CVE Daily
← All tags

Tag: Mitm

All CVEs associated with "Mitm". Page 7/32 • 3809 CVEs.

Subscribe CVEs: RSS for “Mitm”  ·  RSS (High+Critical only)

About “Mitm”

A curated feed of “Mitm”-related CVEs appears below. We currently track 3809 CVEs for this tag (all time). In the last 365 days, 218 were published. Average CVSS is 6.1 (all time; 6.6 over 365d), and 25% are rated High/Critical (all time). Top CWEs (last 365 days): CWE-295 - Improper Certificate Validation, CWE-319 - Cleartext Transmission of Sensitive Information, CWE-297 - Improper Validation of Certificate with Host Mismatch.

In our taxonomy this topic maps to a MODERATE impact class. Common exploitation patterns for this weakness can lead to moderate. Use the filters to triage high risk first and validate exposure in your environment. Use the filters below to sort by CVSS, risk and CWE. Each detail page highlights vendor advisories and mitigation tips.

CVEs tagged with this topic. Filters apply to the whole list (loaded from JSON).

CVSS ≥ 0.0
2021-08-01
High

CVE-2021-32066

An issue was discovered in Ruby through 2.6.7, 2.7.x through 2.7.3, and 3.x through 3.0.1. Net::IMAP does not raise an exception when StartTLS fails with an an unknown response, which might allow man…

CVSS: 7.4 CWE: CWE-755 - Improper Handling of Exceptional Conditions View on NVD
2021-07-30
Medium

CVE-2021-29298

Improper Input Validation in Emerson GE Automation Proficy Machine Edition v8.0 allows an attacker to cause a denial of service and application crash via crafted traffic from a Man-in-the-Middle (MIT…

CVSS: 5.3 CWE: CWE-20 - Improper Input Validation View on NVD
Medium

CVE-2021-29297

Buffer Overflow in Emerson GE Automation Proficy Machine Edition v8.0 allows an attacker to cause a denial of service and application crash via crafted traffic from a Man-in-the-Middle (MITM) attack…

CVSS: 5.3 CWE: CWE-120 - Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') View on NVD
2021-07-16
Medium

CVE-2021-32749

fail2ban is a daemon to ban hosts that cause multiple authentication errors. In versions 0.9.7 and prior, 0.10.0 through 0.10.6, and 0.11.0 through 0.11.2, there is a vulnerability that leads to poss…

CVSS: 6.1 CWE: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') View on NVD
High

CVE-2021-1422

A vulnerability in the software cryptography module of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an authenticated, remote attacker…

CVSS: 7.7 CWE: CWE-617 - Reachable Assertion View on NVD
2021-07-15
Medium

CVE-2021-34687

iDrive RemotePC before 7.6.48 on Windows allows information disclosure. A man in the middle can recover a system's Personal Key when a client attempts to make a LAN connection. The Personal Key is tr…

CVSS: 5.3 CWE: CWE-327 - Use of a Broken or Risky Cryptographic Algorithm View on NVD
2021-07-13
High

CVE-2021-31892

A vulnerability has been identified in SINUMERIK Analyse MyCondition (All versions), SINUMERIK Analyze MyPerformance (All versions), SINUMERIK Analyze MyPerformance /OEE-Monitor (All versions), SINUM…

CVSS: 7.4 CWE: CWE-295 - Improper Certificate Validation View on NVD
2021-07-12
Low

CVE-2021-36382

Devolutions Server before 2021.1.18, and LTS before 2020.3.20, allows attackers to intercept private keys via a man-in-the-middle attack against the connections/partial endpoint (which accepts cleart…

CVSS: 2.6 CWE: CWE-319 - Cleartext Transmission of Sensitive Information View on NVD
High

CVE-2021-3547

OpenVPN 3 Core Library version 3.6 and 3.6.1 allows a man-in-the-middle attacker to bypass the certificate authentication by issuing an unrelated server certificate using the same hostname found in t…

CVSS: 7.4 CWE: CWE-305 - Authentication Bypass by Primary Weakness View on NVD
2021-07-08
High

CVE-2021-1585

A vulnerability in the Cisco Adaptive Security Device Manager (ASDM) Launcher could allow an unauthenticated, remote attacker to execute arbitrary code on a user's operating system. This vulnerabilit…

CVSS: 7.5 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
2021-07-05
Medium

CVE-2021-36158

In the xrdp package (in branches through 3.14) for Alpine Linux, RDP sessions are vulnerable to man-in-the-middle attacks because pre-generated RSA certificates and private keys are used.

