118 matches found
CVE-2025-30199
ECOVACS vacuum robot base stations are described as not validating firmware updates and operating over an insecure Wi‑Fi link with a deterministic WPA2‑PSK key that can be derived from the device serial number. This enables potential malicious over‑the‑air updates or code execution through the up...
CVE-2025-30199 ECOVACS Vacuum and Base Station accept unsigned firmware
ECOVACS vacuum robot base stations do not validate firmware updates, so malicious over-the-air updates can be sent to base station via insecure connection between robot and base station...
CVE-2025-35115 Agiloft insecure download of system packages
Agiloft Release 28 downloads critical system packages over an insecure HTTP connection. An attacker in a Man-In-the-Middle position could replace or modify the contents of the download URL. Users should upgrade to Agiloft Release 30...
Agiloft 安全漏洞
Agiloft is a contract management platform from Agiloft Corporation in the United States. Agiloft has a security vulnerability that originates from the download of critical system packages over an insecure HTTP connection, which could lead to a man-in-the-middle attack...
CVE-2025-21450
Cryptographic issue occurs due to use of insecure connection method while downloading...
CVE-2025-21450
Cryptographic issue occurs due to use of insecure connection method while downloading...
CVE-2025-21450 Improper Authentication in GPS_GNSS
Cryptographic issue occurs due to use of insecure connection method while downloading...
CVE-2025-21450 Improper Authentication in GPS_GNSS
Cryptographic issue occurs due to use of insecure connection method while downloading...
CVE-2025-21450
CVE-2025-21450 describes a cryptographic issue arising from the use of an insecure connection method during download, affecting Qualcomm closed‑source components. The entry is labeled critical (CVSS 3.1: 9.1) with network attack vector and high impact on confidentiality and integrity. Connected d...
CVE-2025-5279 Issue with Amazon Redshift Python Connector and the BrowserAzureOAuth2CredentialsProvider plugin
When the Amazon Redshift Python Connector is configured with the BrowserAzureOAuth2CredentialsProvider plugin, the driver skips the SSL certificate validation step for the Identity Provider. An insecure connection could allow an actor to intercept the token exchange process and retrieve an access...
CVE-2019-10753
In all versions prior to version 3.9.6 for eclipse-wtp, all versions prior to version 9.4.4 for eclipse-cdt, and all versions prior to version 3.0.1 for eclipse-groovy, Spotless was resolving dependencies over an insecure channel http. If the build occurred over an insecure connection, a maliciou...
GHSA-95FC-G4GJ-MQMX Steve doesn’t verify a server’s certificate and is susceptible to man-in-the-middle (MitM) attacks
Impact A vulnerability has been identified in Steve where by default it was using an insecure option that did not validate the certificate presented by the remote server while performing a TLS connection. This could allow the execution of a man-in-the-middle MitM attack against services using...
CVE-2024-41768
IBM Engineering Lifecycle Optimization - Publishing 7.0.2 and 7.0.3 could allow a remote attacker to cause an unhandled SSL exception which could leave the connection in an unexpected or insecure state...
CVE-2024-8285
A flaw was found in Kroxylicious. When establishing the connection with the upstream Kafka server using a TLS secured connection, Kroxylicious fails to properly verify the server's hostname, resulting in an insecure connection. For a successful attack to be performed, the attacker needs to perfor...
CVE-2024-8285 Kroxylicious: missing upstream kafka tls hostname verification
A flaw was found in Kroxylicious. When establishing the connection with the upstream Kafka server using a TLS secured connection, Kroxylicious fails to properly verify the server's hostname, resulting in an insecure connection. For a successful attack to be performed, the attacker needs to perfor...
CVE-2024-8285
CVE-2024-8285 affects Kroxylicious, where TLS upstream connections to Kafka fail to verify the server hostname. This creates a potential for MITM and data integrity/confidentiality impact. Attacks require network access and, per the sources, may require high privileges to modify Kroxylicious conf...
CVE-2024-1657 Platform: insecure websocket used when interacting with eda server
A flaw was found in the ansible automation platform. An insecure WebSocket connection was being used in installation from the Ansible rulebook EDA server. An attacker that has access to any machine in the CIDR block could download all rulebook data from the WebSocket, resulting in loss of...
GOM Player 2.3.90.5360 MITM / Remote Code Execution Exploit
GOM Player version 2.3.90.5360 man-in-the-middle proof of concept remote code execution exploit. Exploit Title: GOM Player 2.3.90.5360 - Remote Code Execution RCE Author: M. Akil Gündoğan Contact: https://twitter.com/akilgundogan Vendor Homepage: https://www.gomlab.com/gomplayer-media-player/...
Google Chrome's New Feature Alerts Users About Auto-Removal of Malicious Extensions
Google has announced plans to add a new feature in the upcoming version of its Chrome web browser to proactively alert users when an extension they have installed has been removed from the Chrome Web Store. The feature, set for release alongside Chrome 117, allows users to be notified when an...
CVE-2023-30565
An insecure connection between Systems Manager and CQI Reporter application could expose infusion data to an attacker...