CVE Daily
← All tags

Tag: Mitm

All CVEs associated with "Mitm". Page 6/32 • 3809 CVEs.

Subscribe CVEs: RSS for “Mitm”  ·  RSS (High+Critical only)

About “Mitm”

A curated feed of “Mitm”-related CVEs appears below. We currently track 3809 CVEs for this tag (all time). In the last 365 days, 218 were published. Average CVSS is 6.1 (all time; 6.6 over 365d), and 25% are rated High/Critical (all time). Top CWEs (last 365 days): CWE-295 - Improper Certificate Validation, CWE-319 - Cleartext Transmission of Sensitive Information, CWE-297 - Improper Validation of Certificate with Host Mismatch.

In our taxonomy this topic maps to a MODERATE impact class. Common exploitation patterns for this weakness can lead to moderate. Use the filters to triage high risk first and validate exposure in your environment. Use the filters below to sort by CVSS, risk and CWE. Each detail page highlights vendor advisories and mitigation tips.

CVEs tagged with this topic. Filters apply to the whole list (loaded from JSON).

CVSS ≥ 0.0
2022-06-28
High

CVE-2022-30563

When an attacker uses a man-in-the-middle attack to sniff the request packets with success logging in through ONVIF, he can log in to the device by replaying the user's login packet.

CVSS: 7.4 CWE: N/A View on NVD
Medium

CVE-2022-30562

If the user enables the https function on the device, an attacker can modify the user’s request data packet through a man-in-the-middle attack ,Injection of a malicious URL in the Host: header of the…

CVSS: 4.7 CWE: CWE-601 - URL Redirection to Untrusted Site ('Open Redirect') View on NVD
Medium

CVE-2022-30561

When an attacker uses a man-in-the-middle attack to sniff the request packets with success logging in, the attacker could log in to the device by replaying the user's login packet.

CVSS: 5.9 CWE: N/A View on NVD
High

CVE-2022-30560

When an attacker obtaining the administrative account and password, or through a man-in-the-middle attack, the attacker could send a specified crafted packet to the vulnerable interface then lead the…

CVSS: 7.4 CWE: N/A View on NVD
2022-06-24
High

CVE-2022-1524

LRM version 2.4 and lower does not implement TLS encryption. A malicious actor can MITM attack sensitive data in-transit, including credentials.

CVSS: 7.4 CWE: CWE-319 - Cleartext Transmission of Sensitive Information View on NVD
2022-06-20
Medium

CVE-2022-32983

Knot Resolver through 5.5.1 may allow DNS cache poisoning when there is an attempt to limit forwarding actions by filters.

CVSS: 5.3 CWE: CWE-290 - Authentication Bypass by Spoofing View on NVD
2022-06-17
Medium

CVE-2022-21184

An information disclosure vulnerability exists in the License registration functionality of Bachmann Visutec GmbH Atvise 3.5.4, 3.6 and 3.7. A plaintext HTTP request can lead to a disclosure of login…

CVSS: 5.9 CWE: CWE-319 - Cleartext Transmission of Sensitive Information View on NVD
2022-06-14
Low

CVE-2022-29482

'Mobaoku-Auction&Flea Market' App for iOS versions prior to 5.5.16 improperly verifies server certificates, which may allow an attacker to eavesdrop on an encrypted communication via a man-in-the-mid…

CVSS: 3.7 CWE: CWE-295 - Improper Certificate Validation View on NVD
2022-06-02
Medium

CVE-2022-29733

Delta Controls enteliTOUCH 3.40.3935, 3.40.3706, and 3.33.4005 was discovered to transmit and store sensitive information in cleartext. This vulnerability allows attackers to intercept HTTP Cookie au…

CVSS: 5.9 CWE: CWE-319 - Cleartext Transmission of Sensitive Information View on NVD
2022-05-24
Medium

CVE-2022-22306

An improper certificate validation vulnerability [CWE-295] in FortiOS 6.0.0 through 6.0.14, 6.2.0 through 6.2.10, 6.4.0 through 6.4.8, 7.0.0 may allow a network adjacent and unauthenticated attacker…

CVSS: 5.4 CWE: CWE-295 - Improper Certificate Validation View on NVD
2022-05-20
Medium

CVE-2022-22365

IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0, with the Ajax Proxy Web Application (AjaxProxy.war) deployed, is vulnerable to spoofing by allowing a man-in-the-middle attacker to spoof SSL…

CVSS: 5.9 CWE: N/A View on NVD
2022-05-19
Medium

CVE-2020-4970

IBM Security Identity Governance and Intelligence 5.2.4, 5.2.5, and 5.2.6 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport…

CVSS: 5.9 CWE: CWE-319 - Cleartext Transmission of Sensitive Information View on NVD
2022-05-12
Medium

CVE-2021-27768

Using the ability to perform a Man-in-the-Middle (MITM) attack, which indicates a lack of hostname verification, sensitive account information was able to be intercepted. In this specific scenario, t…

CVSS: 6.3 CWE: CWE-300 - Channel Accessible by Non-Endpoint View on NVD
2022-05-06
Medium

CVE-2022-30295

uClibc-ng through 1.0.40 and uClibc through 0.9.33.2 use predictable DNS transaction IDs that may lead to DNS cache poisoning. This is related to a reset of a value to 0x2.

