Filtered by CWE-326
Filtered by vendor Subscriptions
Total 390 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2024-30119 1 Hcl Software 1 Dryice Optibot Reset Station 2024-11-21 3.7 Low
HCL DRYiCE Optibot Reset Station is impacted by a missing Strict Transport Security Header.  This could allow an attacker to intercept or manipulate data during redirection.
CVE-2024-29969 2024-11-21 7.5 High
When a Brocade SANnav installation is upgraded from Brocade SANnav v2.2.2 to Brocade SANnav 2.3.0, TLS/SSL weak message authentication code ciphers are added by default for port 18082.
CVE-2024-29951 2024-11-21 5.7 Medium
Brocade SANnav before v2.3.1 and v2.3.0a uses the SHA-1 hash in internal SSH ports that are not open to remote connection.
CVE-2024-29950 2024-11-21 7.5 High
The class FileTransfer implemented in Brocade SANnav before v2.3.1, v2.3.0a, uses the ssh-rsa signature scheme, which has a SHA-1 hash. The vulnerability could allow a remote, unauthenticated attacker to perform a man-in-the-middle attack.
CVE-2024-28974 2024-11-21 7.6 High
Dell Data Protection Advisor, version(s) 19.9, contain(s) an Inadequate Encryption Strength vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to Denial of service.
CVE-2024-28860 1 Cilium 1 Cilium 2024-11-21 8 High
Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Users of IPsec transparent encryption in Cilium may be vulnerable to cryptographic attacks that render the transparent encryption ineffective. In particular, Cilium is vulnerable to chosen plaintext, key recovery, replay attacks by a man-in-the-middle attacker. These attacks are possible due to an ESP sequence number collision when multiple nodes are configured with the same key. Fixed versions of Cilium use unique keys for each IPsec tunnel established between nodes, resolving all of the above attacks. This vulnerability is fixed in 1.13.13, 1.14.9, and 1.15.3.
CVE-2024-28755 2024-11-21 6.5 Medium
An issue was discovered in Mbed TLS 3.5.x before 3.6.0. When an SSL context was reset with the mbedtls_ssl_session_reset() API, the maximum TLS version to be negotiated was not restored to the configured one. An attacker was able to prevent an Mbed TLS server from establishing any TLS 1.3 connection, potentially resulting in a Denial of Service or forced version downgrade from TLS 1.3 to TLS 1.2.
CVE-2024-25102 2024-11-21 7.8 High
This vulnerability exists in AppSamvid software due to the usage of a weaker cryptographic algorithm (hash) SHA1 in user login component. An attacker with local administrative privileges could exploit this to obtain the password of AppSamvid on the targeted system. Successful exploitation of this vulnerability could allow the attacker to take complete control of the application on the targeted system.
CVE-2024-23656 1 Linuxfoundation 1 Dex 2024-11-21 7.5 High
Dex is an identity service that uses OpenID Connect to drive authentication for other apps. Dex 2.37.0 serves HTTPS with insecure TLS 1.0 and TLS 1.1. `cmd/dex/serve.go` line 425 seemingly sets TLS 1.2 as minimum version, but the whole `tlsConfig` is ignored after `TLS cert reloader` was introduced in v2.37.0. Configured cipher suites are not respected either. This issue is fixed in Dex 2.38.0.
CVE-2024-23580 2024-11-21 6.5 Medium
HCL DRYiCE Optibot Reset Station is impacted by insecure encryption of One-Time Passwords (OTPs). This could allow an attacker with access to the database to recover some or all encrypted values.
CVE-2024-23579 2024-11-21 6.5 Medium
HCL DRYiCE Optibot Reset Station is impacted by insecure encryption of security questions. This could allow an attacker with access to the database to recover some or all encrypted values.
CVE-2024-22894 2 Alpha-innotec, Novelan 4 Heat Pumps, Heat Pumps Firmware, Heat Pumps and 1 more 2024-11-21 6.8 Medium
An issue fixed in AIT-Deutschland Alpha Innotec Heatpumps V2.88.3 or later, V3.89.0 or later, V4.81.3 or later and Novelan Heatpumps V2.88.3 or later, V3.89.0 or later, V4.81.3 or later, allows remote attackers to execute arbitrary code via the password component in the shadow file.
CVE-2024-20692 1 Microsoft 23 Windows 10 1507, Windows 10 1607, Windows 10 1809 and 20 more 2024-11-21 5.7 Medium
Microsoft Local Security Authority Subsystem Service Information Disclosure Vulnerability
CVE-2024-1224 2024-11-21 7.1 High
This vulnerability exists in USB Pratirodh due to the usage of a weaker cryptographic algorithm (hash) SHA1 in user login component. A local attacker with administrative privileges could exploit this vulnerability to obtain the password of USB Pratirodh on the targeted system. Successful exploitation of this vulnerability could allow the attacker to take control of the application and modify the access control of registered users or devices on the targeted system.
CVE-2024-0753 3 Debian, Mozilla, Redhat 9 Debian Linux, Firefox, Firefox Esr and 6 more 2024-11-21 6.5 Medium
In specific HSTS configurations an attacker could have bypassed HSTS on a subdomain. This vulnerability affects Firefox < 122, Firefox ESR < 115.7, and Thunderbird < 115.7.
CVE-2023-7237 1 Lantronix 2 Xport Edge, Xport Edge Firmware 2024-11-21 5.7 Medium
Lantronix XPort sends weakly encoded credentials within web request headers.
CVE-2023-4333 2 Broadcom, Microsoft 2 Raid Controller Web Interface, Windows 2024-11-21 5.5 Medium
Broadcom RAID Controller web interface doesn’t enforce SSL cipher ordering by server
CVE-2023-4129 1 Dell 1 Data Protection Central 2024-11-21 5.9 Medium
Dell Data Protection Central, version 19.9, contains an Inadequate Encryption Strength Vulnerability. An unauthenticated network attacker could potentially exploit this vulnerability, allowing an attacker to recover plaintext from a block of ciphertext.
CVE-2023-48051 1 Carglglz 1 Upydev 2024-11-21 7.5 High
An issue in /upydev/keygen.py in upydev v0.4.3 allows attackers to decrypt sensitive information via weak encryption padding.
CVE-2023-48034 1 Acer 2 Sk-9662, Sk-9662 Firmware 2024-11-21 6.1 Medium
An issue discovered in Acer Wireless Keyboard SK-9662 allows attacker in physical proximity to both decrypt wireless keystrokes and inject arbitrary keystrokes via use of weak encryption.