CVE Daily
← All tags

Tag: Mitm

All CVEs associated with "Mitm". Page 9/32 • 3809 CVEs.

Subscribe CVEs: RSS for “Mitm”  ·  RSS (High+Critical only)

About “Mitm”

A curated feed of “Mitm”-related CVEs appears below. We currently track 3809 CVEs for this tag (all time). In the last 365 days, 218 were published. Average CVSS is 6.1 (all time; 6.6 over 365d), and 25% are rated High/Critical (all time). Top CWEs (last 365 days): CWE-295 - Improper Certificate Validation, CWE-319 - Cleartext Transmission of Sensitive Information, CWE-297 - Improper Validation of Certificate with Host Mismatch.

In our taxonomy this topic maps to a MODERATE impact class. Common exploitation patterns for this weakness can lead to moderate. Use the filters to triage high risk first and validate exposure in your environment. Use the filters below to sort by CVSS, risk and CWE. Each detail page highlights vendor advisories and mitigation tips.

CVEs tagged with this topic. Filters apply to the whole list (loaded from JSON).

CVSS ≥ 0.0
2019-11-14
High

CVE-2019-15388

The Coolpad 1851 Android device with a build fingerprint of Coolpad/android/android:8.1.0/O11019/1534834761:userdebug/release-keys contains a pre-installed platform app with a package name of com.lov…

CVSS: 8.1 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
High

CVE-2019-15344

The Tecno Camon iClick Android device with a build fingerprint of TECNO/H633/TECNO-IN6:8.1.0/O11019/A-180409V96:user/release-keys contains a pre-installed platform app with a package name of com.love…

CVSS: 8.1 CWE: N/A View on NVD
2019-11-13
Medium

CVE-2010-4532

offlineimap before 6.3.2 does not check for SSL server certificate validation when "ssl = yes" option is specified which can allow man-in-the-middle attacks.

CVSS: 5.9 CWE: CWE-295 - Improper Certificate Validation View on NVD
Medium

CVE-2014-8167

vdsm and vdsclient does not validate certficate hostname from another vdsm which could facilitate a man-in-the-middle attack

CVSS: 5.9 CWE: CWE-295 - Improper Certificate Validation View on NVD
2019-11-09
Low

CVE-2009-3552

In RHEV-M VDC 2.2.0, it was found that the SSL certificate was not verified when using the client-side Red Hat Enterprise Virtualization Manager interface (a Windows Presentation Foundation (WPF) XAM…

CVSS: 3.1 CWE: CWE-295 - Improper Certificate Validation View on NVD
2019-11-08
High

CVE-2019-16209

A vulnerability, in The ReportsTrustManager class of Brocade SANnav versions before v2.0, could allow an attacker to perform a man-in-the-middle attack against Secure Sockets Layer(SSL)connections.

CVSS: 7.4 CWE: CWE-295 - Improper Certificate Validation View on NVD
2019-11-05
Medium

CVE-2013-5123

The mirroring support (-M, --use-mirrors) in Python Pip before 1.5 uses insecure DNS querying and authenticity checks which allows attackers to perform man-in-the-middle attacks.

CVSS: 5.9 CWE: CWE-287 - Improper Authentication View on NVD
2019-11-04
High

CVE-2019-13496

One Identity Cloud Access Manager before 8.1.4 Hotfix 1 allows OTP bypass via vectors involving a man in the middle, the One Identity Defender product, and replacing a failed SAML response with a suc…

CVSS: 8.1 CWE: CWE-354 - Improper Validation of Integrity Check Value View on NVD
2019-10-29
Medium

CVE-2010-4237

Mercurial before 1.6.4 fails to verify the Common Name field of SSL certificates which allows remote attackers who acquire a certificate signed by a Certificate Authority to perform a man-in-the-midd…

CVSS: 5.9 CWE: CWE-295 - Improper Certificate Validation View on NVD
2019-10-28
Medium

CVE-2019-5538

Sensitive information disclosure vulnerability resulting from a lack of certificate validation during the File-Based Backup and Restore operations of VMware vCenter Server Appliance (6.7 before 6.7u3…

CVSS: 5.9 CWE: CWE-295 - Improper Certificate Validation View on NVD
Medium

CVE-2019-5537

Sensitive information disclosure vulnerability resulting from a lack of certificate validation during the File-Based Backup and Restore operations of VMware vCenter Server Appliance (6.7 before 6.7u3…

CVSS: 5.9 CWE: CWE-295 - Improper Certificate Validation View on NVD
2019-10-22
Medium

CVE-2019-11674

Man-in-the-middle vulnerability in Micro Focus Self Service Password Reset, affecting all versions prior to 4.4.0.4. The vulnerability could exploit invalid certificate validation and may result in a…

CVSS: 5.9 CWE: CWE-295 - Improper Certificate Validation View on NVD
2019-10-14
High

