Total
2484 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-23919 | 2 Nodejs, Redhat | 2 Node.js, Enterprise Linux | 2025-04-30 | 7.5 High |
| A cryptographic vulnerability exists in Node.js <19.2.0, <18.14.1, <16.19.1, <14.21.3 that in some cases did does not clear the OpenSSL error stack after operations that may set it. This may lead to false positive errors during subsequent cryptographic operations that happen to be on the same thread. This in turn could be used to cause a denial of service. | ||||
| CVE-2024-20690 | 1 Microsoft | 6 Windows 10 1809, Windows 10 21h2, Windows 10 22h2 and 3 more | 2025-04-30 | 6.5 Medium |
| Windows Nearby Sharing Spoofing Vulnerability | ||||
| CVE-2017-3204 | 1 Golang | 1 Crypto | 2025-04-20 | 8.1 High |
| The Go SSH library (x/crypto/ssh) by default does not verify host keys, facilitating man-in-the-middle attacks. Default behavior changed in commit e4e2799 to require explicitly registering a hostkey verification mechanism. | ||||
| CVE-2017-6766 | 1 Cisco | 1 Firesight System Software | 2025-04-20 | N/A |
| A vulnerability in the Secure Sockets Layer (SSL) Decryption and Inspection feature of Cisco Firepower System Software 5.4.0, 5.4.1, 6.0.0, 6.1.0, 6.2.0, 6.2.1, and 6.2.2 could allow an unauthenticated, remote attacker to bypass the SSL policy for decrypting and inspecting traffic on an affected system. The vulnerability is due to unexpected interaction with Known Key and Decrypt and Resign configuration settings of SSL policies when the affected software receives unexpected SSL packet headers. An attacker could exploit this vulnerability by sending a crafted SSL packet through an affected device in a valid SSL session. A successful exploit could allow the attacker to bypass the SSL decryption and inspection policy for the affected system, which could allow traffic to flow through the system without being inspected. Cisco Bug IDs: CSCve12652. | ||||
| CVE-2016-7585 | 1 Apple | 1 Mac Os X | 2025-04-20 | N/A |
| An issue was discovered in certain Apple products. macOS before 10.12.4 is affected. The issue involves mishandling of DMA in the "EFI" component. It allows physically proximate attackers to discover the FileVault 2 encryption password via a crafted Thunderbolt adapter. | ||||
| CVE-2016-7812 | 1 Mufg | 1 Mitsubishi Ufj | 2025-04-20 | N/A |
| The Bank of Tokyo-Mitsubishi UFJ, Ltd. App for Android ver5.3.1, ver5.2.2 and earlier allow a man-in-the-middle attacker to downgrade the communication between the app and the server from TLS v1.2 to SSL v3.0, which may result in the attacker to eavesdrop on an encrypted communication. | ||||
| CVE-2016-6329 | 1 Openvpn | 1 Openvpn | 2025-04-20 | N/A |
| OpenVPN, when using a 64-bit block cipher, makes it easier for remote attackers to obtain cleartext data via a birthday attack against a long-duration encrypted session, as demonstrated by an HTTP-over-OpenVPN session using Blowfish in CBC mode, aka a "Sweet32" attack. | ||||
| CVE-2016-4457 | 1 Redhat | 2 Cloudforms Management Engine, Cloudforms Managementengine | 2025-04-20 | N/A |
| CloudForms Management Engine before 5.8 includes a default SSL/TLS certificate. | ||||
| CVE-2016-1919 | 1 Samsung | 1 Knox | 2025-04-20 | N/A |
| Samsung KNOX 1.0 uses a weak eCryptFS Key generation algorithm, which makes it easier for local users to obtain sensitive information by leveraging knowledge of the TIMA key and a brute-force attack. | ||||
| CVE-2016-10376 | 1 Gajim | 1 Gajim | 2025-04-20 | N/A |
| Gajim through 0.16.7 unconditionally implements the "XEP-0146: Remote Controlling Clients" extension. This can be abused by malicious XMPP servers to, for example, extract plaintext from OTR encrypted sessions. | ||||
| CVE-2015-8989 | 1 Mcafee | 1 Vulnerability Manager | 2025-04-20 | N/A |
| Unsalted password vulnerability in the Enterprise Manager (web portal) component in Intel Security McAfee Vulnerability Manager (MVM) 7.5.8 and earlier allows attackers to more easily decrypt user passwords via brute force attacks against the database. | ||||
| CVE-2015-9107 | 1 Zohocorp | 1 Manageengine Opmanager | 2025-04-20 | N/A |
| Zoho ManageEngine OpManager 11 through 12.2 uses a custom encryption algorithm to protect the credential used to access the monitored devices. The implemented algorithm doesn't use a per-system key or even a salt; therefore, it's possible to create a universal decryptor. | ||||
| CVE-2016-0736 | 2 Apache, Redhat | 4 Http Server, Enterprise Linux, Jboss Core Services and 1 more | 2025-04-20 | N/A |