CVSS: 5.9 CWE: CWE-312 - Cleartext Storage of Sensitive Information View on NVD
2021-06-28
Medium

CVE-2021-32496

SICK Visionary-S CX up version 5.21.2.29154R are vulnerable to an Inadequate Encryption Strength vulnerability concerning the internal SSH interface solely used by SICK for recovering returned device…

CVSS: 5.3 CWE: CWE-326 - Inadequate Encryption Strength View on NVD
2021-06-25
Medium

CVE-2021-31615

Unencrypted Bluetooth Low Energy baseband links in Bluetooth Core Specifications 4.0 through 5.2 may permit an adjacent device to inject a crafted packet during the receive window of the listening de…

CVSS: 5.3 CWE: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') View on NVD
2021-06-22
Critical

CVE-2021-32700

Ballerina is an open source programming language and platform for cloud application programmers. Ballerina versions 1.2.x and SL releases up to alpha 3 have a potential for a supply chain attack via…

CVSS: 9.1 CWE: CWE-306 - Missing Authentication for Critical Function View on NVD
2021-06-18
High

CVE-2021-23846

When using http protocol, the user password is transmitted as a clear text parameter for which it is possible to be obtained by an attacker through a MITM attack. This will be fixed starting from Fir…

CVSS: 8.8 CWE: CWE-319 - Cleartext Transmission of Sensitive Information View on NVD
2021-06-17
Medium

CVE-2021-32575

HashiCorp Nomad and Nomad Enterprise up to version 1.0.4 bridge networking mode allows ARP spoofing from other bridged tasks on the same node. Fixed in 0.12.12, 1.0.5, and 1.1.0 RC1.

CVSS: 6.5 CWE: N/A View on NVD
2021-06-16
High

CVE-2021-1566

A vulnerability in the Cisco Advanced Malware Protection (AMP) for Endpoints integration of Cisco AsyncOS for Cisco Email Security Appliance (ESA) and Cisco Web Security Appliance (WSA) could allow a…

CVSS: 7.4 CWE: CWE-296 - Improper Following of a Certificate's Chain of Trust View on NVD
2021-06-12
Low

CVE-2021-34682

Receita Federal IRPF 2021 1.7 allows a man-in-the-middle attack against the update feature.

CVSS: 3.7 CWE: N/A View on NVD
2021-06-09
High

CVE-2020-15387

The host SSH servers of Brocade Fabric OS before Brocade Fabric OS v7.4.2h, v8.2.1c, v8.2.2, v9.0.0, and Brocade SANnav before v2.1.1 utilize keys of less than 2048 bits, which may be vulnerable to m…

CVSS: 7.4 CWE: CWE-326 - Inadequate Encryption Strength View on NVD
Medium

CVE-2021-20732

The ATOM (ATOM - Smart life App for Android versions prior to 1.8.1 and ATOM - Smart life App for iOS versions prior to 1.8.2) does not verify server certificate properly, which allows man-in-the-mid…

CVSS: 5.9 CWE: CWE-295 - Improper Certificate Validation View on NVD
2021-06-08
High

CVE-2021-21559

Dell EMC NetWorker, versions 18.x, 19.1.x, 19.2.x 19.3.x, 19.4, and 19.4.0.1 contain an Improper Certificate Validation vulnerability in the client (NetWorker Management Console) components which use…

CVSS: 7.1 CWE: CWE-295 - Improper Certificate Validation View on NVD
Medium

CVE-2021-22212

ntpkeygen can generate keys that ntpd fails to parse. NTPsec 1.2.0 allows ntpkeygen to generate keys with '#' characters. ntpd then either pads, shortens the key, or fails to load these keys entirely…

CVSS: 4.0 CWE: CWE-327 - Use of a Broken or Risky Cryptographic Algorithm View on NVD
2021-06-06
High

CVE-2021-33879

Tencent GameLoop before 4.1.21.90 downloaded updates over an insecure HTTP connection. A malicious attacker in an MITM position could spoof the contents of an XML document describing an update packag…

CVSS: 8.1 CWE: CWE-494 - Download of Code Without Integrity Check View on NVD
2021-06-04
Medium

CVE-2021-3565

A flaw was found in tpm2-tools in versions before 5.1.1 and before 4.3.2. tpm2_import used a fixed AES key for the inner wrapper, potentially allowing a MITM attacker to unwrap the inner portion and…

CVSS: 5.9 CWE: CWE-665 - Improper Initialization View on NVD
2021-05-27
High

CVE-2020-14387

A flaw was found in rsync in versions since 3.2.0pre1. Rsync improperly validates certificate with host mismatch vulnerability. A remote, unauthenticated attacker could exploit the flaw by performing…

CVSS: 7.4 CWE: CWE-297 - Improper Validation of Certificate with Host Mismatch View on NVD
High

CVE-2021-22909

A vulnerability found in EdgeMAX EdgeRouter V2.0.9 and earlier could allow a malicious actor to execute a man-in-the-middle (MitM) attack during a firmware update. This vulnerability is fixed in Edge…

CVSS: 7.5 CWE: CWE-300 - Channel Accessible by Non-Endpoint View on NVD
High

CVE-2020-17514

Apache Fineract prior to 1.5.0 disables HTTPS hostname verification in ProcessorHelper in the configureClient method. Under typical deployments, a man in the middle attack could be successful.

