Lucene search
37 matches found

Cvelist
added 2025/08/07 12:04 a.m. · 8 views

CVE-2025-54799 Lego does not enforce HTTPS

Lego is a Let's Encrypt client and ACME library written in Go. In versions 4.25.1 and below, the github.com/go-acme/lego/v4/acme/api package, and thus the lego library and the lego CLI as well, don't enforce HTTPS when talking to CAs as an ACME client. Unlike the http-01 challenge, which solves an ACME...

CVSS 6 · EPSS 0.0018 · Exploits 0 · References 2

OSV
added 2025/08/06 5:08 p.m. · 4 views

GHSA-Q82R-2J7M-9RV4 github.com/go-acme/lego/v4/acme/api does not enforce HTTPS

Summary: It was discovered that the github.com/go-acme/lego/v4/acme/api package, and thus the lego library and the lego CLI as well, don't enforce HTTPS when talking to CAs as an ACME client. Details: Unlike the http-01 challenge, which solves an ACME challenge over unencrypted HTTP, the ACME protocol...

CVSS 6 · AI score 6.1 · EPSS 0.0018 · Exploits 0 · References 4

Github Security Blog
added 2025/08/06 5:08 p.m. · 8 views

github.com/go-acme/lego/v4/acme/api does not enforce HTTPS

Summary: It was discovered that the github.com/go-acme/lego/v4/acme/api package, and thus the lego library and the lego CLI as well, don't enforce HTTPS when talking to CAs as an ACME client. Details: Unlike the http-01 challenge, which solves an ACME challenge over unencrypted HTTP, the ACME protocol...

CVSS 6 · AI score 6.1 · EPSS 0.0018 · Exploits 0 · References 4 · Affected Software 3

Positive Technologies
added 2025/08/06 12:00 a.m. · 3 views

PT-2025-32239 · Go Acme +1 · Lego +1

Name of the Vulnerable Software and Affected Versions: Lego versions 4.25.1 and below. Description: The github.com/go-acme/lego/v4/acme/api package, and consequently the Lego library and command-line interface, does not enforce HTTPS when communicating with Certificate Authorities (CAs) as an ACME...

CVSS 6 · AI score 6.2 · EPSS 0.0018 · Exploits 0 · References 16

RedhatCVE
added 2025/05/23 10:42 a.m. · 2 views

CVE-2024-47871

Gradio is an open-source Python package designed for quick prototyping. This vulnerability involves insecure communication between the FRP (Fast Reverse Proxy) client and server when Gradio's share=True option is used. HTTPS is not enforced on the connection, allowing attackers to intercept and rea...

CVSS 9.1 · AI score 6.6 · EPSS 0.00083 · Exploits 0

OSV
added 2024/10/10 11:15 p.m. · 6 views

PYSEC-2024-219

Gradio is an open-source Python package designed for quick prototyping. This vulnerability involves insecure communication between the FRP (Fast Reverse Proxy) client and server when Gradio's share=True option is used. HTTPS is not enforced on the connection, allowing attackers to intercept and rea...

CVSS 9.1 · AI score 9.1 · EPSS 0.00083 · Exploits 0 · References 1

OSV
added 2023/02/27 8:15 p.m. · 0 views

CVE-2022-32906

This issue was addressed by using HTTPS when sending information over the network. This issue is fixed in Apple Music 3.9.10 for Android. A user in a privileged network position may intercept SSL/TLS connections...

CVSS 5.3 · AI score 5.8 · EPSS 0.00152 · Exploits 0 · References 1

OSV
added 2022/06/02 2:15 p.m. · 2 views

AZL-9891 CVE-2022-30115 affecting package curl for versions less than 7.83.1-1

Using its HSTS support, curl can be instructed to use HTTPS directly instead of using an insecure clear-text HTTP step even when HTTP is provided in the URL. This mechanism could be bypassed if the host name in the given URL used a trailing dot while not using one when it built the HSTS cache. Or th...

CVSS 4.3 · AI score 6.6 · EPSS 0.00083 · Exploits 1 · References 1

AlpineLinux
added 2022/06/01 12:00 a.m. · 44 views

CVE-2022-30115

Using its HSTS support, curl can be instructed to use HTTPS directly instead of using an insecure clear-text HTTP step even when HTTP is provided in the URL. This mechanism could be bypassed if the host name in the given URL used a trailing dot while not using one when it built the HSTS cache. Or th...