CVE-2019-14823

A flaw was found in the "Leaf and Chain" OCSP policy implementation in JSS' CryptoManager versions after 4.4.6, 4.5.3, 4.6.0, where it implicitly trusted the root certificate of a certificate chain.…

CVSS: 7.4 CWE: CWE-358 - Improperly Implemented Security Check for Standard View on NVD
2019-10-10
Medium

CVE-2019-1338

A security feature bypass vulnerability exists in Microsoft Windows when a man-in-the-middle attacker is able to successfully bypass the NTLMv2 protection if a client is also sending LMv2 responses,…

CVSS: 5.9 CWE: N/A View on NVD
Medium

CVE-2019-1166

A tampering vulnerability exists in Microsoft Windows when a man-in-the-middle attacker is able to successfully bypass the NTLM MIC (Message Integrity Check) protection, aka 'Windows NTLM Tampering V…

CVSS: 5.9 CWE: CWE-354 - Improper Validation of Integrity Check Value View on NVD
2019-10-09
High

CVE-2019-15022

A security vulnerability exists in Zingbox Inspector versions 1.294 and earlier, that allows for the Inspector to be susceptible to ARP spoofing.

CVSS: 7.5 CWE: CWE-290 - Authentication Bypass by Spoofing View on NVD
Medium

CVE-2019-0054

An Improper Certificate Validation weakness in the SRX Series Application Identification (app-id) signature update client of Juniper Networks Junos OS allows an attacker to perform Man-in-the-Middle…

CVSS: 6.8 CWE: CWE-295 - Improper Certificate Validation View on NVD
Medium

CVE-2019-5506

Clustered Data ONTAP versions 9.0 and higher do not enforce hostname verification under certain circumstances making them susceptible to impersonation via man-in-the-middle attacks.

CVSS: 5.9 CWE: CWE-295 - Improper Certificate Validation View on NVD
2019-10-08
Medium

CVE-2019-14845

A vulnerability was found in OpenShift builds, versions 4.1 up to 4.3. Builds that extract source from a container image, bypass the TLS hostname verification. An attacker can take advantage of this…

CVSS: 5.3 CWE: CWE-494 - Download of Code Without Integrity Check View on NVD
2019-09-30
Medium

CVE-2019-13467

Description: Western Digital SSD Dashboard before 2.5.1.0 and SanDisk SSD Dashboard before 2.5.1.0 applications are potentially vulnerable to man-in-the-middle attacks when the applications download…

CVSS: 5.9 CWE: N/A View on NVD
2019-09-27
Medium

CVE-2019-9414

In wpa_supplicant, there is a possible man in the middle vulnerability due to improper input validation of the basicConstraints field of intermediary certificates. This could lead to remote informati…

CVSS: 5.9 CWE: CWE-20 - Improper Input Validation View on NVD
Medium

CVE-2019-9399

The Print Service is susceptible to man in the middle attacks due to improperly used crypto. This could lead to remote information disclosure with no additional execution privileges needed. User inte…

CVSS: 5.9 CWE: CWE-327 - Use of a Broken or Risky Cryptographic Algorithm View on NVD
2019-09-25
High

CVE-2019-12665

A vulnerability in the HTTP client feature of Cisco IOS and IOS XE Software could allow an unauthenticated, remote attacker to read and modify data that should normally have been sent via an encrypte…

CVSS: 7.4 CWE: CWE-399 View on NVD
2019-09-18
High

CVE-2019-15843

A malicious file upload vulnerability was discovered in Xiaomi Millet mobile phones 1-6.3.9.3. A particular condition involving a man-in-the-middle attack may lead to partial data leakage or maliciou…

CVSS: 7.4 CWE: CWE-434 - Unrestricted Upload of File with Dangerous Type View on NVD
2019-09-17
Low

CVE-2019-4171

IBM Cognos Controller 10.3.0, 10.3.1, 10.4.0, and 10.4.1 does not set the secure attribute on authorization tokens or session cookies. This could allow an attacker to obtain sensitive information usi…

CVSS: 3.7 CWE: CWE-311 - Missing Encryption of Sensitive Data View on NVD
2019-09-05
Medium

CVE-2019-10753

In all versions prior to version 3.9.6 for eclipse-wtp, all versions prior to version 9.4.4 for eclipse-cdt, and all versions prior to version 3.0.1 for eclipse-groovy, Spotless was resolving depende…

CVSS: 5.9 CWE: CWE-669 - Incorrect Resource Transfer Between Spheres View on NVD
2019-09-04
High

CVE-2019-12587

The EAP peer implementation in Espressif ESP-IDF 2.0.0 through 4.0.0 and ESP8266_NONOS_SDK 2.2.0 through 3.1.0 allows the installation of a zero Pairwise Master Key (PMK) after the completion of any…

CVSS: 8.1 CWE: CWE-327 - Use of a Broken or Risky Cryptographic Algorithm View on NVD
2019-09-03
Medium

CVE-2019-3751

Dell EMC Enterprise Copy Data Management (eCDM) versions 1.0, 1.1, 2.0, 2.1, and 3.0 contain a certificate validation vulnerability. An unauthenticated remote attacker may potentially exploit this vu…

CVSS: 6.4 CWE: CWE-295 - Improper Certificate Validation View on NVD
2019-08-26
Medium

CVE-2016-10933

An issue was discovered in the portaudio crate through 0.7.0 for Rust. There is a man-in-the-middle issue because the source code is downloaded over cleartext HTTP.