CVSS: 7.4 CWE: N/A View on NVD
2021-05-26
Medium

CVE-2018-16499

In VOS compromised, an attacker at network endpoints can possibly view communications between an unsuspecting user and the service using man-in-the-middle attacks. Usage of unapproved SSH encryption…

CVSS: 5.9 CWE: CWE-326 - Inadequate Encryption Strength View on NVD
2021-05-24
Medium

CVE-2020-26558

Bluetooth LE and BR/EDR secure pairing in Bluetooth Core Specification 2.1 through 5.2 may permit a nearby man-in-the-middle attacker to identify the Passkey used during pairing (in the Passkey authe…

CVSS: 4.2 CWE: CWE-287 - Improper Authentication View on NVD
Medium

CVE-2021-3485

An Improper Input Validation vulnerability in the Product Update feature of Bitdefender Endpoint Security Tools for Linux allows a man-in-the-middle attacker to abuse the DownloadFile function of the…

CVSS: 6.4 CWE: CWE-494 - Download of Code Without Integrity Check View on NVD
2021-05-21
Medium

CVE-2008-3280

It was found that various OpenID Providers (OPs) had TLS Server Certificates that used weak keys, as a result of the Debian Predictable Random Number Generator (CVE-2008-0166). In combination with th…

CVSS: 5.9 CWE: CWE-338 - Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) View on NVD
2021-05-20
Medium

CVE-2021-29692

IBM Security Identity Manager 7.0.2 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security. An attacker could exploit t…

CVSS: 5.9 CWE: N/A View on NVD
2021-05-17
Medium

CVE-2021-29043

The Portal Store module in Liferay Portal 7.0.0 through 7.3.5, and Liferay DXP 7.0 before fix pack 97, 7.1 before fix pack 21, 7.2 before fix pack 10 and 7.3 before fix pack 1 does not obfuscate the…

CVSS: 5.9 CWE: CWE-522 - Insufficiently Protected Credentials View on NVD
2021-05-14
Medium

CVE-2021-20564

IBM Cloud Pak for Security (CP4S) 1.4.0.0, 1.5.0.0, 1.5.0.1, 1.6.0.0, and 1.6.0.1 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict T…

CVSS: 5.9 CWE: CWE-319 - Cleartext Transmission of Sensitive Information View on NVD
Medium

CVE-2020-27184

The NPort IA5000A Series devices use Telnet as one of the network device management services. Telnet does not support the encryption of client-server communications, making it vulnerable to Man-in-th…

CVSS: 5.9 CWE: CWE-319 - Cleartext Transmission of Sensitive Information View on NVD
2021-05-13
Low

CVE-2021-22138

In Logstash versions after 6.4.0 and before 6.8.15 and 7.12.0 a TLS certificate validation flaw was found in the monitoring feature. When specifying a trusted server CA certificate Logstash would not…

CVSS: 3.7 CWE: CWE-295 - Improper Certificate Validation View on NVD
2021-05-10
Medium

CVE-2021-3003

Agenzia delle Entrate Desktop Telematico 1.0.0 contacts the jws.agenziaentrate.it server over cleartext HTTP, which allows man-in-the-middle attackers to spoof product updates.

CVSS: 5.3 CWE: CWE-319 - Cleartext Transmission of Sensitive Information View on NVD
2021-04-27
Medium

CVE-2019-25031

Unbound before 1.9.5 allows configuration injection in create_unbound_ad_servers.sh upon a successful man-in-the-middle attack against a cleartext HTTP session. NOTE: The vendor does not consider thi…

CVSS: 5.9 CWE: CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') View on NVD
2021-04-26
Medium

CVE-2021-3494

A smart proxy that provides a restful API to various sub-systems of the Foreman is affected by the flaw which can cause a Man-in-the-Middle attack. The FreeIPA module of Foreman smart proxy does not…

CVSS: 5.9 CWE: CWE-319 - Cleartext Transmission of Sensitive Information View on NVD
2021-04-08
Medium

CVE-2021-3448

A flaw was found in dnsmasq in versions before 2.85. When configured to use a specific server for a given network interface, dnsmasq uses a fixed port while forwarding queries. An attacker on the net…

CVSS: 4.0 CWE: CWE-358 - Improperly Implemented Security Check for Standard View on NVD
2021-04-06
High

CVE-2021-27899

The Proofpoint Insider Threat Management Agents (formerly ObserveIT Agent) for MacOS and Linux perform improper validation of the ITM Server's certificate, which enables a remote attacker to intercep…

CVSS: 7.4 CWE: CWE-295 - Improper Certificate Validation View on NVD
2021-04-02
Medium

CVE-2021-28124

A man-in-the-middle vulnerability in Cohesity DataPlatform support channel in version 6.3 up to 6.3.1g, 6.4 up to 6.4.1c and 6.5.1 through 6.5.1b. Missing server authentication in impacted versions c…

