CWE-295
Improper Certificate Validation
Description
The product does not validate, or incorrectly validates, a certificate.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-459 · CAPEC-475
CVEs mapped to this weakness (720)
page 20 of 36

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2017-2110 | | Med | 0.38 | 5.9 | 0.01 | | Apr 28, 2017 | The Access CX App for Android prior to 2.0.0.1 and for iOS prior to 2.0.2 does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. |
| CVE-2016-1519 | | Med | 0.38 | 5.9 | 0.01 | | Apr 21, 2017 | The com.softphone.common package in the Grandstream Wave app 1.0.1.26 and earlier for Android does not properly validate SSL certificates, which allows man-in-the-middle attackers to spoof the Grandstream provisioning server via a crafted certificate. |
| CVE-2016-1221 | | Med | 0.38 | 5.9 | 0.01 | | Apr 21, 2017 | Jetstar App for iOS before 3.0.0 does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. |
| CVE-2016-1210 | | Med | 0.38 | 5.9 | 0.01 | | Apr 21, 2017 | The 105 BANK app 1.0 and 1.1 for Android and 1.0 for iOS does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. |
| CVE-2016-1198 | | Med | 0.38 | 5.9 | 0.01 | | Apr 21, 2017 | Photopt for Android before 2.0.1 does not verify SSL certificates. |
| CVE-2016-1186 | | Med | 0.38 | 5.9 | 0.01 | | Apr 21, 2017 | Kintone mobile for Android 1.0.0 through 1.0.5 does not verify SSL server certificates. |
| CVE-2016-4840 | | Med | 0.38 | 5.9 | 0.01 | | Apr 21, 2017 | Coordinate Plus App for Android 1.0.2 and earlier and Coordinate Plus App for iOS 1.0.2 and earlier do not verify SSL certificates. |
| CVE-2016-4832 | | Med | 0.38 | 5.9 | 0.01 | | Apr 21, 2017 | WAON "Service Application" for Android 1.4.1 and earlier does not verify SSL certificates. |
| CVE-2016-4830 | | Med | 0.38 | 5.9 | 0.01 | | Apr 21, 2017 | Sushiro App for iOS 2.1.16 and earlier and Sushiro App for Android 2.1.16.1 and earlier do not verify SSL certificates. |
| CVE-2016-4829 | | Med | 0.38 | 5.9 | 0.01 | | Apr 21, 2017 | DMM Movie Player App for Android before 1.2.1, and DMM Movie Player App for iPhone/iPad before 2.1.3 does not verify SSL certificates. |
| CVE-2016-1184 | | Med | 0.38 | 5.9 | 0.01 | | Apr 21, 2017 | Tokyo Star bank App for Android before 1.4 and Tokyo Star bank App for iOS before 1.4 do not validate SSL certificates. |
| CVE-2016-4818 | | Med | 0.38 | 5.9 | 0.01 | | Apr 20, 2017 | DMMFX Trade for Android 1.5.0 and earlier, DMMFX DEMO Trade for Android 1.5.0 and earlier, and GAITAMEJAPAN FX Trade for Android 1.4.0 and earlier do not verify SSL certificates. |
| CVE-2016-9319 | | Med | 0.38 | 5.9 | 0.01 | | Mar 31, 2017 | There is Missing SSL Certificate Validation in the Trend Micro Enterprise Mobile Security Android Application before 9.7.1193, aka VRTS-398. |
| CVE-2016-9892 | | Med | 0.38 | 5.9 | 0.02 | | Mar 2, 2017 | The esets_daemon service in ESET Endpoint Antivirus for macOS before 6.4.168.0 and Endpoint Security for macOS before 6.4.168.0 does not properly verify X.509 certificates from the edf.eset.com SSL server, which allows man-in-the-middle attackers to spoof this server and provide… |
| CVE-2012-5821 | | Med | 0.38 | 5.9 | 0.01 | | Nov 4, 2012 | Lynx does not verify that the server's certificate is signed by a trusted certification authority, which allows man-in-the-middle attackers to spoof SSL servers via a crafted certificate, related to improper use of a certain GnuTLS function. |
| CVE-2012-5810 | | Med | 0.38 | 5.9 | 0.00 | | Nov 4, 2012 | The Chase mobile banking application for Android does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary… |
| CVE-2011-0199 | | Med | 0.38 | 5.9 | 0.01 | | Jun 24, 2011 | The Certificate Trust Policy component in Apple Mac OS X before 10.6.8 does not perform CRL checking for Extended Validation (EV) certificates that lack OCSP URLs, which might allow man-in-the-middle attackers to spoof an SSL server via a revoked certificate. |
| CVE-2026-22613 | | Med | 0.37 | 5.7 | 0.00 | | Feb 9, 2026 | The server identity check mechanism for firmware upgrade performed via command shell is insecurely implemented potentially allowing an attacker to perform a Man-in-the-middle attack. This security issue has been fixed in the latest firmware version of Eaton Network M3 which… |
| CVE-2025-48393 | | Med | 0.37 | 5.7 | 0.00 | | Aug 6, 2025 | The server identity check mechanism for firmware upgrade performed via command shell is insecurely implemented potentially allowing an attacker to perform a Man-in-the-middle attack. This security issue has been fixed in the latest firmware version of Eaton G4 PDU which is… |
| CVE-2025-1001 | | Med | 0.37 | 5.7 | 0.00 | | Feb 21, 2025 | Medixant RadiAnt DICOM Viewer is vulnerable due to failure of the update mechanism to verify the update server's certificate which could allow an attacker to alter network traffic and carry out a machine-in-the-middle attack (MITM). An attacker could modify the server's response… |