CVSS: 6.5 CWE: CWE-330 - Use of Insufficiently Random Values View on NVD
2022-05-04
Medium

CVE-2021-32010

Inadequate Encryption Strength vulnerability in TLS stack of Secomea SiteManager, LinkManager, GateManager may facilitate man in the middle attacks. This issue affects: Secomea SiteManager All versio…

CVSS: 5.6 CWE: CWE-326 - Inadequate Encryption Strength View on NVD
2022-05-03
Medium

CVE-2022-1434

The OpenSSL 3.0 implementation of the RC4-MD5 ciphersuite incorrectly uses the AAD data as the MAC key. This makes the MAC key trivially predictable. An attacker could exploit this issue by performin…

CVSS: 5.9 CWE: CWE-327 - Use of a Broken or Risky Cryptographic Algorithm View on NVD
High

CVE-2022-20742

A vulnerability in an IPsec VPN library of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to read o…

CVSS: 7.4 CWE: CWE-325 - Missing Cryptographic Step View on NVD
2022-04-21
High

CVE-2022-20773

A vulnerability in the key-based SSH authentication mechanism of Cisco Umbrella Virtual Appliance (VA) could allow an unauthenticated, remote attacker to impersonate a VA. This vulnerability is due t…

CVSS: 7.5 CWE: CWE-321 - Use of Hard-coded Cryptographic Key View on NVD
2022-04-19
Medium

CVE-2021-39072

IBM Security Guardium 11.3 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security. An attacker could exploit this vulne…

CVSS: 5.9 CWE: N/A View on NVD
2022-04-15
High

CVE-2022-27048

A vulnerability has been discovered in Moxa MGate which allows an attacker to perform a man-in-the-middle (MITM) attack on the device. This affects MGate MB3170 Series Firmware Version 4.2 or lower.…

CVSS: 7.4 CWE: N/A View on NVD
Medium

CVE-2022-20694

A vulnerability in the implementation of the Resource Public Key Infrastructure (RPKI) feature of Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause the Border Gateway Pro…

CVSS: 6.8 CWE: CWE-617 - Reachable Assertion View on NVD
2022-04-14
Medium

CVE-2021-21967

An out-of-bounds write vulnerability exists in the OTA update task functionality of Sealevel Systems, Inc. SeaConnect 370W v1.3.34. A specially-crafted MQTT payload can lead to denial of service. An…

CVSS: 5.9 CWE: CWE-120 - Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') View on NVD
2022-04-13
Medium

CVE-2022-0023

An improper handling of exceptional conditions vulnerability exists in the DNS proxy feature of Palo Alto Networks PAN-OS software that enables a meddler-in-the-middle (MITM) to send specifically cra…

CVSS: 5.9 CWE: CWE-755 - Improper Handling of Exceptional Conditions View on NVD
2022-04-12
High

CVE-2022-22549

Dell PowerScale OneFS, 8.2.x-9.3.x, contains a Improper Certificate Validation. A unauthenticated remote attacker could potentially exploit this vulnerability, leading to a man-in-the-middle capture…

CVSS: 7.5 CWE: CWE-295 - Improper Certificate Validation View on NVD
2022-04-11
Medium

CVE-2022-20081

In A-GPS, there is a possible man in the middle attack due to improper certificate validation. This could lead to remote information disclosure with no additional execution privileges needed. User in…

CVSS: 5.9 CWE: CWE-295 - Improper Certificate Validation View on NVD
2022-04-02
Medium

CVE-2022-28352

WeeChat (aka Wee Enhanced Environment for Chat) 3.2 to 3.4 before 3.4.1 does not properly verify the TLS certificate of the server, after certain GnuTLS options are changed, which allows man-in-the-m…

CVSS: 4.3 CWE: CWE-295 - Improper Certificate Validation View on NVD
2022-03-31
Medium

CVE-2022-22311

IBM Security Verify Access could allow a user, using man in the middle techniques, to obtain sensitive information or possibly change some information due to improper validiation of JWT tokens.