CVSS: 5.9 CWE: CWE-306 - Missing Authentication for Critical Function View on NVD
2021-04-01
Low

CVE-2021-22890

curl 7.63.0 to and including 7.75.0 includes vulnerability that allows a malicious HTTPS proxy to MITM a connection due to bad handling of TLS 1.3 session tickets. When using a HTTPS proxy and TLS 1.…

CVSS: 3.7 CWE: CWE-300 - Channel Accessible by Non-Endpoint View on NVD
2021-03-29
Critical

CVE-2020-35138

The MobileIron agents through 2021-03-22 for Android and iOS contain a hardcoded encryption key, used to encrypt the submission of username/password details during the authentication process, as demo…

CVSS: 9.8 CWE: CWE-798 - Use of Hard-coded Credentials View on NVD
2021-03-26
High

CVE-2021-21374

Nimble is a package manager for the Nim programming language. In Nim release versions before versions 1.2.10 and 1.4.4, "nimble refresh" fetches a list of Nimble packages over HTTPS without full veri…

CVSS: 8.1 CWE: CWE-348 - Use of Less Trusted Source View on NVD
High

CVE-2021-21373

Nimble is a package manager for the Nim programming language. In Nim release versions before versions 1.2.10 and 1.4.4, "nimble refresh" fetches a list of Nimble packages over HTTPS by default. In ca…

CVSS: 7.5 CWE: CWE-348 - Use of Less Trusted Source View on NVD
2021-03-24
High

CVE-2021-21385

Mifos-Mobile Android Application for MifosX is an Android Application built on top of the MifosX Self-Service platform. Mifos-Mobile before commit e505f62 disables HTTPS hostname verification of its…

CVSS: 8.8 CWE: CWE-295 - Improper Certificate Validation View on NVD
High

CVE-2021-1433

A vulnerability in the vDaemon process in Cisco IOS XE SD-WAN Software could allow an unauthenticated, remote attacker to cause a buffer overflow on an affected device. This vulnerability is due to i…

CVSS: 8.1 CWE: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer View on NVD
2021-03-19
Medium

CVE-2021-21390

MinIO is an open-source high performance object storage service and it is API compatible with Amazon S3 cloud storage service. In MinIO before version RELEASE.2021-03-17T02-33-02Z, there is a vulnera…

CVSS: 6.5 CWE: CWE-924 - Improper Enforcement of Message Integrity During Transmission in a Communication Channel View on NVD
2021-03-10
Medium

CVE-2020-15260

PJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. In version 2.10 and earlier, P…

CVSS: 6.8 CWE: CWE-297 - Improper Validation of Certificate with Host Mismatch View on NVD
2021-02-26
High

CVE-2021-26566

Insertion of sensitive information into sent data vulnerability in synorelayd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows man-in-the-middle attackers to execute arbitrary comman…

CVSS: 8.3 CWE: CWE-201 - Insertion of Sensitive Information Into Sent Data View on NVD
High

CVE-2021-26565

Cleartext transmission of sensitive information vulnerability in synorelayd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows man-in-the-middle attackers to obtain sensitive informati…

CVSS: 8.3 CWE: CWE-319 - Cleartext Transmission of Sensitive Information View on NVD
High

CVE-2021-26564

Cleartext transmission of sensitive information vulnerability in synorelayd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows man-in-the-middle attackers to spoof servers via an HTTP…

CVSS: 8.3 CWE: CWE-319 - Cleartext Transmission of Sensitive Information View on NVD
Critical

CVE-2021-26562

Out-of-bounds write vulnerability in synoagentregisterd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows man-in-the-middle attackers to execute arbitrary code via syno_finder_site HT…

CVSS: 9.0 CWE: CWE-787 - Out-of-bounds Write View on NVD
Critical

CVE-2021-26561

Stack-based buffer overflow vulnerability in synoagentregisterd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows man-in-the-middle attackers to execute arbitrary code via syno_finder…

CVSS: 9.0 CWE: CWE-121 - Stack-based Buffer Overflow View on NVD
Critical

CVE-2021-26560

Cleartext transmission of sensitive information vulnerability in synoagentregisterd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows man-in-the-middle attackers to spoof servers via…

CVSS: 9.0 CWE: CWE-319 - Cleartext Transmission of Sensitive Information View on NVD
2021-02-25
Medium

CVE-2021-20328

Specific versions of the Java driver that support client-side field level encryption (CSFLE) fail to perform correct host name verification on the KMS server’s certificate. This vulnerability in comb…

CVSS: 6.4 CWE: CWE-295 - Improper Certificate Validation View on NVD
Medium

CVE-2021-20327

A specific version of the Node.js mongodb-client-encryption module does not perform correct validation of the KMS server’s certificate. This vulnerability in combination with a privileged network pos…

CVSS: 6.4 CWE: CWE-295 - Improper Certificate Validation View on NVD
2021-02-19
Medium

CVE-2020-24393

TweetStream 2.6.1 uses the library eventmachine in an insecure way that does not have TLS hostname validation. This allows an attacker to perform a man-in-the-middle attack.

