Total
1192 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-3218 | 1 Ibm | 1 I | 2025-07-03 | 5.4 Medium |
| IBM i 7.2, 7.3, 7.4, 7.5, and 7.6 is vulnerable to authentication and authorization attacks due to incorrect validation processing in IBM i Netserver. A malicious actor could use the weaknesses, in conjunction with brute force authentication attacks or to bypass authority restrictions, to access the server. | ||||
| CVE-2024-40702 | 2 Ibm, Microsoft | 3 Cognos Controller, Controller, Windows | 2025-07-03 | 8.2 High |
| IBM Cognos Controller 11.0.0 through 11.0.1 and IBM Controller 11.1.0 could allow an unauthorized user to obtain valid tokens to gain access to protected resources due to improper certificate validation. | ||||
| CVE-2025-6433 | 1 Mozilla | 1 Firefox | 2025-07-03 | 9.8 Critical |
| If a user visited a webpage with an invalid TLS certificate, and granted an exception, the webpage was able to provide a WebAuthn challenge that the user would be prompted to complete. This is in violation of the WebAuthN spec which requires "a secure transport established without errors". This vulnerability affects Firefox < 140. | ||||
| CVE-2025-34066 | 2025-07-03 | N/A | ||
| An improper certificate validation vulnerability exists in AVTECH IP cameras, DVRs, and NVRs due to the use of wget with --no-check-certificate in scripts like SyncCloudAccount.sh and SyncPermit.sh. This exposes HTTPS communications to man-in-the-middle (MITM) attacks. | ||||
| CVE-2025-6032 | 1 Redhat | 2 Enterprise Linux, Openshift | 2025-07-02 | 8.3 High |
| A flaw was found in Podman. The podman machine init command fails to verify the TLS certificate when downloading the VM images from an OCI registry. This issue results in a Man In The Middle attack. | ||||
| CVE-2024-23928 | 2025-07-01 | 6.5 Medium | ||
| This vulnerability allows network-adjacent attackers to compromise the integrity of downloaded information on affected installations of Pioneer DMH-WT7600NEX devices. Authentication is not required to exploit this vulnerability. The specific flaw exists within the telematics functionality, which operates over HTTPS. The issue results from the lack of proper validation of the certificate presented by the server. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of root. | ||||
| CVE-2020-35509 | 1 Redhat | 2 Keycloak, Red Hat Single Sign On | 2025-06-30 | 5.4 Medium |
| A flaw was found in keycloak affecting versions 11.0.3 and 12.0.0. An expired certificate would be accepted by the direct-grant authenticator because of missing time stamp validations. The highest threat from this vulnerability is to data confidentiality and integrity. | ||||
| CVE-2024-23970 | 1 Chargepoint | 6 Home Flex Hardwired, Home Flex Hardwired Firmware, Home Flex Nema 14-50 Plug and 3 more | 2025-06-30 | 6.5 Medium |
| This vulnerability allows network-adjacent attackers to compromise transport security on affected installations of ChargePoint Home Flex charging stations. Authentication is not required to exploit this vulnerability. The specific flaw exists within the CURLOPT_SSL_VERIFYHOST setting. The issue results from the lack of proper validation of the certificate presented by the server. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of root. | ||||
| CVE-2025-52919 | 2025-06-30 | 4.3 Medium | ||
| In Yealink YMCS RPS before 2025-05-26, the certificate upload function does not properly validate certificate content, potentially allowing invalid certificates to be uploaded. | ||||
| CVE-2024-5921 | 1 Paloaltonetworks | 1 Globalprotect | 2025-06-27 | 8.8 High |
| An insufficient certification validation issue in the Palo Alto Networks GlobalProtect app enables attackers to connect the GlobalProtect app to arbitrary servers. This can enable a local non-administrative operating system user or an attacker on the same subnet to install malicious root certificates on the endpoint and subsequently install malicious software signed by the malicious root certificates on that endpoint. Please subscribe to our RSS feed https://security.paloaltonetworks.com/rss.xml to be alerted to new updates to this and other advisories. | ||||
