VYPR

CWE-295

Improper Certificate Validation

Base · Draft

Description

The product does not validate, or incorrectly validates, a certificate.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-459 · CAPEC-475

CVEs mapped to this weakness (720)

page 20 of 36
  • CVE-2017-2110 · Med · Apr 28, 2017
    risk 0.38 · cvss 5.9 · epss 0.01

    The Access CX App for Android prior to 2.0.0.1 and for iOS prior to 2.0.2 does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

  • CVE-2016-1519 · Med · Apr 21, 2017
    risk 0.38 · cvss 5.9 · epss 0.01

    The com.softphone.common package in the Grandstream Wave app 1.0.1.26 and earlier for Android does not properly validate SSL certificates, which allows man-in-the-middle attackers to spoof the Grandstream provisioning server via a crafted certificate.

  • CVE-2016-1221 · Med · Apr 21, 2017
    risk 0.38 · cvss 5.9 · epss 0.01

    Jetstar App for iOS before 3.0.0 does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

  • CVE-2016-1210 · Med · Apr 21, 2017
    risk 0.38 · cvss 5.9 · epss 0.01

    The 105 BANK app 1.0 and 1.1 for Android and 1.0 for iOS does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

  • CVE-2016-1198 · Med · Apr 21, 2017
    risk 0.38 · cvss 5.9 · epss 0.01

    Photopt for Android before 2.0.1 does not verify SSL certificates.

  • CVE-2016-1186 · Med · Apr 21, 2017
    risk 0.38 · cvss 5.9 · epss 0.01

    Kintone mobile for Android 1.0.0 through 1.0.5 does not verify SSL server certificates.

  • CVE-2016-4840 · Med · Apr 21, 2017
    risk 0.38 · cvss 5.9 · epss 0.01

    Coordinate Plus App for Android 1.0.2 and earlier and Coordinate Plus App for iOS 1.0.2 and earlier do not verify SSL certificates.

  • CVE-2016-4832 · Med · Apr 21, 2017
    risk 0.38 · cvss 5.9 · epss 0.01

    WAON "Service Application" for Android 1.4.1 and earlier does not verify SSL certificates.

  • CVE-2016-4830 · Med · Apr 21, 2017
    risk 0.38 · cvss 5.9 · epss 0.01

    Sushiro App for iOS 2.1.16 and earlier and Sushiro App for Android 2.1.16.1 and earlier do not verify SSL certificates.

  • CVE-2016-4829 · Med · Apr 21, 2017
    risk 0.38 · cvss 5.9 · epss 0.01

    DMM Movie Player App for Android before 1.2.1, and DMM Movie Player App for iPhone/iPad before 2.1.3 does not verify SSL certificates.

  • CVE-2016-1184 · Med · Apr 21, 2017
    risk 0.38 · cvss 5.9 · epss 0.01

    Tokyo Star bank App for Android before 1.4 and Tokyo Star bank App for iOS before 1.4 do not validate SSL certificates.

  • CVE-2016-4818 · Med · Apr 20, 2017
    risk 0.38 · cvss 5.9 · epss 0.01

    DMMFX Trade for Android 1.5.0 and earlier, DMMFX DEMO Trade for Android 1.5.0 and earlier, and GAITAMEJAPAN FX Trade for Android 1.4.0 and earlier do not verify SSL certificates.

  • CVE-2016-9319 · Med · Mar 31, 2017
    risk 0.38 · cvss 5.9 · epss 0.01

    There is Missing SSL Certificate Validation in the Trend Micro Enterprise Mobile Security Android Application before 9.7.1193, aka VRTS-398.

  • CVE-2016-9892 · Med · Mar 2, 2017
    risk 0.38 · cvss 5.9 · epss 0.02

    The esets_daemon service in ESET Endpoint Antivirus for macOS before 6.4.168.0 and Endpoint Security for macOS before 6.4.168.0 does not properly verify X.509 certificates from the edf.eset.com SSL server, which allows man-in-the-middle attackers to spoof this server and provide…

  • CVE-2012-5821 · Med · Nov 4, 2012
    risk 0.38 · cvss 5.9 · epss 0.01

    Lynx does not verify that the server's certificate is signed by a trusted certification authority, which allows man-in-the-middle attackers to spoof SSL servers via a crafted certificate, related to improper use of a certain GnuTLS function.

  • CVE-2012-5810 · Med · Nov 4, 2012
    risk 0.38 · cvss 5.9 · epss 0.00

    The Chase mobile banking application for Android does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary…

  • CVE-2011-0199 · Med · Jun 24, 2011
    risk 0.38 · cvss 5.9 · epss 0.01

    The Certificate Trust Policy component in Apple Mac OS X before 10.6.8 does not perform CRL checking for Extended Validation (EV) certificates that lack OCSP URLs, which might allow man-in-the-middle attackers to spoof an SSL server via a revoked certificate.

  • CVE-2026-22613 · Med · Feb 9, 2026
    risk 0.37 · cvss 5.7 · epss 0.00

    The server identity check mechanism for firmware upgrade performed via command shell is insecurely implemented potentially allowing an attacker to perform a Man-in-the-middle attack. This security issue has been fixed in the latest firmware version of Eaton Network M3 which…

  • CVE-2025-48393 · Med · Aug 6, 2025
    risk 0.37 · cvss 5.7 · epss 0.00

    The server identity check mechanism for firmware upgrade performed via command shell is insecurely implemented potentially allowing an attacker to perform a Man-in-the-middle attack. This security issue has been fixed in the latest firmware version of Eaton G4 PDU which is…

  • CVE-2025-1001 · Med · Feb 21, 2025
    risk 0.37 · cvss 5.7 · epss 0.00

    Medixant RadiAnt DICOM Viewer is vulnerable due to failure of the update mechanism to verify the update server's certificate which could allow an attacker to alter network traffic and carry out a machine-in-the-middle attack (MITM). An attacker could modify the server's response…