CVSS 4.3 · AI score 6 · EPSS 0.00083 · Exploits 1

NCSC
added 2020/12/22 12:00 a.m. · 4 views

Serious vulnerabilities fixed in Dell Wyse ThinOS

Vulnerabilities have been fixed in Dell Wyse ThinOS. A malicious person with access to a local FTP server could exploit the vulnerabilities to obtain sensitive information. By accessing this information and having the ability to modify configuration files, the malicious party could compromise the entire system. Dell ha...

CVSS 10 · AI score 6.6 · EPSS 0.00905 · Exploits 0

Github Security Blog
added 2020/09/11 9:16 p.m. · 16 views

Command Injection in wizard-syncronizer

All versions of wizard-syncronizer are vulnerable to Command Injection. The package does not validate input on the cloneAndSync function and concatenates it to an exec call. This can be abused through a malicious widget containing the payload in the gitURL value or through a MITM attack since the...

AI score 3.6 · Exploits 0 · References 2 · Affected Software 1

Node.js
added 2019/06/17 6:09 p.m. · 12 views

Command Injection

Overview: All versions of wizard-syncronizer are vulnerable to Command Injection. The package does not validate input on the cloneAndSync function and concatenates it to an exec call. This can be abused through a malicious widget containing the payload in the gitURL value or through a MITM attack...

AI score 7.1 · Exploits 0 · Affected Software 1

Hacker One
added 2016/03/17 5:53 a.m. · 14 views

Gratipay: Cookie Does Not Contain The "secure" Attribute

PoC: https://gratipay.com/ -- optimizelyBuckets=%7B%7D; expires=Sat Mar 14 21:28:25 2026; path=/; domain=.gratipay.com; max-age=315359448,https://gratipay.com/ -- optimizelyEndUserId=oeu1458188905178r0.282567850779742; expires=Sat Mar 14 21:28:25 2026; path=/; domain=.gratipay.com;...

AI score 1 · Exploits 0

CNVD
added 2016/02/02 12:00 a.m. · 1 views

Mozilla Firefox Man-in-the-Middle Attack Vulnerability (CNVD-2016-00851)

Mozilla Firefox on Android is an open source web browser for the Android platform. Mozilla Firefox on Android fails to ensure that lightweight themes are installed using HTTPS, allowing remote attackers to perform man-in-the-middle attacks by modifying client-server data streams, changing theme...

CVSS 5.3 · AI score 6.7 · EPSS 0.00219 · Exploits 0 · References 1

Kaspersky
added 2016/01/26 12:00 a.m. · 84 views

KLA10748 Multiple vulnerabilities in Mozilla Firefox and Firefox ESR

Multiple serious vulnerabilities have been found in Mozilla Firefox. Malicious users can exploit these vulnerabilities to cause denial of service, bypass security restrictions, spoof the user interface and execute arbitrary code. Below is a complete list of vulnerabilities: 1. Multiple memory safety...

CVSS 10 · AI score 10 · EPSS 0.03529 · Exploits 0 · References 4

ThreatPost
added 2015/05/01 12:20 p.m. · 10 views

Mozilla Moving Toward Full HTTPS Enforcement in Firefox

The Mozilla Foundation is initiating the process to phase out insecure HTTP connections in the Firefox browser. The decision is part of a broader movement to encrypt the Web, which in the case of Mozilla Firefox, means permitting only encrypted HTTPS browser connections. Mozilla is the developer ...

Exploits 0 · References 5

Duo Security Advisories
added 1976/01/01 12:00 a.m. · 24 views

DUO-PSA-2020-003: Duo Product Security Advisory

Duo Product Security Advisory
Advisory ID: DUO-PSA-2020-003
Publication Date: 2020-06-30
Revision Date: 2020-06-30
Status: Confirmed, Fixed
Document Revision: 2
Overview: Duo has identified and fixed an issue in the Duo Connect client that allows end-users to choose insecure configurations. If...

AI score 0.1 · Exploits 0