Total
1192 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-50356 | 1 Areal-topkapi | 1 Vision Server | 2025-06-17 | 6.5 Medium |
| SSL connections to some LDAP servers are vulnerable to a man-in-the-middle attack due to improper certificate validation in AREAL Topkapi Vision (Server). This allows a remote unauthenticated attacker to gather sensitive information and prevent valid users from login. | ||||
| CVE-2023-28807 | 1 Zscaler | 1 Secure Internet And Saas Access | 2025-06-17 | 5.1 Medium |
| In Zscaler Internet Access (ZIA) a mismatch between Connect Host and Client Hello's Server Name Indication (SNI) enables attackers to evade network security controls by hiding their communications within legitimate traffic. | ||||
| CVE-2023-6043 | 1 Lenovo | 1 Vantage | 2025-06-17 | 7.8 High |
| A privilege escalation vulnerability was reported in Lenovo Vantage that could allow a local attacker to bypass integrity checks and execute arbitrary code with elevated privileges. | ||||
| CVE-2023-33760 | 1 Splicecom | 1 Maximiser Soft Pbx | 2025-06-17 | 5.3 Medium |
| SpliceCom Maximiser Soft PBX v1.5 and before was discovered to utilize a default SSL certificate. This issue can allow attackers to eavesdrop on communications via a man-in-the-middle attack. | ||||
| CVE-2023-33295 | 1 Cohesity | 1 Cohesity Dataplatform | 2025-06-17 | 6.5 Medium |
| Cohesity DataProtect prior to 6.8.1_u5 or 7.1 was discovered to have a incorrect access control vulnerability due to a lack of TLS Certificate Validation. | ||||
| CVE-2025-22874 | 2025-06-16 | 7.5 High | ||
| Calling Verify with a VerifyOptions.KeyUsages that contains ExtKeyUsageAny unintentionally disabledpolicy validation. This only affected certificate chains which contain policy graphs, which are rather uncommon. | ||||
| CVE-2025-36041 | 1 Ibm | 1 Mq Operator | 2025-06-16 | 4.7 Medium |
| IBM MQ Operator LTS 2.0.0 through 2.0.29, MQ Operator CD 3.0.0, 3.0.1, 3.1.0 through 3.1.3, 3.3.0, 3.4.0, 3.4.1, 3.5.0, 3.5.1 through 3.5.3, and MQ Operator SC2 3.2.0 through 3.2.12 Native HA CRR could be configured with a private key and chain other than the intended key which could disclose sensitive information or allow the attacker to perform unauthorized actions. | ||||
| CVE-2024-43550 | 1 Microsoft | 14 Windows 10 1507, Windows 10 1607, Windows 10 1809 and 11 more | 2025-06-16 | 7.4 High |
| Windows Secure Channel Spoofing Vulnerability | ||||
| CVE-2025-32407 | 1 Samsung | 1 Internet | 2025-06-12 | 5.9 Medium |
| Samsung Internet for Galaxy Watch version 5.0.9, available up until Samsung Galaxy Watch 3, does not properly validate TLS certificates, allowing for an attacker to impersonate any and all websites visited by the user. This is a critical misconfiguration in the way the browser validates the identity of the server. It negates the use of HTTPS as a secure channel, allowing for Man-in-the-Middle attacks, stealing sensitive information or modifying incoming and outgoing traffic. NOTE: This vulnerability is in an end-of-life product that is no longer maintained by the vendor. | ||||
| CVE-2025-24471 | 1 Fortinet | 1 Fortios | 2025-06-12 | 6 Medium |
| AnĀ Improper Certificate Validation vulnerability [CWE-295] in FortiOS version 7.6.1 and below, version 7.4.7 and below may allow an EAP verified remote user to connect from FortiClient via revoked certificate. | ||||
| CVE-2018-1000500 | 1 Busybox | 1 Busybox | 2025-06-09 | 6.5 Medium |
| Busybox contains a Missing SSL certificate validation vulnerability in The "busybox wget" applet that can result in arbitrary code execution. This attack appear to be exploitable via Simply download any file over HTTPS using "busybox wget https://compromised-domain.com/important-file". | ||||