CVSS: 5.9 CWE: CWE-295 - Improper Certificate Validation View on NVD
Medium

CVE-2020-24392

In voloko twitter-stream 0.1.10, missing TLS hostname validation allows an attacker to perform a man-in-the-middle attack against users of the library (because eventmachine is misused).

CVSS: 5.9 CWE: CWE-295 - Improper Certificate Validation View on NVD
2021-02-12
Medium

CVE-2021-22981

On all versions of BIG-IP 12.1.x and 11.6.x, the original TLS protocol includes a weakness in the master secret negotiation that is mitigated by the Extended Master Secret (EMS) extension defined in…

CVSS: 4.8 CWE: N/A View on NVD
Medium

CVE-2021-20410

IBM Security Verify Information Queue 1.0.6 and 1.0.7 sends user credentials in plain clear text which can be read by an authenticated user using man in the middle techniques. IBM X-Force ID: 198190.

CVSS: 5.3 CWE: CWE-522 - Insufficiently Protected Credentials View on NVD
Medium

CVE-2021-20409

IBM Security Verify Information Queue 1.0.6 and 1.0.7 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security. An attack…

CVSS: 5.9 CWE: CWE-319 - Cleartext Transmission of Sensitive Information View on NVD
Medium

CVE-2021-20649

ELECOM WRC-300FEBK-S contains an improper certificate validation vulnerability. Via a man-in-the-middle attack, an attacker may alter the communication response. As a result, an arbitrary OS command…

CVSS: 4.8 CWE: CWE-295 - Improper Certificate Validation View on NVD
2021-02-06
Medium

CVE-2020-5812

Nessus AMI versions 8.12.0 and earlier were found to either not validate, or incorrectly validate, a certificate which could allow an attacker to spoof a trusted entity by using a man-in-the-middle (…

CVSS: 5.9 CWE: CWE-295 - Improper Certificate Validation View on NVD
2021-02-02
Medium

CVE-2019-25017

An issue was discovered in rcp in MIT krb5-appl through 1.0.3. Due to the rcp implementation being derived from 1983 rcp, the server chooses which files/directories are sent to the client. However, t…

CVSS: 5.9 CWE: CWE-863 - Incorrect Authorization View on NVD
2021-01-29
High

CVE-2021-3336

DoTls13CertificateVerify in tls13.c in wolfSSL before 4.7.0 does not cease processing for certain anomalous peer behavior (sending an ED22519, ED448, ECC, or RSA signature without the corresponding c…

CVSS: 8.1 CWE: CWE-295 - Improper Certificate Validation View on NVD
2021-01-27
Medium

CVE-2020-4816

IBM Cloud Pak for Security (CP4S) 1.4.0.0 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security. An attacker could exp…

CVSS: 5.9 CWE: CWE-862 - Missing Authorization View on NVD
2021-01-21
Medium

CVE-2020-4969

IBM Security Identity Governance and Intelligence 5.2.6 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security. An atta…

CVSS: 5.9 CWE: CWE-319 - Cleartext Transmission of Sensitive Information View on NVD
2021-01-20
High

CVE-2021-1277

Multiple vulnerabilities in Cisco Data Center Network Manager (DCNM) could allow an attacker to spoof a trusted host or construct a man-in-the-middle attack to extract sensitive information or alter…

CVSS: 7.5 CWE: CWE-295 - Improper Certificate Validation View on NVD
High

CVE-2021-1276

Multiple vulnerabilities in Cisco Data Center Network Manager (DCNM) could allow an attacker to spoof a trusted host or construct a man-in-the-middle attack to extract sensitive information or alter…

CVSS: 7.5 CWE: CWE-295 - Improper Certificate Validation View on NVD
Low

CVE-2020-25685

A flaw was found in dnsmasq before version 2.83. When getting a reply from a forwarded query, dnsmasq checks in forward.c:reply_query(), which is the forwarded query that matches the reply, by only u…

CVSS: 3.7 CWE: CWE-326 - Inadequate Encryption Strength View on NVD
Low

CVE-2020-25684

A flaw was found in dnsmasq before version 2.83. When getting a reply from a forwarded query, dnsmasq checks in the forward.c:reply_query() if the reply destination address/port is used by the pendin…

CVSS: 3.7 CWE: CWE-358 - Improperly Implemented Security Check for Standard View on NVD
2021-01-12
Medium

CVE-2020-28395

A vulnerability has been identified in SCALANCE X-200RNA switch family (All versions < V3.2.7), SCALANCE X-300 switch family (incl. X408 and SIPLUS NET variants) (All versions < V4.1.0). Devices do n…

