0 Client Credential Flow, even when tlsAllowInsecureConnection is disabled via configuration.…
IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 Web services could allow a man-in-the-middle attacker to conduct SOAPAction spoofing to execute unwanted or unauthorized operations. IBM X-For…
A key management error vulnerability [CWE-320] affecting the RSA SSH host key in FortiOS 7.2.0 and below, 7.0.6 and below, 6.4.9 and below may allow an unauthenticated attacker to perform a man in th…
An information disclosure vulnerability exists in the XFINDER functionality of Abode Systems, Inc. iota All-In-One Security Kit 6.9X and 6.9Z. A specially-crafted man-in-the-middle attack can lead to…
Use of hard-coded TLS certificate by default allows an attacker to perform Man-in-the-Middle (MitM) attacks even in the presence of the HTTPS connection. This issue affects: Lanner Inc IAC-AST2500A s…
The web app client of TP-Link AX10v1 V1_211117 uses hard-coded cryptographic keys when communicating with the router. Attackers who are able to intercept the communications between the web client and…
Due to the Improper Handling of an Unexpected Data Type in the processing of EVPN routes on Juniper Networks Junos OS and Junos OS Evolved, an attacker in direct control of a BGP client connected to…
IBM Robotic Process Automation 21.0.0, 21.0.1, and 21.0.2 is vulnerable to man in the middle attacks through manipulation of the client proxy configuration. IBM X-Force ID: 233575.
Information Disclosure in Operator Client application in BVMS 10.1.1, 11.0 and 11.1.0 and VIDEOJET Decoder VJD-7513 versions 10.23 and 10.30 allows man-in-the-middle attacker to compromise confidenti…
nheko is a desktop client for the Matrix communication application. All versions below 0.10.2 are vulnerable to homeservers inserting malicious secrets, which could lead to man-in-the-middle attacks. Us…
Dell OS10, version 10.5.3.4, contains an Improper Certificate Validation vulnerability in Support Assist. A remote unauthenticated attacker could potentially exploit this vulnerability, leading to un…
Velneo vClient on its 28.1.3 version, does not correctly check the certificate of authenticity by default. This could allow an attacker that has access to the network to perform a MITM attack in orde…
Apache Pulsar Brokers and Proxies create an internal Pulsar Admin Client that does not verify peer TLS certificates, even when tlsAllowInsecureConnection is disabled via configuration. The Pulsar Adm…
TLS hostname verification cannot be enabled in the Pulsar Broker's Java Client, the Pulsar Broker's Java Admin Client, the Pulsar WebSocket Proxy's Java Client, and the Pulsar Proxy's Admin Client le…
Delayed TLS hostname verification in the Pulsar Java Client and the Pulsar Proxy make each client vulnerable to a man in the middle attack. Connections from the Pulsar Java Client to the Pulsar Broke…
Jenkins View26 Test-Reporting Plugin 1.0.7 and earlier does not perform hostname validation when connecting to the configured View26 server that could be abused using a man-in-the-middle attack to in…
Jenkins SmallTest Plugin 1.0.4 and earlier does not perform hostname validation when connecting to the configured View26 server that could be abused using a man-in-the-middle attack to intercept thes…
An exploitable firmware downgrade vulnerability was discovered on the Netgear WPN824EXT WiFi Range Extender. An attacker can conduct a MITM attack to replace the user-uploaded firmware image with an…
An exploitable firmware modification vulnerability was discovered on the Netgear WPN824EXT WiFi Range Extender. An attacker can conduct a MITM attack to modify the user-uploaded firmware image and by…
Tesla Model 3 V11.0(2022.4.5.1 6b701552d7a6) Tesla mobile app v4.23 is vulnerable to Authentication Bypass by spoofing. Tesla Model 3's Phone Key authentication is vulnerable to Man-in-the-middle att…
EspoCRM version 7.1.8 is vulnerable to Missing Secure Flag allowing the browser to send plain text cookies over an insecure channel (HTTP). An attacker may capture the cookie from the insecure channe…
FreshService macOS Agent < 4.4.0 and FreshService Linux Agent < 3.4.0 are vulnerable to TLS Man-in-The-Middle via the FreshAgent client and scheduled update service.