CVSS: 5.9 CWE: CWE-254 View on NVD
Medium

CVE-2016-10932

An issue was discovered in the hyper crate before 0.9.4 for Rust on Windows. There is an HTTPS man-in-the-middle vulnerability because hostname verification was omitted.

CVSS: 4.8 CWE: CWE-254 View on NVD
High

CVE-2016-10931

An issue was discovered in the openssl crate before 0.9.0 for Rust. There is an SSL/TLS man-in-the-middle vulnerability because certificate verification is off by default and there is no API for host…

CVSS: 8.1 CWE: CWE-295 - Improper Certificate Validation View on NVD
2019-08-23
Medium

CVE-2019-5592

Multiple padding oracle vulnerabilities (Zombie POODLE, GOLDENDOODLE, OpenSSL 0-length) in the CBC padding implementation of FortiOS IPS engine version 5.000 to 5.006, 4.000 to 4.036, 4.200 to 4.219,…

CVSS: 5.9 CWE: CWE-347 - Improper Verification of Cryptographic Signature View on NVD
2019-08-21
Medium

CVE-2019-1948

A vulnerability in Cisco Webex Meetings Mobile (iOS) could allow an unauthenticated, remote attacker to gain unauthorized read access to sensitive data by using an invalid Secure Sockets Layer (SSL)…

CVSS: 5.9 CWE: CWE-295 - Improper Certificate Validation View on NVD
High

CVE-2019-12621

A vulnerability in Cisco HyperFlex Software could allow an unauthenticated, remote attacker to perform a man-in-the-middle attack. The vulnerability is due to insufficient key management. An attacker…

CVSS: 7.4 CWE: CWE-320 View on NVD
2019-08-13
Medium

CVE-2019-5280

The SIP TLS module of Huawei CloudLink Phone 7900 with V600R019C10 has a TLS certificate verification vulnerability. Due to insufficient verification of specific parameters of the TLS server certific…

CVSS: 6.5 CWE: CWE-295 - Improper Certificate Validation View on NVD
Medium

CVE-2019-10929

A vulnerability has been identified in SIMATIC CP 1626 (All versions), SIMATIC ET 200SP Open Controller CPU 1515SP PC (incl. SIPLUS variants) (All versions), SIMATIC ET 200SP Open Controller CPU 1515…

CVSS: 5.9 CWE: CWE-327 - Use of a Broken or Risky Cryptographic Algorithm View on NVD
High

CVE-2019-14516

The mAadhaar application 1.2.7 for Android lacks SSL Certificate Validation, leading to man-in-the-middle attacks against requests for FAQs or Help.

CVSS: 7.4 CWE: CWE-295 - Improper Certificate Validation View on NVD
2019-07-31
High

CVE-2018-16860

A flaw was found in samba's Heimdal KDC implementation, versions 4.8.x up to, excluding 4.8.12, 4.9.x up to, excluding 4.9.8 and 4.10.x up to, excluding 4.10.3, when used in AD DC mode. A man in the…

CVSS: 7.5 CWE: CWE-358 - Improperly Implemented Security Check for Standard View on NVD
2019-07-30
High

CVE-2019-7615

A TLS certificate validation flaw was found in Elastic APM agent for Ruby versions before 2.9.0. When specifying a trusted server CA certificate via the 'server_ca_cert' setting, the Ruby agent would…

CVSS: 7.4 CWE: CWE-295 - Improper Certificate Validation View on NVD
High

CVE-2019-5456

SMTP MITM refers to a malicious actor setting up an SMTP proxy server between the UniFi Controller version <= 5.10.21 and their actual SMTP server to record their SMTP credentials for malicious use l…

CVSS: 8.1 CWE: CWE-300 - Channel Accessible by Non-Endpoint View on NVD
2019-07-29
High

CVE-2019-13498

One Identity Cloud Access Manager 8.1.3 does not use HTTP Strict Transport Security (HSTS), which may allow man-in-the-middle (MITM) attacks. This issue is fixed in version 8.1.4.