CVSS: 6.5 CWE: CWE-20 - Improper Input Validation View on NVD
2022-03-29
Low

CVE-2022-22935

An issue was discovered in SaltStack Salt in versions before 3002.8, 3003.4, 3004.1. A minion authentication denial of service can cause a MiTM attacker to force a minion process to stop by impersona…

CVSS: 3.7 CWE: CWE-287 - Improper Authentication View on NVD
2022-03-28
Medium

CVE-2021-43105

A vulnerability in the bailiwick checking function in Technitium DNS Server <= v7.0 exists that allows specific malicious users to inject `NS` records of any domain (even TLDs) into the cache and con…

CVSS: 4.3 CWE: N/A View on NVD
Medium

CVE-2022-0123

An issue has been discovered affecting GitLab versions prior to 14.4.5, between 14.5.0 and 14.5.3, and between 14.6.0 and 14.6.1. GitLab does not validate SSL certificates for some of external CI ser…

CVSS: 5.9 CWE: CWE-295 - Improper Certificate Validation View on NVD
2022-03-25
Medium

CVE-2021-40906

CheckMK Raw Edition software (versions 1.5.0 to 1.6.0) does not sanitise the input of a web service parameter that is in an unauthenticated zone. This Reflected XSS allows an attacker to open a backd…

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
High

CVE-2022-0759

A flaw was found in all versions of kubeclient up to (but not including) v4.9.3, the Ruby client for Kubernetes REST API, in the way it parsed kubeconfig files. When the kubeconfig file does not conf…

CVSS: 8.1 CWE: CWE-295 - Improper Certificate Validation View on NVD
2022-03-23
High

CVE-2021-3618

ALPACA is an application layer protocol content confusion attack, exploiting TLS servers implementing different protocols but using compatible certificates, such as multi-domain or wildcard certifica…

CVSS: 7.4 CWE: CWE-295 - Improper Certificate Validation View on NVD
High

CVE-2021-44759

Improper Authentication vulnerability in TLS origin validation of Apache Traffic Server allows an attacker to create a man in the middle attack. This issue affects Apache Traffic Server 8.0.0 to 8.1.…

CVSS: 8.1 CWE: CWE-287 - Improper Authentication View on NVD
2022-03-17
High

CVE-2022-24759

`@chainsafe/libp2p-noise` contains TypeScript implementation of noise protocol, an encryption protocol used in libp2p. `@chainsafe/libp2p-noise` before 4.1.2 and 5.0.3 does not correctly validate sig…

CVSS: 8.1 CWE: CWE-347 - Improper Verification of Cryptographic Signature View on NVD
2022-03-10
Low

CVE-2022-21170

Improper check for certificate revocation in i-FILTER Ver.10.45R01 and earlier, i-FILTER Ver.9.50R10 and earlier, i-FILTER Browser & Cloud MultiAgent for Windows Ver.4.93R04 and earlier, and D-SPA (V…

CVSS: 3.7 CWE: CWE-295 - Improper Certificate Validation View on NVD
Medium

CVE-2021-40055

There is a man-in-the-middle attack vulnerability during system update download in recovery mode. Successful exploitation of this vulnerability may affect integrity.

CVSS: 5.9 CWE: N/A View on NVD
2022-03-08
Medium

CVE-2021-42017

A vulnerability has been identified in RUGGEDCOM i800, RUGGEDCOM i801, RUGGEDCOM i802, RUGGEDCOM i803, RUGGEDCOM M2100, RUGGEDCOM M2100F, RUGGEDCOM M2200, RUGGEDCOM M2200F, RUGGEDCOM M969, RUGGEDCOM…

CVSS: 5.9 CWE: CWE-358 - Improperly Implemented Security Check for Standard View on NVD
Medium

CVE-2021-37209

A vulnerability has been identified in RUGGEDCOM i800 (All versions < V4.3.8), RUGGEDCOM i801 (All versions < V4.3.8), RUGGEDCOM i802 (All versions < V4.3.8), RUGGEDCOM i803 (All versions < V4.3.8),…

CVSS: 6.7 CWE: CWE-326 - Inadequate Encryption Strength View on NVD
2022-03-04
High

CVE-2021-40846

An issue was discovered in Rhinode Trading Paints through 2.0.36. TP Updater.exe uses cleartext HTTP to check, and request, updates. Thus, attackers can man-in-the-middle a victim to download a malic…

CVSS: 7.5 CWE: CWE-319 - Cleartext Transmission of Sensitive Information View on NVD
High

CVE-2021-23214

When the server is configured to use trust authentication with a clientcert requirement or to use cert authentication, a man-in-the-middle attacker can inject arbitrary SQL queries when a connection…

CVSS: 8.1 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD
2022-03-02
Low

CVE-2021-3716

A flaw was found in nbdkit due to to improperly caching plaintext state across the STARTTLS encryption boundary. A MitM attacker could use this flaw to inject a plaintext NBD_OPT_STRUCTURED_REPLY bef…

CVSS: 3.1 CWE: CWE-924 - Improper Enforcement of Message Integrity During Transmission in a Communication Channel View on NVD
Medium

CVE-2021-23222

A man-in-the-middle attacker can inject false responses to the client's first few queries, despite the use of SSL certificate verification and encryption.