CVSS: 5.9 CWE: CWE-321 - Use of Hard-coded Cryptographic Key View on NVD
Medium

CVE-2020-28391

A vulnerability has been identified in SCALANCE X-200 switch family (incl. SIPLUS NET variants) (All versions < V5.2.5), SCALANCE X-200IRT switch family (incl. SIPLUS NET variants) (All versions < V5…

CVSS: 5.9 CWE: CWE-321 - Use of Hard-coded Cryptographic Key View on NVD
2021-01-07
Medium

CVE-2020-4893

IBM Emptoris Strategic Supply Management 10.1.0, 10.1.1, and 10.1.3 transmits sensitive information in HTTP GET request parameters. This may lead to information disclosure via man in the middle metho…

CVSS: 5.9 CWE: CWE-319 - Cleartext Transmission of Sensitive Information View on NVD
2020-12-30
High

CVE-2020-10209

Command Injection in the CPE WAN Management Protocol (CWMP) registration in Amino Communications AK45x series, AK5xx series, AK65x series, Aria6xx series, Aria7/AK7Xx series and Kami7B allows man-in-…

CVSS: 8.1 CWE: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') View on NVD
2020-12-24
High

CVE-2020-28912

With MariaDB running on Windows, when local clients connect to the server over named pipes, it's possible for an unprivileged user with an ability to run code on the server machine to intercept the n…

CVSS: 7.0 CWE: N/A View on NVD
Medium

CVE-2020-28190

TerraMaster TOS <= 4.2.06 was found to check for updates (of both system and applications) via an insecure channel (HTTP). Man-in-the-middle attackers are able to intercept these requests and serve a…

CVSS: 5.9 CWE: N/A View on NVD
Medium

CVE-2020-5684

iSM client versions from V5.1 prior to V12.1 running on NEC Storage Manager or NEC Storage Manager Express does not verify a server certificate properly, which allows a man-in-the-middle attacker to…

CVSS: 4.8 CWE: CWE-295 - Improper Certificate Validation View on NVD
2020-12-21
Medium

CVE-2020-4841

IBM Security Secret Server 10.6 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security. An attacker could exploit this…

CVSS: 5.9 CWE: CWE-862 - Missing Authorization View on NVD
2020-12-16
Medium

CVE-2020-4905

IBM Financial Transaction Manager for SWIFT Services for Multiplatforms 3.2.4 could allow an remote attacker to obtain sensitive information, caused by a man in the middle attack. By SSL striping, an…

CVSS: 5.9 CWE: N/A View on NVD
2020-12-14
High

CVE-2020-14368

A flaw was found in Eclipse Che in versions prior to 7.14.0 that impacts CodeReady Workspaces. When configured with cookies authentication, Theia IDE doesn't properly set the SameSite value, allowing…

CVSS: 7.1 CWE: CWE-352 - Cross-Site Request Forgery (CSRF) View on NVD
2020-12-11
Medium

CVE-2020-17470

An issue was discovered in FNET through 4.6.4. The code that initializes the DNS client interface structure does not set sufficiently random transaction IDs (they are always set to 1 in _fnet_dns_pol…

CVSS: 5.3 CWE: CWE-330 - Use of Insufficiently Random Values View on NVD
High

CVE-2020-17439

An issue was discovered in uIP 1.0, as used in Contiki 3.0 and other products. The code that parses incoming DNS packets does not validate that the incoming DNS replies match outgoing DNS queries in…

CVSS: 8.3 CWE: CWE-20 - Improper Input Validation View on NVD
2020-12-08
Medium

CVE-2020-26234

Opencast before versions 8.9 and 7.9 disables HTTPS hostname verification of its HTTP client used for a large portion of Opencast's HTTP requests. Hostname verification is an important part when usin…

CVSS: 4.8 CWE: CWE-346 - Origin Validation Error View on NVD
2020-11-29
Medium

CVE-2020-29380

An issue was discovered on V-SOL V1600D V2.03.69 and V2.03.57, V1600D4L V1.01.49, V1600D-MINI V1.01.48, V1600G1 V2.0.7 and V1.9.7, and V1600G2 V1.1.4 OLT devices. TELNET is offered by default but SSH…

CVSS: 5.9 CWE: CWE-319 - Cleartext Transmission of Sensitive Information View on NVD
2020-11-24
Medium

CVE-2020-29055

An issue was discovered on CDATA 72408A, 9008A, 9016A, 92408A, 92416A, 9288, 97016, 97024P, 97028P, 97042P, 97084P, 97168P, FD1002S, FD1104, FD1104B, FD1104S, FD1104SN, FD1108S, FD1204S-R2, FD1204SN,…

CVSS: 5.9 CWE: CWE-319 - Cleartext Transmission of Sensitive Information View on NVD
2020-11-23
Low

CVE-2020-25688

A flaw was found in rhacm versions before 2.0.5 and before 2.1.0. Two internal service APIs were incorrectly provisioned using a test certificate from the source repository. This would result in all…

CVSS: 3.5 CWE: CWE-321 - Use of Hard-coded Cryptographic Key View on NVD
Medium

CVE-2020-4783

IBM Spectrum Protect Plus 10.1.0 through 10.1.6 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security. An attacker cou…

CVSS: 5.9 CWE: CWE-862 - Missing Authorization View on NVD
2020-11-19
High

CVE-2020-8279

Missing validation of server certificates for out-going connections in Nextcloud Social < 0.4.0 allowed a man-in-the-middle attack.