CVSS: 7.4 CWE: CWE-319 - Cleartext Transmission of Sensitive Information View on NVD
2019-07-19
Medium

CVE-2019-12820

A vulnerability was found in the app 2.0 of the Shenzhen Jisiwei i3 robot vacuum cleaner. Actions performed on the app such as changing a password, and personal information it communicates with the s…

CVSS: 5.6 CWE: CWE-319 - Cleartext Transmission of Sensitive Information View on NVD
2019-07-17
Medium

CVE-2019-1940

A vulnerability in the Web Services Management Agent (WSMA) feature of Cisco Industrial Network Director (IND) could allow an unauthenticated, remote attacker to gain unauthorized read access to sens…

CVSS: 5.9 CWE: CWE-310 View on NVD
2019-07-12
High

CVE-2019-11242

A man-in-the-middle vulnerability related to vCenter access was found in Cohesity DataPlatform version 5.x and 6.x prior to 6.1.1c. Cohesity clusters did not verify TLS certificates presented by vCen…

CVSS: 8.1 CWE: CWE-295 - Improper Certificate Validation View on NVD
2019-07-10
Medium

CVE-2019-11650

A potential Man in the Middle attack (MITM) was found in NetIQ Advanced Authentication Framework versions prior to 6.0.

CVSS: 5.9 CWE: N/A View on NVD
2019-07-05
High

CVE-2019-5982

Improper download file verification vulnerability in VAIO Update 7.3.0.03150 and earlier allows remote attackers to conduct a man-in-the-middle attack via a malicous wireless LAN access point. A succ…

CVSS: 7.5 CWE: CWE-494 - Download of Code Without Integrity Check View on NVD
High

CVE-2019-5961

The Android App 'Tootdon for Mastodon' version 3.4.1 and earlier does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive in…

CVSS: 7.4 CWE: CWE-295 - Improper Certificate Validation View on NVD
2019-07-03
High

CVE-2019-10103

JetBrains IntelliJ IDEA projects created using the Kotlin (JS Client/JVM Server) IDE Template were resolving Gradle artifacts using an http connection, potentially allowing an MITM attack. This issue…

CVSS: 8.1 CWE: CWE-311 - Missing Encryption of Sensitive Data View on NVD
High

CVE-2019-10102

JetBrains Ktor framework (created using the Kotlin IDE template) versions before 1.1.0 were resolving artifacts using an http connection during the build process, potentially allowing an MITM attack.…

CVSS: 8.1 CWE: CWE-319 - Cleartext Transmission of Sensitive Information View on NVD
High

CVE-2019-10101

JetBrains Kotlin versions before 1.3.30 were resolving artifacts using an http connection during the build process, potentially allowing an MITM attack.

CVSS: 8.1 CWE: CWE-319 - Cleartext Transmission of Sensitive Information View on NVD
2019-07-02
Medium

CVE-2017-11578

It was discovered as a part of the research on IoT devices in the most recent firmware for Blipcare device that the device allows to connect to web management interface on a non-SSL connection using…

CVSS: 5.9 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2019-06-28
High

CVE-2019-9843

In DiffPlug Spotless before 1.20.0 (library and Maven plugin) and before 3.20.0 (Gradle plugin), the XML parser would resolve external entities over both HTTP and HTTPS and didn't respect the resolve…

CVSS: 7.5 CWE: CWE-611 - Improper Restriction of XML External Entity Reference View on NVD
2019-06-25
Low

CVE-2019-4150

IBM Security Access Manager 9.0.1 through 9.0.6 does not validate, or incorrectly validates, a certificate which could allow an attacker to spoof a trusted entity by using a man-in-the-middle (MITM)…

CVSS: 3.7 CWE: CWE-295 - Improper Certificate Validation View on NVD
2019-06-17
Medium

CVE-2019-10997

An issue was discovered on Phoenix Contact AXC F 2152 (No.2404267) before 2019.0 LTS and AXC F 2152 STARTERKIT (No.1046568) before 2019.0 LTS devices. Protocol Fuzzing on PC WORX Engineer by a man in…

CVSS: 5.9 CWE: N/A View on NVD
2019-06-16
High

CVE-2019-12855

In words.protocols.jabber.xmlstream in Twisted through 19.2.1, XMPP support did not verify certificates when used with TLS, allowing an attacker to MITM connections.

CVSS: 7.4 CWE: CWE-295 - Improper Certificate Validation View on NVD
2019-06-14
High

CVE-2019-11770

In Eclipse Buildship versions prior to 3.1.1, the build files indicate that this project is resolving dependencies over HTTP instead of HTTPS. Any of these artifacts could have been MITM to malicious…

CVSS: 8.1 CWE: CWE-829 - Inclusion of Functionality from Untrusted Control Sphere View on NVD
2019-06-12
Medium

CVE-2019-3875

A vulnerability was found in keycloak before 6.0.2. The X.509 authenticator supports the verification of client certificates through the CRL, where the CRL list can be obtained from the URL provided…

CVSS: 6.5 CWE: CWE-295 - Improper Certificate Validation View on NVD
Medium

CVE-2019-1040

A tampering vulnerability exists in Microsoft Windows when a man-in-the-middle attacker is able to successfully bypass the NTLM MIC (Message Integrity Check) protection. An attacker who successfully…

CVSS: 5.3 CWE: N/A View on NVD
2019-06-07
Critical

CVE-2018-10698

An issue was discovered on Moxa AWK-3121 1.14 devices. The device enables an unencrypted TELNET service by default. This allows an attacker who has been able to gain an MITM position to easily sniff…