CVSS: 5.9 CWE: CWE-522 - Insufficiently Protected Credentials View on NVD
2022-02-18
Medium

CVE-2021-39026

IBM Guardium Data Encryption (GDE) 5.0.0.2 and 5.0.0.3 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security. An attac…

CVSS: 5.9 CWE: CWE-319 - Cleartext Transmission of Sensitive Information View on NVD
2022-02-10
Medium

CVE-2022-0018

An information exposure vulnerability exists in the Palo Alto Networks GlobalProtect app on Windows and MacOS where the credentials of the local user account are sent to the GlobalProtect portal when…

CVSS: 6.1 CWE: CWE-201 - Insertion of Sensitive Information Into Sent Data View on NVD
2022-02-09
Medium

CVE-2022-24320

A CWE-295: Improper Certificate Validation vulnerability exists that could allow a Man-in-theMiddle attack when communications between the client and Geo SCADA database server are intercepted. Affect…

CVSS: 5.9 CWE: CWE-295 - Improper Certificate Validation View on NVD
Medium

CVE-2022-24319

A CWE-295: Improper Certificate Validation vulnerability exists that could allow a Man-in-theMiddle attack when communications between the client and Geo SCADA web server are intercepted. Affected Pr…

CVSS: 5.9 CWE: CWE-295 - Improper Certificate Validation View on NVD
2022-02-04
Medium

CVE-2021-21971

An out-of-bounds write vulnerability exists in the URL_decode functionality of Sealevel Systems, Inc. SeaConnect 370W v1.3.34. A specially-crafted MQTT payload can lead to an out-of-bounds write. An…

CVSS: 5.9 CWE: CWE-787 - Out-of-bounds Write View on NVD
High

CVE-2021-21968

A file write vulnerability exists in the OTA update task functionality of Sealevel Systems, Inc. SeaConnect 370W v1.3.34. A specially-crafted MQTT payload can lead to arbitrary file overwrite. An att…

CVSS: 8.3 CWE: CWE-20 - Improper Input Validation View on NVD
Medium

CVE-2021-21963

An information disclosure vulnerability exists in the Web Server functionality of Sealevel Systems, Inc. SeaConnect 370W v1.3.34. A specially-crafted man-in-the-middle attack can lead to a disclosure…

CVSS: 5.9 CWE: CWE-311 - Missing Encryption of Sensitive Data View on NVD
High

CVE-2021-21962

A heap-based buffer overflow vulnerability exists in the OTA Update u-download functionality of Sealevel Systems, Inc. SeaConnect 370W v1.3.34. A series of specially-crafted MQTT payloads can lead to…

CVSS: 8.1 CWE: CWE-122 - Heap-based Buffer Overflow View on NVD
High

CVE-2021-21959

A misconfiguration exists in the MQTTS functionality of Sealevel Systems, Inc. SeaConnect 370W v1.3.34. This misconfiguration significantly simplifies a man-in-the-middle attack, which directly leads…

CVSS: 8.1 CWE: CWE-295 - Improper Certificate Validation View on NVD
2022-01-28
Medium

CVE-2022-21199

An information disclosure vulnerability exists due to the hardcoded TLS key of reolink RLC-410W v3.0.0.136_20121102. A specially-crafted man-in-the-middle attack can lead to a disclosure of sensitive…

CVSS: 5.9 CWE: CWE-321 - Use of Hard-coded Cryptographic Key View on NVD
2022-01-26
Medium

CVE-2021-29838

IBM Security Guardium Insights 3.0 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security. An attacker could exploit th…

CVSS: 5.9 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2022-01-20
Medium

CVE-2021-29785

IBM Security SOAR V42 and V43could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security. An attacker could exploit this vul…

CVSS: 5.9 CWE: N/A View on NVD
2022-01-04
Medium

CVE-2021-39143

Spinnaker is an open source, multi-cloud continuous delivery platform. A path traversal vulnerability was discovered in uses of TAR files by AppEngine for deployments. This uses a utility to extract…

CVSS: 6.6 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
2021-12-23
High

CVE-2021-44273

e2guardian v5.4.x <= v5.4.3r is affected by missing SSL certificate validation in the SSL MITM engine. In standalone mode (i.e., acting as a proxy or a transparent proxy), with SSL MITM enabled, e2gu…

CVSS: 7.4 CWE: CWE-295 - Improper Certificate Validation View on NVD
2021-12-22
High

CVE-2021-21953

An authentication bypass vulnerability exists in the process_msg() function of the home_security binary of Anker Eufy Homebase 2 2.1.6.9h. A specially-crafted man-in-the-middle attack can lead to inc…

CVSS: 8.1 CWE: CWE-300 - Channel Accessible by Non-Endpoint View on NVD
2021-12-21
Medium