CVSS: 7.4 CWE: CWE-295 - Improper Certificate Validation View on NVD
2020-11-16
High

CVE-2020-25694

A flaw was found in PostgreSQL versions before 13.1, before 12.5, before 11.10, before 10.15, before 9.6.20 and before 9.5.24. If a client application that creates additional database connections onl…

CVSS: 8.1 CWE: CWE-327 - Use of a Broken or Risky Cryptographic Algorithm View on NVD
2020-10-29
Medium

CVE-2020-27657

Cleartext transmission of sensitive information vulnerability in DDNS in Synology Router Manager (SRM) before 1.2.4-8081 allows man-in-the-middle attackers to eavesdrop authentication information of…

CVSS: 6.5 CWE: CWE-319 - Cleartext Transmission of Sensitive Information View on NVD
Medium

CVE-2020-27656

Cleartext transmission of sensitive information vulnerability in DDNS in Synology DiskStation Manager (DSM) before 6.2.3-25426-2 allows man-in-the-middle attackers to eavesdrop authentication informa…

CVSS: 6.5 CWE: CWE-319 - Cleartext Transmission of Sensitive Information View on NVD
High

CVE-2020-27653

Algorithm downgrade vulnerability in QuickConnect in Synology Router Manager (SRM) before 1.2.4-8081 allows man-in-the-middle attackers to spoof servers and obtain sensitive information via unspecifi…

CVSS: 8.3 CWE: CWE-327 - Use of a Broken or Risky Cryptographic Algorithm View on NVD
High

CVE-2020-27652

Algorithm downgrade vulnerability in QuickConnect in Synology DiskStation Manager (DSM) before 6.2.3-25426-2 allows man-in-the-middle attackers to spoof servers and obtain sensitive information via u…

CVSS: 8.3 CWE: CWE-327 - Use of a Broken or Risky Cryptographic Algorithm View on NVD
High

CVE-2020-27649

Improper certificate validation vulnerability in OpenVPN client in Synology Router Manager (SRM) before 1.2.4-8081 allows man-in-the-middle attackers to spoof servers and obtain sensitive information…

CVSS: 8.3 CWE: CWE-295 - Improper Certificate Validation View on NVD
High

CVE-2020-27648

Improper certificate validation vulnerability in OpenVPN client in Synology DiskStation Manager (DSM) before 6.2.3-25426-2 allows man-in-the-middle attackers to spoof servers and obtain sensitive inf…

CVSS: 8.3 CWE: CWE-295 - Improper Certificate Validation View on NVD
2020-10-28
High

CVE-2020-8241

A vulnerability in the Pulse Secure Desktop Client < 9.1R9 could allow the attacker to perform a MITM Attack if end users are convinced to connect to a malicious server.

CVSS: 7.5 CWE: N/A View on NVD
2020-10-21
High

CVE-2020-3549

A vulnerability in the sftunnel functionality of Cisco Firepower Management Center (FMC) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to…

CVSS: 8.1 CWE: CWE-326 - Inadequate Encryption Strength View on NVD
2020-10-20
Medium

CVE-2020-3993

VMware NSX-T (3.x before 3.0.2, 2.5.x before 2.5.2.2.0) contains a security vulnerability that exists in the way it allows a KVM host to download and install packages from NSX manager. A malicious ac…

CVSS: 5.9 CWE: N/A View on NVD
2020-10-09
Medium

CVE-2020-13955

HttpUtils#getURLConnection method disables explicitly hostname verification for HTTPS connections making clients vulnerable to man-in-the-middle attacks. Calcite uses internally this method to connec…

CVSS: 5.9 CWE: CWE-295 - Improper Certificate Validation View on NVD
2020-10-02
High

CVE-2020-15589

A design issue was discovered in GetInternetRequestHandle, InternetSendRequestEx and InternetSendRequestByBitrate in the client side of Zoho ManageEngine Desktop Central 10.0.552.W and Remote Access…

CVSS: 8.1 CWE: N/A View on NVD
2020-09-24
High

CVE-2016-11086

lib/oauth/consumer.rb in the oauth-ruby gem through 0.5.4 for Ruby does not verify server X.509 certificates if a certificate bundle cannot be found, which allows man-in-the-middle attackers to spoof…

CVSS: 7.4 CWE: CWE-295 - Improper Certificate Validation View on NVD
2020-09-22
Medium

CVE-2020-24619

In mainwindow.cpp in Shotcut before 20.09.13, the upgrade check misuses TLS because of setPeerVerifyMode(QSslSocket::VerifyNone). A man-in-the-middle attacker could offer a spoofed download resource.