CVSS: 9.8 CWE: CWE-311 - Missing Encryption of Sensitive Data View on NVD
High

CVE-2018-10694

An issue was discovered on Moxa AWK-3121 1.14 devices. The device provides a Wi-Fi connection that is open and does not use any encryption mechanism by default. An administrator who uses the open wir…

CVSS: 8.1 CWE: CWE-311 - Missing Encryption of Sensitive Data View on NVD
High

CVE-2018-20135

Samsung Galaxy Apps before 4.4.01.7 allows modification of the hostname used for load balancing on installations of applications through a man-in-the-middle attack. An attacker may trick Galaxy Apps…

CVSS: 8.1 CWE: CWE-295 - Improper Certificate Validation View on NVD
Medium

CVE-2019-8282

Gemalto Admin Control Center, all versions prior to 7.92, uses cleartext HTTP to communicate with www3.safenet-inc.com to obtain language packs. This allows attacker to do man-in-the-middle (MITM) at…

CVSS: 5.3 CWE: CWE-300 - Channel Accessible by Non-Endpoint View on NVD
2019-06-04
Medium

CVE-2019-5215

There is a man-in-the-middle (MITM) vulnerability on Huawei P30 smartphones versions before ELE-AL00 9.1.0.162(C01E160R1P12/C01E160R2P1), and P30 Pro versions before VOG-AL00 9.1.0.162 (C01E160R1P12/…

CVSS: 6.8 CWE: N/A View on NVD
2019-05-29
Medium

CVE-2019-4264

IBM QRadar SIEM 7.2.8 WinCollect could allow an attacker to obtain sensitive information by spoofing a trusted entity using man in the middle techniques due to not validating or incorrectly validatin…

CVSS: 5.9 CWE: CWE-295 - Improper Certificate Validation View on NVD
Medium

CVE-2019-4138

IBM Tivoli Storage Productivity Center 5.2.13 through 5.3.0.1 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security. A…

CVSS: 5.9 CWE: CWE-522 - Insufficiently Protected Credentials View on NVD
2019-05-16
High

CVE-2019-0734

An elevation of privilege vulnerability exists in Microsoft Windows when a man-in-the-middle attacker is able to successfully decode and replace authentication request using Kerberos, allowing an att…

CVSS: 8.1 CWE: N/A View on NVD
2019-05-15
High

CVE-2019-12098

In the client side of Heimdal before 7.6.0, failure to verify anonymous PKINIT PA-PKINIT-KX key exchange permits a man-in-the-middle attack. This issue is in krb5_init_creds_step in lib/krb5/init_cre…

CVSS: 7.4 CWE: CWE-295 - Improper Certificate Validation View on NVD
2019-05-08
High

CVE-2018-5408

The PrinterLogic Print Management software, versions up to and including 18.3.1.96, does not validate, or incorrectly validates, the PrinterLogic management portal's SSL certificate. When a certifica…

CVSS: 7.4 CWE: CWE-295 - Improper Certificate Validation View on NVD
2019-04-26
High

CVE-2019-9803

The Upgrade-Insecure-Requests (UIR) specification states that if UIR is enabled through Content Security Policy (CSP), navigation to a same-origin URL must be upgraded to HTTPS. Firefox will incorrec…

CVSS: 7.4 CWE: CWE-346 - Origin Validation Error View on NVD
High

CVE-2019-9798

On Android systems, Firefox can load a library from APITRACE_LIB, which is writable by all users and applications. This could allow malicious third party applications to execute a man-in-the-middle a…

CVSS: 7.4 CWE: CWE-426 - Untrusted Search Path View on NVD
2019-04-25
High

CVE-2018-1360

A cleartext transmission of sensitive information vulnerability in Fortinet FortiManager 5.2.0 through 5.2.7, 5.4.0 and 5.4.1 may allow an unauthenticated attacker in a man in the middle position to…

CVSS: 8.1 CWE: CWE-319 - Cleartext Transmission of Sensitive Information View on NVD
2019-04-23
High

CVE-2019-0223

While investigating bug PROTON-2014, we discovered that under some circumstances Apache Qpid Proton versions 0.9 to 0.27.0 (C library and its language bindings) can connect to a peer anonymously usin…

CVSS: 7.4 CWE: N/A View on NVD
2019-04-22
High

CVE-2019-10248

Eclipse Vorto versions prior to 0.11 resolved Maven build artifacts for the Xtext project over HTTP instead of HTTPS. Any of these dependent artifacts could have been maliciously compromised by a MIT…

CVSS: 8.1 CWE: CWE-494 - Download of Code Without Integrity Check View on NVD
High

CVE-2019-11404

arrow-kt Arrow before 0.9.0 resolved Gradle build artifacts (for compiling and building the published JARs) over HTTP instead of HTTPS. Any of these dependent artifacts could have been maliciously co…