CVE-2021-36337

Dell Wyse Management Suite version 3.3.1 and prior support insecure Transport Security Protocols TLS 1.0 and TLS 1.1 which are susceptible to Man-In-The-Middle attacks thereby compromising Confidenti…

CVSS: 6.5 CWE: CWE-326 - Inadequate Encryption Strength View on NVD
2021-12-16
High

CVE-2021-41028

A combination of a use of hard-coded cryptographic key vulnerability [CWE-321] in FortiClientEMS 7.0.1 and below, 6.4.6 and below and an improper certificate validation vulnerability [CWE-297] in For…

CVSS: 8.2 CWE: CWE-295 - Improper Certificate Validation View on NVD
2021-12-15
Medium

CVE-2021-29847

BMC firmware (IBM Power System S821LC Server (8001-12C) OP825.50) configuration changed to allow an authenticated user to open an insecure communication channel which could allow an attacker to obtai…

CVSS: 5.9 CWE: N/A View on NVD
2021-12-14
High

CVE-2021-44549

Apache Sling Commons Messaging Mail provides a simple layer on top of JavaMail/Jakarta Mail for OSGi to send mails via SMTPS. To reduce the risk of "man in the middle" attacks additional server ident…

CVSS: 7.4 CWE: CWE-295 - Improper Certificate Validation View on NVD
High

CVE-2021-41067

An issue was discovered in Listary through 6. Improper implementation of the update process leads to the download of software updates with a /check-update HTTP-based connection. This can be exploited…

CVSS: 7.5 CWE: CWE-354 - Improper Validation of Integrity Check Value View on NVD
2021-12-13
Medium

CVE-2020-4496

The IBM Spectrum Protect Plus 10.1.0.0 through 10.1.8.x server connection to an IBM Spectrum Protect Plus workload agent is subject to a man-in-the-middle attack due to improper certificate validatio…

CVSS: 5.9 CWE: CWE-295 - Improper Certificate Validation View on NVD
2021-12-10
Medium

CVE-2021-31747

Missing SSL Certificate Validation issue exists in Pluck 4.7.15 in update_applet.php, which could lead to man-in-the-middle attacks.

CVSS: 4.8 CWE: CWE-295 - Improper Certificate Validation View on NVD
2021-12-02
Medium

CVE-2020-27414

Mahavitaran android application 7.50 and prior transmit sensitive information in URL parameters. This may lead to information disclosure if unauthorized parties have access to the URLs via server log…

CVSS: 5.9 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2021-12-01
Medium

CVE-2021-29779

IBM QRadar SIEM 7.3 and 7.4 could allow an attacker to obtain sensitive information due to the server performing key exchange without entity authentication on inter-host communications using man in t…

CVSS: 5.9 CWE: N/A View on NVD
High

CVE-2021-34599

Affected versions of CODESYS Git in Versions prior to V1.1.0.0 lack certificate validation in HTTPS handshakes. CODESYS Git does not implement certificate validation by default, so it does not verify…

CVSS: 7.4 CWE: CWE-295 - Improper Certificate Validation View on NVD
2021-11-30
Medium

CVE-2021-36326

Dell EMC Streaming Data Platform, versions prior to 1.3 contain an SSL Strip Vulnerability in the User Interface (UI). A remote unauthenticated attacker could potentially exploit this vulnerability,…

CVSS: 6.5 CWE: CWE-757 - Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade') View on NVD
2021-11-22
High

CVE-2021-3935

When PgBouncer is configured to use "cert" authentication, a man-in-the-middle attacker can inject arbitrary SQL queries when a connection is first established, despite the use of TLS certificate ver…

CVSS: 8.1 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD
2021-11-18
High

CVE-2021-23167

Improper certificate validation vulnerability in SMTP Client allows man-in-the-middle attack to retrieve sensitive information from the Command Centre Server. This issue affects: Gallagher Command Ce…

CVSS: 8.1 CWE: CWE-295 - Improper Certificate Validation View on NVD
High

CVE-2021-23162

Improper validation of the cloud certificate chain in Mobile Connect allows man-in-the-middle attack to impersonate the legitimate Command Centre Server. This issue affects: Gallagher Command Centre…

CVSS: 7.7 CWE: CWE-296 - Improper Following of a Certificate's Chain of Trust View on NVD
Critical

CVE-2021-23155

Improper validation of the cloud certificate chain in Mobile Client allows man-in-the-middle attack to impersonate the legitimate Command Centre Server. This issue affects: Gallagher Command Centre M…

CVSS: 9.0 CWE: CWE-296 - Improper Following of a Certificate's Chain of Trust View on NVD
2021-11-15
Medium

CVE-2021-38978

IBM Tivoli Key Lifecycle Manager 3.0, 3.0.1, 4.0, and 4.1 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security. An at…

CVSS: 5.9 CWE: CWE-319 - Cleartext Transmission of Sensitive Information View on NVD
2021-11-10
High