| CVE-2025-39205 | 2025-06-26 | 6.5 Medium | ||
| A vulnerability exists in the IEC 61850 in MicroSCADA X SYS600 product. The certificate validation of the TLS protocol allows remote Man-in-the-Middle attack due to missing proper validation. | ||||
| CVE-2025-29331 | 2025-06-26 | 9.8 Critical | ||
| An issue in MHSanaei 3x-ui before v.2.5.3 and before allows a remote attacker to execute arbitrary code via the management script x-ui passes the no check certificate option to wget when downloading updates | ||||
| CVE-2025-4947 | 1 Haxx | 1 Curl | 2025-06-26 | 6.5 Medium |
| libcurl accidentally skips the certificate verification for QUIC connections when connecting to a host specified as an IP address in the URL. Therefore, it does not detect impostors or man-in-the-middle attacks. | ||||
| CVE-2025-32878 | 2025-06-23 | 9.8 Critical | ||
| An issue was discovered on COROS PACE 3 devices through 3.0808.0. It implements a function to connect the watch to a WLAN. This function is mainly for downloading firmware files. Before downloading firmware files, the watch requests some information about the firmware via HTTPS from the back-end API. However, the X.509 server certificate within the TLS handshake is not validated by the device. This allows an attacker within an active machine-in-the-middle position, using a TLS proxy and a self-signed certificate, to eavesdrop and manipulate the HTTPS communication. This could be abused, for example, for stealing the API access token of the assigned user account. | ||||
| CVE-2024-0853 | 1 Haxx | 1 Curl | 2025-06-20 | 5.3 Medium |
| curl inadvertently kept the SSL session ID for connections in its cache even when the verify status (*OCSP stapling*) test failed. A subsequent transfer to the same hostname could then succeed if the session ID cache was still fresh, which then skipped the verify status check. | ||||
| CVE-2023-33757 | 1 Splicecom | 2 Ipcs, Ipcs2 | 2025-06-20 | 5.9 Medium |
| A lack of SSL certificate validation in Splicecom iPCS (iOS App) v1.3.4, iPCS2 (iOS App) v2.8 and before, and iPCS (Android App) v1.8.5 and before allows attackers to eavesdrop on communications via a man-in-the-middle attack. | ||||
| CVE-2025-29885 | 1 Qnap | 1 File Station | 2025-06-18 | 8.8 High |
| An improper certificate validation vulnerability has been reported to affect File Station 5. If exploited, the vulnerability could allow remote attackers who have gained user access to compromise the security of the system. We have already fixed the vulnerability in the following versions: File Station 5 5.5.6.4791 and later and later | ||||
| CVE-2025-29884 | 1 Qnap | 1 File Station | 2025-06-18 | 8.8 High |
| An improper certificate validation vulnerability has been reported to affect File Station 5. If exploited, the vulnerability could allow remote attackers who have gained user access to compromise the security of the system. We have already fixed the vulnerability in the following versions: File Station 5 5.5.6.4791 and later and later | ||||
| CVE-2025-29883 | 1 Qnap | 1 File Station | 2025-06-18 | 8.8 High |
| An improper certificate validation vulnerability has been reported to affect File Station 5. If exploited, the vulnerability could allow remote attackers who have gained user access to compromise the security of the system. We have already fixed the vulnerability in the following versions: File Station 5 5.5.6.4791 and later and later | ||||
| CVE-2025-22486 | 1 Qnap | 1 File Station | 2025-06-18 | 8.8 High |
| An improper certificate validation vulnerability has been reported to affect File Station 5. If exploited, the vulnerability could allow remote attackers who have gained user access to compromise the security of the system. We have already fixed the vulnerability in the following versions: File Station 5 5.5.6.4791 and later and later | ||||