| In Apache HTTP Server versions 2.4.0 to 2.4.23, mod_session_crypto was encrypting its data/cookie using the configured ciphers with possibly either CBC or ECB modes of operation (AES256-CBC by default), hence no selectable or builtin authenticated encryption. This made it vulnerable to padding oracle attacks, particularly with CBC. | ||||
| CVE-2016-10136 | 1 Adups | 1 Adups Fota | 2025-04-20 | N/A |
| An issue was discovered on BLU R1 HD devices with Shanghai Adups software. The content provider named com.adups.fota.sysoper.provider.InfoProvider in the app with a package name of com.adups.fota.sysoper allows any app on the device to read, write, and delete files as the system user. In the com.adups.fota.sysoper app's AndroidManifest.xml file, it sets the android:sharedUserId attribute to a value of android.uid.system which makes it execute as the system user, which is a very privileged user on the device. This allows a third-party app to read, write, and delete files owned by the system user. The third-party app can modify the /data/system/users/0/settings_secure.xml file to add an app as a notification listener to be able to receive the text of notifications as they are received on the device. This also allows the /data/system/users/0/accounts.db to be read which contains authentication tokens for various accounts on the device. The third-party app can obtain privileged information and also modify files to obtain more privileges on the device. | ||||
| CVE-2016-10137 | 1 Adups | 1 Adups Fota | 2025-04-20 | N/A |
| An issue was discovered on BLU R1 HD devices with Shanghai Adups software. The content provider named com.adups.fota.sysoper.provider.InfoProvider in the app with a package name of com.adups.fota.sysoper allows any app on the device to read, write, and delete files as the system user. In the com.adups.fota.sysoper app's AndroidManifest.xml file, it sets the android:sharedUserId attribute to a value of android.uid.system which makes it execute as the system user, which is a very privileged user on the device. This allows a third-party app to read, write, and delete the user's sent and received text messages and call log. This allows a third-party app to obtain PII from the user without permission to do so. | ||||
| CVE-2016-10139 | 1 Adups | 1 Adups Fota | 2025-04-20 | N/A |
| An issue was discovered on BLU R1 HD devices with Shanghai Adups software. The two package names involved in the exfiltration are com.adups.fota and com.adups.fota.sysoper. In the com.adups.fota.sysoper app's AndroidManifest.xml file, it sets the android:sharedUserId attribute to a value of android.uid.system which makes it execute as the system user, which is a very privileged user on the device. Therefore, the app executing as the system user has been granted a number of powerful permissions even though they are not present in the com.adups.fota.sysoper app's AndroidManifest.xml file. This app provides the com.adups.fota app access to the user's call log, text messages, and various device identifiers through the com.adups.fota.sysoper.provider.InfoProvider component. The com.adups.fota app uses timestamps when it runs and is eligible to exfiltrate the user's PII every 72 hours. If 72 hours have passed since the value of the timestamp, then the exfiltration will be triggered by the user plugging in the device to charge or when they leave or enter a wireless network. The exfiltration occurs in the background without any user interaction. | ||||
| CVE-2015-8013 | 1 Openpgpjs | 1 Openpgpjs | 2025-04-20 | N/A |
| s2k.js in OpenPGP.js will decrypt arbitrary messages regardless of passphrase for crafted PGP keys which allows remote attackers to bypass authentication if message decryption is used as an authentication mechanism via a crafted symmetrically encrypted PGP message. | ||||
| CVE-2015-8234 | 1 Openstack | 1 Glance | 2025-04-20 | N/A |
| The image signature algorithm in OpenStack Glance 11.0.0 allows remote attackers to bypass the signature verification process via a crafted image, which triggers an MD5 collision. | ||||
| CVE-2015-9003 | 1 Google | 1 Android | 2025-04-20 | N/A |
| In TrustZone a cryptographic issue can potentially occur in all Android releases from CAF using the Linux kernel. | ||||
| CVE-2015-7256 | 1 Zyxel | 50 C1000z, C1000z Firmware, Fr1000z and 47 more | 2025-04-20 | N/A |
| ZyXEL NWA1100-N, NWA1100-NH, NWA1121-NI, NWA1123-AC, and NWA1123-NI access points; P-660HN-51, P-663HN-51, VMG1312-B10A, VMG1312-B30A, VMG1312-B30B, VMG4380-B10A, VMG8324-B10A, VMG8924-B10A, VMG8924-B30A, and VSG1435-B101 DSL CPEs; PMG5318-B20A GPONs; SBG3300-N000, SBG3300-NB00, and SBG3500-N000 small business gateways; GS1900-8 and GS1900-24 switches; and C1000Z, Q1000, FR1000Z, and P8702N project models use non-unique X.509 certificates and SSH host keys. | ||||