CVE-2021-3059

An OS command injection vulnerability in the Palo Alto Networks PAN-OS management interface exists when performing dynamic updates. This vulnerability enables a man-in-the-middle attacker to execute…

CVSS: 8.1 CWE: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') View on NVD
2021-11-09
High

CVE-2021-40366

A vulnerability has been identified in Climatix POL909 (AWB module) (All versions < V11.42), Climatix POL909 (AWM module) (All versions < V11.34). The web server of affected devices transmits data wi…

CVSS: 7.4 CWE: CWE-311 - Missing Encryption of Sensitive Data View on NVD
2021-11-08
Medium

CVE-2020-4160

IBM QRadar Network Security 5.4.0 and 5.5.0 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security. An attacker could e…

CVSS: 5.9 CWE: N/A View on NVD
Medium

CVE-2020-4152

IBM QRadar Network Security 5.4.0 and 5.5.0 transmits sensitive or security-critical data in cleartext in a communication channel that can be obtained using man in the middle techniques. IBM X-Force…

CVSS: 5.9 CWE: CWE-319 - Cleartext Transmission of Sensitive Information View on NVD
2021-11-07
High

CVE-2021-43414

An issue was discovered in GNU Hurd before 0.9 20210404-9. The use of an authentication protocol in the proc server is vulnerable to man-in-the-middle attacks, which can be exploited for local privil…

CVSS: 7.0 CWE: CWE-287 - Improper Authentication View on NVD
2021-11-05
Medium

CVE-2021-42701

An attacker could prepare a specially crafted project file that, if opened, would attempt to connect to the cloud and trigger a man in the middle (MiTM) attack. This could allow an attacker to obtain…

CVSS: 5.0 CWE: CWE-471 - Modification of Assumed-Immutable Data (MAID) View on NVD
2021-11-04
High

CVE-2021-34739

A vulnerability in the web-based management interface of multiple Cisco Small Business Series Switches could allow an unauthenticated, remote attacker to replay valid user session credentials and gai…

CVSS: 8.1 CWE: CWE-613 - Insufficient Session Expiration View on NVD
2021-11-03
High

CVE-2021-38161

Improper Authentication vulnerability in TLS origin verification of Apache Traffic Server allows for man in the middle attacks. This issue affects Apache Traffic Server 8.0.0 to 8.0.8.

CVSS: 8.1 CWE: CWE-287 - Improper Authentication View on NVD
Medium

CVE-2021-38502

Thunderbird ignored the configuration to require STARTTLS security for an SMTP connection. A MITM could perform a downgrade attack to intercept transmitted messages, or could take control of the auth…

CVSS: 5.9 CWE: N/A View on NVD
2021-10-22
Medium

CVE-2020-23036

MEDIA NAVI Inc SMACom v1.2 was discovered to contain an insecure session validation vulnerability in the session handling of the `password` authentication parameter of the wifi photo transfer module.…

CVSS: 5.9 CWE: CWE-522 - Insufficiently Protected Credentials View on NVD
2021-10-21
Medium

CVE-2021-35228

This vulnerability occurred due to missing input sanitization for one of the output fields that is extracted from headers on specific section of page causing a reflective cross site scripting attack.…

CVSS: 5.5 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2021-10-19
High

CVE-2021-0296

The Juniper Networks CTPView server is not enforcing HTTP Strict Transport Security (HSTS). HSTS is an optional response header which allows servers to indicate that content from the requested domain…

CVSS: 7.4 CWE: CWE-319 - Cleartext Transmission of Sensitive Information View on NVD
2021-10-13
High

CVE-2021-3057

A stack-based buffer overflow vulnerability exists in the Palo Alto Networks GlobalProtect app that enables a man-in-the-middle attacker to disrupt system processes and potentially execute arbitrary…

CVSS: 8.1 CWE: CWE-121 - Stack-based Buffer Overflow View on NVD
High

CVE-2021-20833

The SNKRDUNK Market Place App for iOS versions prior to 2.2.0 does not verify server certificate properly, which allows man-in-the-middle attackers to eavesdrop on and/or alter encrypted communicatio…

CVSS: 7.4 CWE: CWE-295 - Improper Certificate Validation View on NVD
2021-10-08
High

CVE-2021-35979

An issue was discovered in Digi RealPort through 4.8.488.0. The 'encrypted' mode is vulnerable to man-in-the-middle attacks and does not perform authentication.