CVSS: 5.9 CWE: CWE-295 - Improper Certificate Validation View on NVD
2020-09-18
Medium

CVE-2020-15767

An issue was discovered in Gradle Enterprise before 2020.2.5. The cookie used to convey the CSRF prevention token is not annotated with the “secure” attribute, which allows an attacker with the abili…

CVSS: 5.3 CWE: CWE-311 - Missing Encryption of Sensitive Data View on NVD
2020-09-17
Low

CVE-2020-15187

In Helm before versions 2.16.11 and 3.3.2, a Helm plugin can contain duplicates of the same entry, with the last one always used. If a plugin is compromised, this lowers the level of access that an a…

CVSS: 3.0 CWE: CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') View on NVD
Low

CVE-2020-15185

In Helm before versions 2.16.11 and 3.3.2, a Helm repository can contain duplicates of the same chart, with the last one always used. If a repository is compromised, this lowers the level of access t…

CVSS: 2.2 CWE: CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') View on NVD
2020-09-16
Medium

CVE-2020-6781

Improper certificate validation for certain connections in the Bosch Smart Home System App for iOS prior to version 9.17.1 potentially allows to intercept video contents by performing a man-in-the-mi…

CVSS: 6.8 CWE: CWE-295 - Improper Certificate Validation View on NVD
2020-09-11
Medium

CVE-2020-1596

<p>A information disclosure vulnerability exists when TLS components use weak hash algorithms. An attacker who successfully exploited this vulnerability could obtain information to further compromise…

CVSS: 5.4 CWE: CWE-327 - Use of a Broken or Risky Cryptographic Algorithm View on NVD
High

CVE-2020-1013

<p>An elevation of privilege vulnerability exists when Microsoft Windows processes group policy updates. An attacker who successfully exploited this vulnerability could potentially escalate permissio…

CVSS: 7.5 CWE: N/A View on NVD
Medium

CVE-2020-15802

Devices supporting Bluetooth before 5.1 may allow man-in-the-middle attacks, aka BLURtooth. Cross Transport Key Derivation in Bluetooth Core Specification v4.2 and v5.0 may permit an unauthenticated…

CVSS: 5.9 CWE: CWE-287 - Improper Authentication View on NVD
2020-09-10
Medium

CVE-2020-13920

Apache ActiveMQ uses LocateRegistry.createRegistry() to create the JMX RMI registry and binds the server to the "jmxrmi" entry. It is possible to connect to the registry without authentication and ca…

CVSS: 5.9 CWE: CWE-306 - Missing Authentication for Critical Function View on NVD
2020-09-09
High

CVE-2020-6302

SAP Commerce versions 6.7, 1808, 1811, 1905, 2005 contains the jSession ID in the backoffice URL when the application is loaded initially. An attacker can get this session ID via shoulder surfing or…

CVSS: 8.1 CWE: CWE-384 - Session Fixation View on NVD
2020-09-01
Medium

CVE-2020-13946

In Apache Cassandra, all versions prior to 2.1.22, 2.2.18, 3.0.22, 3.11.8 and 4.0-beta2, it is possible for a local attacker without access to the Apache Cassandra process or configuration files to m…

CVSS: 5.9 CWE: CWE-668 - Exposure of Resource to Wrong Sphere View on NVD
2020-08-31
Medium

CVE-2020-11617

The RSS application on THOMSON THT741FTA 2.2.1 and Philips DTR3502BFTA DVB-T2 2.2.1 set-top boxes doesn't validate the SSL certificates of RSS servers, which allows a man-in-the-middle attacker to mo…

CVSS: 5.9 CWE: CWE-295 - Improper Certificate Validation View on NVD
2020-08-27
Medium

CVE-2020-4175

IBM Security Guardium Insights 2.0.1 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security. An attacker could exploit…

CVSS: 5.9 CWE: CWE-862 - Missing Authorization View on NVD
2020-08-26
High

CVE-2019-4689

IBM Security Guardium Data Encryption (GDE) 3.0.0.2 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security. An attacker…

CVSS: 7.5 CWE: CWE-319 - Cleartext Transmission of Sensitive Information View on NVD
Medium

CVE-2020-15486

An issue was discovered on Dr Trust ECG Pen 2.00.08 devices. Because the Bluetooth LE support is implemented without a requirement for pairing or security, any attacker can access the GATT server of…

CVSS: 6.5 CWE: N/A View on NVD
High

CVE-2020-5913

In versions 15.0.0-15.1.0.1, 14.1.0-14.1.2.3, 13.1.0-13.1.3.4, 12.1.0-12.1.5.1, and 11.6.1-11.6.5.2, the BIG-IP Client or Server SSL profile ignores revoked certificates, even when a valid CRL is pre…

CVSS: 7.4 CWE: CWE-295 - Improper Certificate Validation View on NVD