CVSS: 8.1 CWE: CWE-311 - Missing Encryption of Sensitive Data View on NVD
2019-04-18
Medium

CVE-2018-20200

CertificatePinner.java in OkHttp 3.x through 3.12.0 allows man-in-the-middle attackers to bypass certificate pinning by changing SSLContext and the boolean values while hooking the application. NOTE:…

CVSS: 5.9 CWE: CWE-295 - Improper Certificate Validation View on NVD
2019-04-10
Medium

CVE-2019-11065

Gradle versions from 1.4 to 5.3.1 use an insecure HTTP URL to download dependencies when the built-in JavaScript or CoffeeScript Gradle plugins are used. Dependency artifacts could have been maliciou…

CVSS: 5.9 CWE: N/A View on NVD
2019-04-09
High

CVE-2017-17023

The Sophos UTM VPN endpoint interacts with client software provided by NPC Engineering (www.ncp-e.com). The affected client software, "Sophos IPSec Client" 11.04 is a rebranded version of NCP "Secure…

CVSS: 8.1 CWE: CWE-345 - Insufficient Verification of Data Authenticity View on NVD
2019-04-04
Medium

CVE-2019-1828

A vulnerability in the web-based management interface of Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers could allow an unauthenticated, remote attacker to access administrative cre…

CVSS: 5.9 CWE: CWE-327 - Use of a Broken or Risky Cryptographic Algorithm View on NVD
Medium

CVE-2014-3603

The (1) HttpResource and (2) FileBackedHttpResource implementations in Shibboleth Identity Provider (IdP) before 2.4.1 and OpenSAML Java 2.6.2 do not verify that the server hostname matches a domain…

CVSS: 5.9 CWE: CWE-297 - Improper Validation of Certificate with Host Mismatch View on NVD
2019-04-03
High

CVE-2019-10240

Eclipse hawkBit versions prior to 0.3.0M2 resolved Maven build artifacts for the Vaadin based UI over HTTP instead of HTTPS. Any of these dependent artifacts could have been maliciously compromised b…

CVSS: 8.1 CWE: CWE-494 - Download of Code Without Integrity Check View on NVD
2019-04-02
High

CVE-2019-6531

An attacker could retrieve passwords from a HTTP GET request from the Kunbus PR100088 Modbus gateway versions prior to Release R02 (or Software Version 1.1.13166) if the attacker is in an MITM positi…

CVSS: 8.1 CWE: CWE-598 - Use of HTTP Request With Sensitive Query String View on NVD
High

CVE-2019-1010260

Using ktlint to download and execute custom rulesets can result in arbitrary code execution as the served jars can be compromised by a MITM. This attack is exploitable via Man in the Middle of the HT…

CVSS: 8.1 CWE: CWE-319 - Cleartext Transmission of Sensitive Information View on NVD
2019-04-01
Medium

CVE-2018-13298

Channel accessible by non-endpoint vulnerability in privacy page in Synology Android Moments before 1.2.3-199 allows man-in-the-middle attackers to execute arbitrary code via unspecified vectors.

CVSS: 4.2 CWE: CWE-300 - Channel Accessible by Non-Endpoint View on NVD
High

CVE-2018-13283

Lack of administrator control over security vulnerability in client.cgi in Synology SSL VPN Client before 1.2.5-0226 allows remote attackers to conduct man-in-the-middle attacks via the (1) command,…

CVSS: 8.8 CWE: CWE-671 - Lack of Administrator Control over Security View on NVD
2019-03-28
Medium

CVE-2019-10251

The UCWeb UC Browser application through 2019-03-26 for Android uses HTTP to download certain modules associated with PDF and Microsoft Office files (related to libpicsel), which allows MITM attacks.

CVSS: 5.9 CWE: CWE-319 - Cleartext Transmission of Sensitive Information View on NVD
Medium

CVE-2019-10250

UCWeb UC Browser 7.0.185.1002 on Windows uses HTTP for downloading certain PDF modules, which allows MITM attacks.

CVSS: 5.9 CWE: CWE-319 - Cleartext Transmission of Sensitive Information View on NVD
Medium

CVE-2019-1757

A vulnerability in the Cisco Smart Call Home feature of Cisco IOS and IOS XE Software could allow an unauthenticated, remote attacker to gain unauthorized read access to sensitive data using an inval…

CVSS: 5.9 CWE: CWE-295 - Improper Certificate Validation View on NVD
High

CVE-2019-1748

A vulnerability in the Cisco Network Plug-and-Play (PnP) agent of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to gain unauthorized access to sensitive…

CVSS: 7.4 CWE: CWE-295 - Improper Certificate Validation View on NVD
2019-03-25
High

CVE-2019-3841

Kubevirt/virt-cdi-importer, versions 1.4.0 to 1.5.3 inclusive, were reported to disable TLS certificate validation when importing data into PVCs from container registries. This could enable man-in-th…

CVSS: 7.4 CWE: CWE-295 - Improper Certificate Validation View on NVD
2019-03-21
High

CVE-2019-5729

Splunk-SDK-Python before 1.6.6 does not properly verify untrusted TLS server certificates, which could result in man-in-the-middle attacks.

