Total: 1411 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-26463 | 1 Strongswan | 1 Strongswan | 2026-06-17 | N/A | 9.8 CRITICAL |
| strongSwan 5.9.8 and 5.9.9 potentially allows remote code execution because it uses a variable named "public" for two different purposes within the same function. There is initially incorrect access control, later followed by an expired pointer dereference. One attack vector is sending an untrusted client certificate during EAP-TLS. A server is affected only if it loads plugins that implement TLS-based EAP methods (EAP-TLS, EAP-TTLS, EAP-PEAP, or EAP-TNC). This is fixed in 5.9.10. | |||||
| CVE-2023-25392 | 1 Allegro | 1 Bigflow | 2026-06-17 | N/A | 5.9 MEDIUM |
| Allegro Tech BigFlow <1.6 is vulnerable to Missing SSL Certificate Validation. | |||||
| CVE-2023-24461 | 3 Apple, F5, Microsoft | 3 Macos, Big-ip Access Policy Manager, Windows | 2026-06-17 | N/A | 7.4 HIGH |
| An improper certificate validation vulnerability exists in the BIG-IP Edge Client for Windows and macOS and may allow an attacker to impersonate a BIG-IP APM system. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. | |||||
| CVE-2023-23901 | 1 Seiko-sol | 4 Skybridge Basic Mb-a130, Skybridge Basic Mb-a130 Firmware, Skybridge Mb-a200 and 1 more | 2026-06-17 | N/A | 6.5 MEDIUM |
| Improper following of a certificate's chain of trust exists in SkyBridge MB-A200 firmware Ver. 01.00.05 and earlier, and SkyBridge BASIC MB-A130 firmware Ver. 1.4.1 and earlier, which may allow a remote unauthenticated attacker to eavesdrop on or alter the communication sent to the WebUI of the product. | |||||
| CVE-2023-23690 | 1 Dell | 1 Cloud Mobility For Dell Emc Storage | 2026-06-17 | N/A | 7.0 HIGH |
| Cloud Mobility for Dell EMC Storage, versions 1.3.0.X and below, contains an Improper Check for Certificate Revocation vulnerability. A threat actor does not need any specific privileges to potentially exploit this vulnerability. An attacker could perform a man-in-the-middle attack and eavesdrop on encrypted communications from Cloud Mobility to Cloud Storage devices. Exploitation could lead to the compromise of secret and sensitive information, cloud storage connection downtime, and loss of integrity of the connection to the Cloud devices. | |||||
| CVE-2023-23588 | 2 Microchip, Siemens | 10 Maxview Storage Manager, Simatic Ipc1047, Simatic Ipc1047 Firmware and 7 more | 2026-06-17 | N/A | 6.2 MEDIUM |
| A vulnerability has been identified in SIMATIC IPC1047 (All versions), SIMATIC IPC1047E (All versions with maxView Storage Manager < 4.09.00.25611 on Windows), SIMATIC IPC647D (All versions), SIMATIC IPC647E (All versions with maxView Storage Manager < 4.09.00.25611 on Windows), SIMATIC IPC847D (All versions), SIMATIC IPC847E (All versions with maxView Storage Manager < 4.09.00.25611 on Windows). The Adaptec Maxview application on affected devices is using a non-unique TLS certificate across installations to protect the communication from the local browser to the local application. A local attacker may use this key to decrypt intercepted local traffic between the browser and the application and could perform a man-in-the-middle attack in order to modify data in transit. | |||||
| CVE-2023-23546 | 1 Milesight | 2 Ur32l, Ur32l Firmware | 2026-06-17 | N/A | 4.2 MEDIUM |
| A misconfiguration vulnerability exists in the urvpn_client functionality of Milesight UR32L v32.3.0.5. An attacker positioned as a man-in-the-middle on the VPN client's connection can exploit this misconfiguration to gain increased privileges. | |||||
| CVE-2023-23131 | 1 Selfwealth | 1 Selfwealth | 2026-06-17 | N/A | 7.5 HIGH |
| Selfwealth iOS mobile App 3.3.1 is vulnerable to Insecure App Transport Security (ATS) Settings. | |||||
| CVE-2023-22943 | 1 Splunk | 2 Add-on Builder, Cloudconnect Software Development Kit | 2026-06-17 | N/A | 4.8 MEDIUM |
| In Splunk Add-on Builder (AoB) versions below 4.1.2 and the Splunk CloudConnect SDK versions below 3.1.3, requests to third-party APIs through the REST API Modular Input incorrectly revert to using HTTP to connect after a failure to connect over HTTPS occurs. | |||||
| CVE-2023-22642 | 1 Fortinet | 2 Fortianalyzer, Fortimanager | 2026-06-17 | N/A | 7.5 HIGH |
| An improper certificate validation vulnerability [CWE-295] in FortiAnalyzer and FortiManager 7.2.0 through 7.2.1, 7.0.0 through 7.0.5, and 6.4.8 through 6.4.10 may allow a remote and unauthenticated attacker to perform a Man-in-the-Middle attack on the communication channel between the device and the remote FortiGuard server hosting outbreakalert resources. | |||||
| CVE-2023-22367 | 1 Ichiranusa | 1 Ichiran | 2026-06-17 | N/A | 5.9 MEDIUM |
| Ichiran App for iOS versions prior to 3.1.0 and Ichiran App for Android versions prior to 3.1.0 improperly verify server certificates, which may allow a remote unauthenticated attacker to eavesdrop on an encrypted communication via a man-in-the-middle attack. | |||||
| CVE-2023-21358 | 1 Google | 1 Android | 2026-06-17 | N/A | 7.8 HIGH |
| In UWB Google, there is a possible way for a malicious app to masquerade as system app com.android.uwb.resources due to improperly used crypto. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | |||||
| CVE-2023-21265 | 1 Google | 1 Android | 2026-06-17 | N/A | 7.5 HIGH |
| In multiple locations, there are root CA certificates which need to be disabled. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. | |||||
| CVE-2023-20963 | 1 Google | 1 Android | 2026-06-17 | N/A | 7.8 HIGH |
| In WorkSource, there is a possible parcel mismatch. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-11, Android-12, Android-12L, Android-13. Android ID: A-220302519. | |||||
| CVE-2023-20881 | 1 Cloudfoundry | 3 Capi-release, Cf-deployment, Loggregator-agent | 2026-06-17 | N/A | 8.1 HIGH |
| Cloud Foundry instances having CAPI version between 1.140 and 1.152.0 along with loggregator-agent v7+ may allow a user to override other users' syslog drain credentials if they are aware of the client certificate used for that syslog drain. This applies even if the drain has zero certs. This would allow the user to override the private key and add or modify a certificate authority used for the connection. | |||||
| CVE-2023-1664 | 1 Redhat | 5 Build Of Quarkus, Jboss A-mq, Keycloak and 2 more | 2026-06-17 | N/A | 6.5 MEDIUM |
| A flaw was found in Keycloak. This flaw depends on the non-default configuration "Revalidate Client Certificate" being enabled while the reverse proxy in front of Keycloak does not validate the certificate itself. In that setup an attacker may choose the certificate that will be validated by the server. If this happens and the KC_SPI_TRUSTSTORE_FILE_FILE variable is missing or misconfigured, any trust file may be accepted, with the log message "Cannot validate client certificate trust: Truststore not available". This may not impact availability, as the attacker would have no access to the server, but the integrity or confidentiality of consumer applications may be impacted given possible access to them. If the environment is correctly set up to use "Revalidate Client Certificate" (with a valid truststore), this flaw is avoidable. | |||||
| CVE-2023-1514 | 1 Hitachienergy | 1 Rtu500 Scripting Interface | 2026-06-17 | N/A | 7.4 HIGH |
| A vulnerability exists in the component RTU500 Scripting interface. When a client connects to a server using TLS, the server presents a certificate. This certificate links a public key to the identity of the service and is signed by a Certification Authority (CA), allowing the client to validate that the remote service can be trusted and is not malicious. If the client does not validate the parameters of the certificate (chain of trust, validity period, and the name it was issued for), then attackers could spoof the identity of the service. An attacker could exploit the vulnerability by faking the identity of an RTU500 device and intercepting the messages initiated via the RTU500 Scripting interface. | |||||
| CVE-2023-1409 | 3 Apple, Microsoft, Mongodb | 3 Macos, Windows, Mongodb | 2026-06-17 | N/A | 5.3 MEDIUM |
| If the MongoDB Server running on Windows or macOS is configured to use TLS with a specific set of configuration options that are already known to work securely on other platforms (e.g. Linux), it is possible that client certificate validation may not be in effect, potentially allowing a client to establish a TLS connection with the server while supplying any certificate. This issue affects all MongoDB Server v6.3 versions, MongoDB Server v5.0 versions v5.0.0 to v5.0.14, and all MongoDB Server v4.4 versions. | |||||
| CVE-2023-1055 | 2 Fedoraproject, Redhat | 2 Fedora, Directory Server | 2026-06-17 | N/A | 5.5 MEDIUM |
| A flaw was found in RHDS 11 and RHDS 12. While browsing entries, the LDAP browser in cockpit-389-ds tries to decode the userPassword attribute instead of the userCertificate attribute, which could lead to sensitive information being leaked. An attacker with a local account on the host where cockpit-389-ds is running can list the processes and display the hashed passwords. The highest threat from this vulnerability is to data confidentiality. | |||||
| CVE-2023-0547 | 1 Mozilla | 1 Thunderbird | 2026-06-17 | N/A | 6.5 MEDIUM |
| OCSP revocation status of recipient certificates was not checked when sending S/MIME encrypted email, and revoked certificates would be accepted. Thunderbird versions from 68 to 102.9.1 were affected by this bug. This vulnerability affects Thunderbird < 102.10. | |||||
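Most entries in this list are variations on one client-side mistake: the TLS client does not check that the certificate it received chains to a trust anchor it has chosen and was issued for the host it meant to reach (the scenario CVE-2023-1514 spells out for the RTU500 scripting interface, and the one behind the "improper certificate validation" entries for Ichiran, BigFlow and the BIG-IP Edge Client). The following Go program is an added example, written for this page and not taken from any vendor's code, that reproduces those failure modes offline with the standard library only. It mints its own CA and leaf certificates (the "Operator Root CA", "Attacker CA", `rtu500.example` and `other.example` names are constructed), runs a TLS server on loopback, and shows a verifying client rejecting a certificate signed by an attacker-controlled CA and one issued for the wrong name, while a client with `InsecureSkipVerify` set accepts the spoofed server.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// issue returns a fresh P-256 key and certificate for name: a self-signed CA when parent is nil, otherwise a leaf signed by parent.
func issue(name string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), BasicConstraintsValid: true}
	signer, signerKey := tmpl, key // self-signed unless a parent is given
	if parent == nil {
		tmpl.IsCA, tmpl.KeyUsage = true, x509.KeyUsageCertSign
	} else {
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		tmpl.DNSNames = []string{name} // the SAN a client must match against
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// connect runs a client handshake with addr. A careful client pins the name it expects (ServerName)
// and its trust anchors (RootCAs); skipVerify reproduces the weak client that accepts any certificate.
func connect(addr, serverName string, roots *x509.CertPool, skipVerify bool) error {
	conn, err := tls.Dial("tcp", addr, &tls.Config{RootCAs: roots, ServerName: serverName, InsecureSkipVerify: skipVerify})
	if err != nil {
		return err
	}
	conn.Close() // the handshake is what we are testing, and it has already succeeded
	return nil
}

// Classify names which validation step rejected the peer, or reports "accepted".
func Classify(err error) string {
	var ua, hn = x509.UnknownAuthorityError{}, x509.HostnameError{}
	switch {
	case err == nil:
		return "accepted"
	case errors.As(err, &ua): // chain does not end at a trusted root
		return "rejected: untrusted issuer"
	case errors.As(err, &hn): // trusted chain, but issued for another name
		return "rejected: name mismatch"
	}
	return "rejected: " + err.Error()
}

// RunScenarios stands up a legitimate server, a spoofed one (right name, attacker-signed) and one with the wrong name.
func RunScenarios() map[string]string {
	const name = "rtu500.example" // hypothetical host name the client expects
	ca, caKey := issue("Operator Root CA", nil, nil)
	rogueCA, rogueKey := issue("Attacker CA", nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(ca) // the only trust anchor the client accepts
	results := map[string]string{}
	run := func(label string, cert *x509.Certificate, key *ecdsa.PrivateKey, skip bool) {
		ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
			Certificates: []tls.Certificate{{Certificate: [][]byte{cert.Raw}, PrivateKey: key}}})
		must(err)
		defer ln.Close()
		go func() { // server side: complete one handshake per connection, then drop it
			for c, err := ln.Accept(); err == nil; c, err = ln.Accept() {
				go func(c *tls.Conn) { c.Handshake(); c.Close() }(c.(*tls.Conn))
			}
		}()
		results[label] = Classify(connect(ln.Addr().String(), name, roots, skip))
	}
	leaf, leafKey := issue(name, ca, caKey)
	rogue, rogueLeafKey := issue(name, rogueCA, rogueKey) // right name, untrusted issuer
	other, otherKey := issue("other.example", ca, caKey)  // trusted issuer, wrong name
	run("legitimate", leaf, leafKey, false)
	run("spoofed, verifying client", rogue, rogueLeafKey, false)
	run("spoofed, InsecureSkipVerify", rogue, rogueLeafKey, true)
	run("wrong name", other, otherKey, false)
	return results
}

func main() { fmt.Println(RunScenarios()) }
```

The two rejections come from different checks, and a client has to get both right: an attacker who can obtain a certificate for the right name from any CA the client trusts defeats the issuer check alone, and a certificate from a trusted CA for a different name defeats the chain check alone. `InsecureSkipVerify` (or its equivalent in other TLS stacks, such as an empty `verify` callback or a custom trust manager that returns without checking) disables both, which is the shape of most of the CVEs above. Revocation (CVE-2023-23690, CVE-2023-0547) is a third, separate check that this example does not perform.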