| CVE-2021-22924 | 8 Debian, Fedoraproject, Haxx and 5 more | 55 Debian Linux, Fedora, Libcurl and 52 more | 2025-06-09 | 3.7 Low |
| libcurl keeps previously used connections in a connection pool for subsequenttransfers to reuse, if one of them matches the setup.Due to errors in the logic, the config matching function did not take 'issuercert' into account and it compared the involved paths *case insensitively*,which could lead to libcurl reusing wrong connections.File paths are, or can be, case sensitive on many systems but not all, and caneven vary depending on used file systems.The comparison also didn't include the 'issuer cert' which a transfer can setto qualify how to verify the server certificate. | ||||
| CVE-2025-30279 | 2025-06-09 | N/A | ||
| An improper certificate validation vulnerability has been reported to affect File Station 5. If a remote attacker gains a user account, they can then exploit the vulnerability to compromise the security of the system. We have already fixed the vulnerability in the following version: File Station 5 5.5.6.4847 and later | ||||
| CVE-2025-33031 | 2025-06-09 | N/A | ||
| An improper certificate validation vulnerability has been reported to affect File Station 5. If a remote attacker gains a user account, they can then exploit the vulnerability to compromise the security of the system. We have already fixed the vulnerability in the following version: File Station 5 5.5.6.4847 and later | ||||
| CVE-2025-27820 | 2025-06-04 | 7.5 High | ||
| A bug in PSL validation logic in Apache HttpClient 5.4.x disables domain checks, affecting cookie management and host name verification. Discovered by the Apache HttpClient team. Fixed in the 5.4.3 release | ||||
| CVE-2024-0057 | 2 Microsoft, Redhat | 19 .net, .net Framework, Powershell and 16 more | 2025-06-03 | 9.1 Critical |
| NET, .NET Framework, and Visual Studio Security Feature Bypass Vulnerability | ||||
| CVE-2024-41334 | 1 Draytek | 40 Vigor165, Vigor165 Firmware, Vigor166 and 37 more | 2025-06-03 | 8.8 High |
| Draytek devices Vigor 165/166 prior to v4.2.6 , Vigor 2620/LTE200 prior to v3.9.8.8, Vigor 2860/2925 prior to v3.9.7, Vigor 2862/2926 prior to v3.9.9.4, Vigor 2133/2762/2832 prior to v3.9.8, Vigor 2135/2765/2766 prior to v4.4.5.1, Vigor 2865/2866/2927 prior to v4.4.5.3, Vigor 2962/3910 prior to v4.3.2.7, Vigor 3912 prior to v4.3.5.2, and Vigor 2925 up to v3.9.6 were discovered to not utilize certificate verification, allowing attackers to upload crafted APPE modules from non-official servers, leading to arbitrary code execution. | ||||
| CVE-2022-26766 | 1 Apple | 6 Ipados, Iphone Os, Mac Os X and 3 more | 2025-05-30 | 5.5 Medium |
| A certificate parsing issue was addressed with improved checks. This issue is fixed in tvOS 15.5, iOS 15.5 and iPadOS 15.5, Security Update 2022-004 Catalina, watchOS 8.6, macOS Big Sur 11.6.6, macOS Monterey 12.4. A malicious app may be able to bypass signature validation. | ||||
| CVE-2025-5025 | 2025-05-30 | 4.8 Medium | ||
| libcurl supports *pinning* of the server certificate public key for HTTPS transfers. Due to an omission, this check is not performed when connecting with QUIC for HTTP/3, when the TLS backend is wolfSSL. Documentation says the option works with wolfSSL, failing to specify that it does not for QUIC and HTTP/3. Since pinning makes the transfer succeed if the pin is fine, users could unwittingly connect to an impostor server without noticing. | ||||
| CVE-2021-31399 | 1 2n | 2 Access Unit 2.0, Access Unit 2.0 Firmware | 2025-05-30 | 4.6 Medium |
| On 2N Access Unit 2.0 2.31.0.40.5 devices, an attacker can pose as the web relay for a man-in-the-middle attack. | ||||