VYPR

CWE-295

Improper Certificate Validation

BaseDraft

Description

The product does not validate, or incorrectly validates, a certificate.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-459 · CAPEC-475

CVEs mapped to this weakness (720)

page 14 of 36
  • CVE-2017-14710 · Med · Jul 12, 2018
    risk 0.38 · cvss 5.9 · epss 0.01

    The Shein Group Ltd. "SHEIN - Fashion Shopping" app -- aka shein fashion-shopping/id878577184 -- for iOS does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

  • CVE-2017-14612 · Med · Jul 12, 2018
    risk 0.38 · cvss 5.9 · epss 0.01

    "Shpock Boot Sale & Classifieds" app before 3.17.0 -- aka shpock-boot-sale-classifieds/id557153158 -- for iOS does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

  • CVE-2018-1543 · Med · Jun 27, 2018
    risk 0.38 · cvss 5.9 · epss 0.01

    IBM WebSphere MQ 8.0 and 9.0 could allow a remote attacker to obtain sensitive information, caused by the failure to properly validate the SSL certificate. An attacker could exploit this vulnerability to obtain sensitive information using man in the middle techniques. IBM…

  • CVE-2018-10377 · Med · Jun 17, 2018
    risk 0.38 · cvss 5.9 · epss 0.01

    PortSwigger Burp Suite before 1.7.34 has Improper Certificate Validation of the Collaborator server certificate, which might allow man-in-the-middle attackers to obtain interaction data.

  • CVE-2016-9064 · Med · Jun 11, 2018
    risk 0.38 · cvss 5.9 · epss 0.01

    Add-on updates failed to verify that the add-on ID inside the signed package matched the ID of the add-on being updated. An attacker who could perform a man-in-the-middle attack on the user's connection to the update server and defeat the certificate pinning protection could…

  • CVE-2016-10534 · Med · May 31, 2018
    risk 0.38 · cvss 5.9 · epss 0.01

    electron-packager is a command line tool that packages Electron source code into `.app` and `.exe` packages, along with Electron. The `--strict-ssl` command line option in electron-packager >= 5.2.1 <= 6.0.0 || >=6.0.0 <= 6.0.2 defaults to false if not explicitly set to true.…

  • CVE-2018-0591 · Med · May 14, 2018
    risk 0.38 · cvss 5.9 · epss 0.01

    The KINEPASS App for Android Ver 3.1.1 and earlier, and for iOS Ver 3.1.2 and earlier do not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

  • CVE-2017-2836 · Med · Apr 24, 2018
    risk 0.38 · cvss 5.9 · epss 0.01

    An exploitable denial of service vulnerability exists within the reading of proprietary server certificates in FreeRDP 2.0.0-beta1+android11. A specially crafted challenge packet can cause the program termination leading to a denial of service condition. An attacker can…

  • CVE-2015-1777 · Med · Apr 12, 2018
    risk 0.38 · cvss 5.9 · epss 0.01

    rhnreg_ks in Red Hat Network Client Tools (aka rhn-client-tools) on Red Hat Gluster Storage 2.1 and Enterprise Linux (RHEL) 5, 6, and 7 does not properly validate hostnames in X.509 certificates from SSL servers, which allows remote attackers to prevent system registration via a…

  • CVE-2018-4086 · Med · Apr 3, 2018
    risk 0.38 · cvss 5.9 · epss 0.01

    An issue was discovered in certain Apple products. iOS before 11.2.5 is affected. macOS before 10.13.3 is affected. tvOS before 11.2.5 is affected. watchOS before 4.2.2 is affected. The issue involves the "Security" component. It allows remote attackers to spoof certificate…

  • CVE-2017-13863 · Med · Apr 3, 2018
    risk 0.38 · cvss 5.9 · epss 0.00

    An issue was discovered in certain Apple products. iOS before 11 is affected. The issue involves the "APNs" component. It allows man-in-the-middle attackers to track users by leveraging the transmission of client certificates.

  • CVE-2015-4954 · Med · Mar 27, 2018
    risk 0.38 · cvss 5.9 · epss 0.01

    IBM BigFix Remote Control before Interim Fix pack 9.1.2-TIV-IBRC912-IF0001 improperly allows self-signed certificates, which might allow remote attackers to conduct spoofing attacks via unspecified vectors. IBM X-Force ID: 105200.

  • CVE-2012-6709 · Med · Feb 23, 2018
    risk 0.38 · cvss 5.9 · epss 0.01

    ELinks 0.12 and Twibright Links 2.3 have Missing SSL Certificate Validation.

  • CVE-2018-0518 · Med · Feb 23, 2018
    risk 0.38 · cvss 5.9 · epss 0.01

    LINE for iOS version 7.1.3 to 7.1.5 does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

  • CVE-2017-17455 · Med · Feb 20, 2018
    risk 0.38 · cvss 5.9 · epss 0.01

    Mahara 16.10 before 16.10.7, 17.04 before 17.04.5, and 17.10 before 17.10.2 are vulnerable to being forced, via a man-in-the-middle attack, to interact with Mahara on the HTTP protocol rather than HTTPS even when an SSL certificate is present.

  • CVE-2017-12721 · Med · Feb 15, 2018
    risk 0.38 · cvss 5.9 · epss 0.01

    An Improper Certificate Validation issue was discovered in Smiths Medical Medfusion 4000 Wireless Syringe Infusion Pump, Version 1.1, 1.5, and 1.6. The pump does not validate host certificates, leaving the pump vulnerable to a man-in-the-middle (MITM) attack.

  • CVE-2017-9968 · Med · Feb 12, 2018
    risk 0.38 · cvss 5.9 · epss 0.01

    A security misconfiguration vulnerability exists in Schneider Electric's IGSS Mobile application versions 3.01 and prior in which a lack of certificate pinning during the TLS/SSL connection establishing process can result in a man-in-the-middle attack.

  • CVE-2018-5258 · Med · Jan 17, 2018
    risk 0.38 · cvss 5.9 · epss 0.01

    The Neon app 1.6.14 iOS does not verify X.509 certificates from SSL servers, which allows remote attackers to spoof servers and obtain sensitive information via a crafted certificate.

  • CVE-2015-2981 · Med · Jan 12, 2018
    risk 0.38 · cvss 5.9 · epss 0.01

    The Yodobashi App for Android 1.2.1.0 and earlier does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

  • CVE-2017-1000415 · Med · Jan 9, 2018
    risk 0.38 · cvss 5.9 · epss 0.00

    MatrixSSL version 3.7.2 has an incorrect UTCTime date range validation in its X.509 certificate validation process, resulting in some certificates having their expiration (beginning) year extended (delayed) by 100 years.