CVSS: 8.1 CWE: CWE-295 - Improper Certificate Validation View on NVD
2019-03-11
High

CVE-2019-9686

pacman before 5.1.3 allows directory traversal when installing a remote package via a specified URL "pacman -U <url>" due to an unsanitized file name received from a Content-Disposition header. pacma…

CVSS: 8.8 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
2019-03-05
Medium

CVE-2019-4063

IBM Sterling B2B Integrator 5.2.0.1 through 6.0.0.0 Standard Edition could allow highly sensitive information to be transmitted in plain text. An attacker could obtain this information using man in t…

CVSS: 5.9 CWE: CWE-319 - Cleartext Transmission of Sensitive Information View on NVD
2019-02-26
Medium

CVE-2019-6593

On BIG-IP 11.5.1-11.5.4, 11.6.1, and 12.1.0, a virtual server configured with a Client SSL profile may be vulnerable to a chosen ciphertext attack against CBC ciphers. When exploited, this may result…

CVSS: 5.9 CWE: CWE-327 - Use of a Broken or Risky Cryptographic Algorithm View on NVD
2019-02-25
High

CVE-2019-9146

Jamf Self Service 10.9.0 allows man-in-the-middle attackers to obtain a root shell by leveraging the "publish Bash shell scripts" feature to insert "/Applications/Utilities/Terminal app/Contents/MacO…

CVSS: 7.5 CWE: N/A View on NVD
2019-02-22
High

CVE-2019-7728

An issue was discovered in the Bosch Smart Camera App before 1.3.1 for Android. Due to improperly implemented TLS certificate checks, a malicious actor could potentially succeed in executing a man-in…

CVSS: 7.5 CWE: CWE-295 - Improper Certificate Validation View on NVD
2019-02-21
High

CVE-2019-1659

A vulnerability in the Identity Services Engine (ISE) integration feature of Cisco Prime Infrastructure (PI) could allow an unauthenticated, remote attacker to perform a man-in-the-middle attack agai…

CVSS: 7.4 CWE: CWE-295 - Improper Certificate Validation View on NVD
2019-02-19
Medium

CVE-2018-1996

IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could provide weaker than expected security, caused by the improper TLS configuration. A remote attacker could exploit this vulnerability to ob…

CVSS: 5.3 CWE: CWE-327 - Use of a Broken or Risky Cryptographic Algorithm View on NVD
2019-02-17
High

CVE-2019-7399

Amazon Fire OS before 5.3.6.4 allows a man-in-the-middle attack against HTTP requests for "Terms of Use" and Privacy pages.

CVSS: 7.4 CWE: CWE-346 - Origin Validation Error View on NVD
2019-02-15
Medium

CVE-2019-8345

The Help feature in the ES File Explorer File Manager application 4.1.9.7.4 for Android allows session hijacking by a Man-in-the-middle attacker on the local network because HTTPS is not used, and an…

CVSS: 4.2 CWE: CWE-319 - Cleartext Transmission of Sensitive Information View on NVD
2019-02-11
High

CVE-2019-7722

PMD 5.8.1 and earlier processes XML external entities in ruleset files it parses as part of the analysis process, allowing attackers tampering it (either by direct modification or MITM attacks when u…

CVSS: 8.1 CWE: CWE-611 - Improper Restriction of XML External Entity Reference View on NVD
2019-02-08
Medium

CVE-2019-7628

Pagure 5.2 leaks API keys by e-mailing them to users. Few e-mail servers validate TLS certificates, so it is easy for man-in-the-middle attackers to read these e-mails and gain access to Pagure on be…

CVSS: 5.9 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2019-02-05
Low

CVE-2017-1200

IBM BigFix Compliance 1.7 through 1.9.91 (TEMA SUAv1 SCA SCM) does not validate, or incorrectly validates, a certificate.This weakness might allow an attacker to spoof a trusted entity by using a man…

CVSS: 3.7 CWE: CWE-295 - Improper Certificate Validation View on NVD
2019-02-04
High

CVE-2019-7323

GUP (generic update process) in LightySoft LogMX before 7.4.0 does not properly verify the authenticity of updates, which allows man-in-the-middle attackers to execute arbitrary code via a Trojan hor…

CVSS: 7.5 CWE: CWE-345 - Insufficient Verification of Data Authenticity View on NVD
2019-01-31
High

CVE-2019-7283

An issue was discovered in rcp in NetKit through 0.17. For an rcp operation, the server chooses which files/directories are sent to the client. However, the rcp client only performs cursory validatio…

CVSS: 7.4 CWE: N/A View on NVD
Medium

CVE-2019-6111

An issue was discovered in OpenSSH 7.9. Due to the scp implementation being derived from 1983 rcp, the server chooses which files/directories are sent to the client. However, the scp client only perf…

