57 matches found
The vulnerability of the SCADA system “SKADA-NEV”, which involves transmitting critical information in plaintext, allows a perpetrator to carry out a “man-in-the-middle” attack.
The vulnerability of the SCADA system “SKADA-NEV” is related to the transmission of critical information in plaintext. Exploiting this vulnerability allows a malicious actor to carry out a “man-in-the-middle” attack...
CVE-2022-20081
In A-GPS, there is a possible man in the middle attack due to improper certificate validation. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS06461919; Issue ID: ALPS06461919...
ALPACA is an application layer protocol content confusion attack exploiting TLS servers implementing different protocols but using compatible certificates such as multi-domain or wildcard certificates. A MiTM attacker having access to victim's traffic at the TCP/IP layer can redirect traffic from one subdomain to another resulting in a valid TLS session. This breaks the authentication of TLS and cross-protocol attacks may be possible where the behavior of one protocol service may compromise the other at the application layer.
...
UCWeb 安全漏洞
UCWeb is a browser. A security vulnerability exists in UCWeb versions 12.12.3.1219 through 12.12.3.1226, which stems from the use of the plaintext HTTP protocol in the affected software versions. An attacker could use the vulnerability to conduct a man-in-the-middle attack to discover the URLs...
CVE-2021-20564
IBM Cloud Pak for Security CP4S 1.4.0.0, 1.5.0.0, 1.5.0.1, 1.6.0.0, and 1.6.0.1 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security. An attacker could exploit this vulnerability to obtain sensitive information usin...
Cohesity DataPlatform 访问控制错误漏洞
Cohesity DataPlatform is a suite of platforms from Cohesity for managing ancillary data and applications. The platform is primarily used for data backup, instant recovery, and more. Cohesity DataPlatform An access control error vulnerability exists that allows an attacker to access a Cohesity...
TweetStream Trust Management Issue Vulnerability
Steve Agalloco TweetStream is an application from Steve Agallocoe Steve Agalloco, USA. Provides TweetStream provides simple Ruby access to Twitter's Streaming API. A vulnerability exists in TweetStream for trust management issues. The vulnerability stems from a failure to perform security checks ...
IBM Security Secret Server Information Disclosure Vulnerability (CNVD-2020-74622)
IBM Security Secret Server is a set of privileged access management solutions from IBM USA. The product supports password management, privileged account identification and privileged session access monitoring and logging. An information disclosure vulnerability exists in IBM Security Secret Serve...
CVE-2020-7520
A CWE-601: URL Redirection to Untrusted Site 'Open Redirect' vulnerability exists in Schneider Electric Software Update SESU, V2.4.0 and prior, which could cause execution of malicious code on the victim's machine. In order to exploit this vulnerability, an attacker requires privileged access on...
qpid-proton: TLS Man in the Middle Vulnerability
A cryptographic weakness was discovered in qpid-proton's use of TLS. If the qpid-proton client was used without client certificates, it would accept an anonymous cipher offered by the server. A man-in-the-middle attacker could use this to silently intercept traffic that should have been encrypted...
CVE-2018-1996
IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could provide weaker than expected security, caused by the improper TLS configuration. A remote attacker could exploit this vulnerability to obtain sensitive information using man in the middle techniques. IBM X-Force ID: 154650...
CVE-2017-17691
Homeputer CL Studio fur HomeMatic 4.0 Rel 160808 and earlier uses cleartext to exchange the username and password between server and client instances, which allows remote attackers to obtain sensitive information via a man in the middle attack...
UBUNTU-CVE-2018-1139
A flaw was found in the way samba before 4.7.9 and 4.8.4 allowed the use of weak NTLMv1 authentication even when NTLMv1 was explicitly disabled. A man-in-the-middle attacker could use this flaw to read the credential and other details passed between the samba server and client...
CVE-2016-10693
pm2-kafka is a PM2 module that installs and runs a kafka server pm2-kafka downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution RCE by swapping out the requested resources with an attacker controlled copy if the attacke...
OpenJDK: no default network operations timeouts in FtpClient (Networking, 8181612)
It was found that the FtpClient implementation in the Networking component of OpenJDK did not set connect and read timeouts by default. A malicious FTP server or a man-in-the-middle attacker could use this flaw to block execution of a Java application connecting to an FTP server...
Important vulnerabilities early warning: the Windows DNS client in the broke multiple heap buffer overflow flaws vulnerabilities in bug-bug warning-the black bar safety net
Microsoft has in the 2017 year 10 months official fix for the vulnerability CVE-2017-11779, the vulnerability includes the Windows DNS client in the plurality of memory corruption vulnerabilities, running Windows 8/Server 2012 and an updated version ofOSthe computer will be affected by this...
NetApp AltaVault Man-in-the-Middle Attack Vulnerability
NetApp AltaVault is a cloud storage solution from NetApp. The solution features scalability, data encryption, and support for data backup and recovery. A security vulnerability exists in NetApp AltaVault 4.1 and earlier versions. An attacker could use this vulnerability to conduct a...
CVE-2016-5648
Acer Portal app before 3.9.4.2000 for Android does not properly validate SSL certificates, which allows remote attackers to perform a Man-in-the-middle attack via a crafted SSL certificate...
Life Before Us Yo app for iOS Authentication Vulnerability
Life Before Us Yo app for iOS is an iOS based social mobile application developed by Yo Inc. An authentication vulnerability exists in version 2.5.8 of the Life Before Us Yo app for iOS, which stems from the program failing to validate an X.509 certificate on the server side of an SSL server. The...
jakarta-commons-httpclient: missing connection hostname check against X.509 certificate name
It was found that Apache Commons HttpClient 3.x, as used in Amazon Flexible Payments Service FPS merchant Java SDK and other products, does not verify that the server hostname matches a domain name in the subject's Common Name CN or subjectAltName field of the X.509 certificate, which allows...