CVSS: 8.1 CWE: CWE-306 - Missing Authentication for Critical Function View on NVD
2021-10-06
High

CVE-2021-1594

A vulnerability in the REST API of Cisco Identity Services Engine (ISE) could allow an unauthenticated, remote attacker to perform a command injection attack and elevate privileges to root. This vuln…

CVSS: 7.5 CWE: CWE-266 - Incorrect Privilege Assignment View on NVD
2021-10-05
High

CVE-2021-35497

The FTL Server (tibftlserver) and Docker images containing tibftlserver components of TIBCO Software Inc.'s TIBCO ActiveSpaces - Community Edition, TIBCO ActiveSpaces - Developer Edition, TIBCO Activ…

CVSS: 7.5 CWE: CWE-295 - Improper Certificate Validation View on NVD
2021-09-29
High

CVE-2021-41034

The build of some language stacks of Eclipse Che version 6 includes pulling some binaries from an unsecured HTTP endpoint. As a consequence the builds of such stacks are vulnerable to MITM attacks th…

CVSS: 8.1 CWE: CWE-924 - Improper Enforcement of Message Integrity During Transmission in a Communication Channel View on NVD
Medium

CVE-2021-22947

When curl >= 7.20.0 and <= 7.78.0 connects to an IMAP or POP3 server to retrieve data using STARTTLS to upgrade to TLS security, the server can respond and send back multiple responses at once that c…

CVSS: 5.9 CWE: CWE-310 View on NVD
2021-09-27
Medium

CVE-2021-40713

Adobe Experience Manager version 6.5.9.0 (and earlier) is affected by a improper certificate validation vulnerability in the cold storage component. If an attacker can achieve a man in the middle whe…

CVSS: 5.9 CWE: CWE-295 - Improper Certificate Validation View on NVD
2021-09-21
High

CVE-2021-40847

The update process of the Circle Parental Control Service on various NETGEAR routers allows remote attackers to achieve remote code execution as root via a MitM attack. While the parental controls th…

CVSS: 8.1 CWE: CWE-319 - Cleartext Transmission of Sensitive Information View on NVD
2021-09-20
Medium

CVE-2020-16630

TI’s BLE stack caches and reuses the LTK’s property for a bonded mobile. A LTK can be an unauthenticated-and-no-MITM-protection key created by Just Works or an authenticated-and-MITM-protection key c…

CVSS: 6.8 CWE: CWE-863 - Incorrect Authorization View on NVD
2021-09-18
Medium

CVE-2021-3806

A path traversal vulnerability on Pardus Software Center's "extractArchive" function could allow anyone on the same network to do a man-in-the-middle and write files on the system.

CVSS: 5.3 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
2021-09-15
High

CVE-2021-27662

The KT-1 door controller is susceptible to replay or man-in-the-middle attacks where an attacker can record and replay TCP packets. This issue affects Johnson Controls KT-1 all versions up to and inc…

CVSS: 8.6 CWE: CWE-294 - Authentication Bypass by Capture-replay View on NVD
2021-09-13
High

CVE-2021-41033

In all released versions of Eclipse Equinox, at least until version 4.21 (September 2021), installation can be vulnerable to man-in-the-middle attack if using p2 repos that are HTTP; that can then be…

CVSS: 8.1 CWE: CWE-300 - Channel Accessible by Non-Endpoint View on NVD
2021-09-09
Medium

CVE-2021-25466

Improper scheme check vulnerability in Samsung Internet prior to version 15.0.2.47 allows attackers to perform Man-in-the-middle attack and obtain Samsung Account token.

CVSS: 6.5 CWE: CWE-287 - Improper Authentication View on NVD
Low

CVE-2021-25465

An improper scheme check vulnerability in Samsung Themes prior to version 5.2.01 allows attackers to perform Man-in-the-middle attack.

CVSS: 3.3 CWE: CWE-20 - Improper Input Validation View on NVD
2021-08-22
Medium

CVE-2021-39365

In GNOME grilo though 0.3.13, grl-net-wc.c does not enable TLS certificate verification on the SoupSessionAsync objects it creates, leaving users vulnerable to network MITM attacks. NOTE: this is sim…

CVSS: 5.9 CWE: CWE-295 - Improper Certificate Validation View on NVD
Medium

CVE-2021-39361

In GNOME evolution-rss through 0.3.96, network-soup.c does not enable TLS certificate verification on the SoupSessionSync objects it creates, leaving users vulnerable to network MITM attacks. NOTE: t…

CVSS: 5.9 CWE: CWE-295 - Improper Certificate Validation View on NVD
Medium

CVE-2021-39360

In GNOME libzapojit through 0.0.3, zpj-skydrive.c does not enable TLS certificate verification on the SoupSessionSync objects it creates, leaving users vulnerable to network MITM attacks. NOTE: this…

CVSS: 5.9 CWE: CWE-295 - Improper Certificate Validation View on NVD
Medium

CVE-2021-39359

In GNOME libgda through 6.0.0, gda-web-provider.c does not enable TLS certificate verification on the SoupSessionSync objects it creates, leaving users vulnerable to network MITM attacks. NOTE: this…