The Baxter Spectrum WBM does not perform mutual authentication with the gateway server host. This may allow an attacker to perform a man in the middle attack that modifies parameters making the netwo…
NodeBB Forum Software is powered by Node.js and supports either Redis, MongoDB, or a PostgreSQL database. Due to an unnecessarily strict conditional in the code handling the first step of the SSO pro…
wolfSSL through 5.0.0 allows an attacker to cause a denial of service and infinite loop in the client component by sending crafted traffic from a Machine-in-the-Middle (MITM) position. The root cause…
A flaw was found in the python-scciclient when making an HTTPS connection to a server where the server's certificate would not be verified. This issue opens up the connection to possible Man-in-the-m…
An issue was discovered in wolfSSL before 5.5.0 (when --enable-session-ticket is used); however, only version 5.3.0 is exploitable. Man-in-the-middle attackers or a malicious server can crash TLS 1.2…
Odyssey passes to client unencrypted bytes from man-in-the-middle. When Odyssey storage is configured to use the PostgreSQL server using 'trust' authentication with a 'clientcert' requirement or to us…
Odyssey passes to server unencrypted bytes from man-in-the-middle. When Odyssey is configured to use certificate Common Name for client authentication, a man-in-the-middle attacker can inject arbitrar…
Mealie 1.0.0beta3 does not terminate download tokens after a user logs out, allowing attackers to perform a man-in-the-middle attack via a crafted GET request.
'Hulu / フールー' App for iOS versions prior to 3.0.81 improperly verifies server certificates, which may allow an attacker to eavesdrop on an encrypted communication via a man-in-the-middle attack.
dproxy-nexgen (aka dproxy nexgen) uses a static UDP source port (selected randomly only at boot time) in upstream queries sent to DNS resolvers. This allows DNS cache poisoning because there is not e…
dproxy-nexgen (aka dproxy nexgen) re-uses the DNS transaction id (TXID) value from client queries, which allows attackers (able to send queries to the resolver) to conduct DNS cache-poisoning attacks…
totd 1.5.3 uses a fixed UDP source port in upstream queries sent to DNS resolvers. This allows DNS cache poisoning because there is not enough entropy to prevent traffic injection attacks.
In ConnMan through 1.41, a man-in-the-middle attack against a WISPR HTTP query could be used to trigger a use-after-free in WISPR handling, leading to crashes or code execution.
Cleartext transmission of sensitive information vulnerability in authentication management in Synology Note Station Client before 2.2.2-609 allows man-in-the-middle attackers to obtain sensitive info…
An issue was discovered in rsync before 3.2.5 that allows malicious remote servers to write arbitrary files inside the directories of connecting peers. The server chooses which files/directories are…
When connecting to Amazon Workspaces, the SHA256 presented by AWS connection provisioner is not fully verified by Zero Clients. The issue could be exploited by an adversary that places a MITM (Man in…
Jenkins Git client Plugin 3.11.0 and earlier does not perform SSH host key verification when connecting to Git repositories via SSH, enabling man-in-the-middle attacks.
The server in Citilog 8.0 allows an attacker (in a man in the middle position between the server and its smart camera Axis M1125) to see FTP credentials in a cleartext HTTP traffic. These can be used…
An authentication downgrade in the server in Citilog 8.0 allows an attacker (in a man in the middle position between the server and its smart camera Axis M1125) to achieve HTTP access to the camera.
A vulnerability in the SSL/TLS implementation of Cisco Nexus Dashboard could allow an unauthenticated, remote attacker to alter communications with associated controllers or view sensitive informatio…
An improper validation of certificate with host mismatch in Fortinet FortiTokenAndroid version 5.0.3 and below, Fortinet FortiTokeniOS version 5.2.0 and below, Fortinet FortiTokenWinApp version 4.0.3…
`Undici.ProxyAgent` never verifies the remote server's certificate, and always exposes all request & response data to the proxy. This unexpectedly means that proxies can MitM all HTTPS traffic, and i…
When curl < 7.84.0 does FTP transfers secured by krb5, it handles message verification failures wrongly. This flaw makes it possible for a Man-In-The-Middle attack to go unnoticed and even allows it…
PingID Windows Login prior to 2.8 uses known vulnerable components that can lead to remote code execution. An attacker capable of achieving a sophisticated man-in-the-middle position, or to compromis…