CVSS: 5.9 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
Medium

CVE-2019-6110

In OpenSSH 7.9, due to accepting and displaying arbitrary stderr output from the server, a malicious server (or Man-in-The-Middle attacker) can manipulate the client output, for example to use ANSI c…

CVSS: 6.8 CWE: CWE-838 - Inappropriate Encoding for Output Context View on NVD
Medium

CVE-2019-6109

An issue was discovered in OpenSSH 7.9. Due to missing character encoding in the progress display, a malicious server (or Man-in-The-Middle attacker) can employ crafted object names to manipulate the…

CVSS: 6.8 CWE: CWE-116 - Improper Encoding or Escaping of Output View on NVD
2019-01-28
High

CVE-2019-3462

Incorrect sanitation of the 302 redirect field in HTTP transport method of apt versions 1.4.8 and earlier can lead to content injection by a MITM attacker, potentially leading to remote code executio…

CVSS: 8.1 CWE: N/A View on NVD
2019-01-20
Medium

CVE-2018-18908

The Sky Go Desktop application 1.0.19-1 through 1.0.23-1 for Windows performs several requests over cleartext HTTP. This makes the data submitted in these requests prone to Man in The Middle (MiTM) a…

CVSS: 5.9 CWE: CWE-319 - Cleartext Transmission of Sensitive Information View on NVD
2019-01-18
High

CVE-2018-15784

Dell Networking OS10 versions prior to 10.4.3.0 contain a vulnerability in the Phone Home feature which does not properly validate the server's certificate authority during TLS handshake. Use of an i…

CVSS: 7.4 CWE: CWE-295 - Improper Certificate Validation View on NVD
2019-01-09
Medium

CVE-2018-16187

The RICOH Interactive Whiteboard D2200 V1.3 to V2.2, D5500 V1.3 to V2.2, D5510 V1.3 to V2.2, the display versions with RICOH Interactive Whiteboard Controller Type1 V1.3 to V2.2 attached (D5520, D650…

CVSS: 5.9 CWE: CWE-295 - Improper Certificate Validation View on NVD
Medium

CVE-2018-16179

The Mizuho Direct App for Android version 3.13.0 and earlier does not verify server certificates, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a craf…

CVSS: 5.9 CWE: CWE-295 - Improper Certificate Validation View on NVD
2019-01-07
High

CVE-2018-5481

OnCommand Unified Manager for 7-Mode (core package) prior to 5.2.4 uses cookies that lack the secure attribute in certain circumstances making it vulnerable to impersonation via man-in-the-middle (MI…

CVSS: 7.4 CWE: CWE-311 - Missing Encryption of Sensitive Data View on NVD
2018-12-20
High

CVE-2018-18767

An issue was discovered in D-Link 'myDlink Baby App' version 2.04.06. Whenever actions are performed from the app (e.g., change camera settings or play lullabies), it communicates directly with the W…

CVSS: 7.0 CWE: CWE-326 - Inadequate Encryption Strength View on NVD
High

CVE-2018-15722

The Logitech Harmony Hub before version 4.15.206 is vulnerable to OS command injection via the time update request. A remote server or man in the middle can inject OS commands with a properly formatt…

CVSS: 8.1 CWE: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') View on NVD
Critical

CVE-2018-1000836

bw-calendar-engine version <= bw-calendar-engine-3.12.0 contains a XML External Entity (XXE) vulnerability in IscheduleClient XML Parser that can result in Disclosure of confidential data, denial of…

CVSS: 9.0 CWE: CWE-611 - Improper Restriction of XML External Entity Reference View on NVD
Critical

CVE-2018-1000834

runelite version <= runelite-parent-1.4.23 contains a XML External Entity (XXE) vulnerability in Man in the middle runscape services call that can result in Disclosure of confidential data, denial of…

CVSS: 9.0 CWE: CWE-611 - Improper Restriction of XML External Entity Reference View on NVD
Critical

CVE-2018-1000829

Anyplace version before commit 80359b4 contains a XML External Entity (XXE) vulnerability in Man in the middle on map API call that can result in Disclosure of confidential data, denial of service, S…

CVSS: 9.0 CWE: CWE-611 - Improper Restriction of XML External Entity Reference View on NVD
Critical

CVE-2018-1000828

FrostWire version <= frostwire-desktop-6.7.4-build-272 contains a XML External Entity (XXE) vulnerability in Man in the middle on update that can result in Disclosure of confidential data, denial of…

CVSS: 9.0 CWE: CWE-611 - Improper Restriction of XML External Entity Reference View on NVD
2018-12-19
High

CVE-2018-17195

The template upload API endpoint accepted requests from different domain when sent in conjunction with ARP spoofing + man in the middle (MiTM) attack, resulting in a CSRF attack. The required attack…

CVSS: 7.5 CWE: CWE-319 - Cleartext Transmission of Sensitive Information View on NVD