CVSS: 5.9 CWE: CWE-295 - Improper Certificate Validation View on NVD
Medium

CVE-2021-39358

In GNOME libgfbgraph through 0.2.4, gfbgraph-photo.c does not enable TLS certificate verification on the SoupSessionSync objects it creates, leaving users vulnerable to network MITM attacks. NOTE: th…

CVSS: 5.9 CWE: CWE-295 - Improper Certificate Validation View on NVD
2021-08-19
Medium

CVE-2021-29280

In TP-Link Wireless N Router WR840N an ARP poisoning attack can cause buffer overflow

CVSS: 6.4 CWE: CWE-668 - Exposure of Resource to Wrong Sphere View on NVD
2021-08-18
High

CVE-2020-25926

The DNS client in InterNiche NicheStack TCP/IP 4.0.1 is affected by: Insufficient entropy in the DNS transaction id. The impact is: DNS cache poisoning (remote). The component is: dns_query_type(). T…

CVSS: 7.5 CWE: CWE-331 - Insufficient Entropy View on NVD
2021-08-17
Medium

CVE-2020-15955

In s/qmail through 4.0.07, an active MitM can inject arbitrary plaintext commands into a STARTTLS encrypted session between an SMTP client and s/qmail. This allows e-mail messages and user credential…

CVSS: 5.9 CWE: CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection') View on NVD
2021-08-16
Medium

CVE-2021-32826

Proxyee-Down is open source proxy software. An attacker being able to provide an extension script (eg: through a MiTM attack or by hosting a malicious extension) may be able to run arbitrary commands…

CVSS: 6.8 CWE: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') View on NVD
Medium

CVE-2021-38751

A HTTP Host header attack exists in ExponentCMS 2.6 and below in /exponent_constants.php. A modified HTTP header can change links on the webpage to an arbitrary value, leading to a possible attack ve…

CVSS: 4.3 CWE: CWE-116 - Improper Encoding or Escaping of Output View on NVD
2021-08-14
Low

CVE-2020-36473

UCWeb UC 12.12.3.1219 through 12.12.3.1226 uses cleartext HTTP, and thus man-in-the-middle attackers can discover visited URLs.

CVSS: 3.7 CWE: CWE-312 - Cleartext Storage of Sensitive Information View on NVD
2021-08-13
Medium

CVE-2021-32069

The AWV component of Mitel MiCollab before 9.3 could allow an attacker to perform a Man-In-the-Middle attack due to improper TLS negotiation. A successful exploit could allow an attacker to view and…

CVSS: 4.8 CWE: CWE-295 - Improper Certificate Validation View on NVD
Low

CVE-2021-32068

The AWV and MiCollab Client Service components in Mitel MiCollab before 9.3 could allow an attacker to perform a Man-In-the-Middle attack by sending multiple session renegotiation requests, due to in…

CVSS: 3.7 CWE: CWE-770 - Allocation of Resources Without Limits or Throttling View on NVD
Medium

CVE-2021-31399

On 2N Access Unit 2.0 2.31.0.40.5 devices, an attacker can pose as the web relay for a man-in-the-middle attack.

CVSS: 4.6 CWE: CWE-295 - Improper Certificate Validation View on NVD
2021-08-10
Low

CVE-2021-38372

In KDE Trojita 0.7, man-in-the-middle attackers can create new folders because untagged responses from an IMAP server are accepted before STARTTLS.

CVSS: 3.7 CWE: CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection') View on NVD
2021-08-09
High

CVE-2021-38290

A host header attack vulnerability exists in FUEL CMS 1.5.0 through fuel/modules/fuel/config/fuel_constants.php and fuel/modules/fuel/libraries/Asset.php. An attacker can use a man in the middle atta…

CVSS: 8.1 CWE: CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') View on NVD
2021-08-04
High

CVE-2021-33338

The Layout module in Liferay Portal 7.1.0 through 7.3.2, and Liferay DXP 7.1 before fix pack 19, and 7.2 before fix pack 6, exposes the CSRF token in URLs, which allows man-in-the-middle attackers to…

CVSS: 7.5 CWE: CWE-352 - Cross-Site Request Forgery (CSRF) View on NVD
2021-08-02
Medium

CVE-2021-27503

Ypsomed mylife Cloud, mylife Mobile Application, Ypsomed mylife Cloud: All versions prior to 1.7.2, Ypsomed mylife App: All versions prior to 1.7.5,The application encrypts on the application layer o…

CVSS: 4.8 CWE: CWE-798 - Use of Hard-coded Credentials View on NVD
Medium

CVE-2021-27499

Ypsomed mylife Cloud, mylife Mobile Application, Ypsomed mylife Cloud: All versions prior to 1.7.2, Ypsomed mylife App: All versions prior to 1.7.5,The application layer encryption of the communicati…

CVSS: 5.9 CWE: CWE-329 - Generation of Predictable IV with CBC Mode View on NVD