Total
2450 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-4894 | 1 Calmkart | 1 Django-sso-server | 2025-06-05 | 2.6 LOW | 3.7 LOW |
| A vulnerability classified as problematic was found in calmkart Django-sso-server up to 057247929a94ffc358788a37ab99e391379a4d15. This vulnerability affects the function gen_rsa_keys of the file common/crypto.py. The manipulation leads to inadequate encryption strength. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. This product is using a rolling release to provide continious delivery. Therefore, no version details for affected nor updated releases are available. | |||||
| CVE-2025-5136 | 2025-05-28 | 2.6 LOW | 3.7 LOW | ||
| A vulnerability, which was classified as problematic, was found in Tmall Demo up to 20250505. This affects an unknown part of the file /tmall/order/pay/ of the component Payment Identifier Handler. The manipulation leads to insufficiently random values. It is possible to initiate the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. This product does not use versioning. This is why information about affected and unaffected releases are unavailable. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2016-1000352 | 1 Bouncycastle | 1 Bc-java | 2025-05-12 | 5.8 MEDIUM | 7.4 HIGH |
| In the Bouncy Castle JCE Provider version 1.55 and earlier the ECIES implementation allowed the use of ECB mode. This mode is regarded as unsafe and support for it has been removed from the provider. | |||||
| CVE-2016-1000343 | 2 Bouncycastle, Debian | 2 Bc-java, Debian Linux | 2025-05-12 | 5.0 MEDIUM | 7.5 HIGH |
| In the Bouncy Castle JCE Provider version 1.55 and earlier the DSA key pair generator generates a weak private key if used with default values. If the JCA key pair generator is not explicitly initialised with DSA parameters, 1.55 and earlier generates a private value assuming a 1024 bit key size. In earlier releases this can be dealt with by explicitly passing parameters to the key pair generator. | |||||
| CVE-2016-1000344 | 1 Bouncycastle | 1 Bc-java | 2025-05-12 | 5.8 MEDIUM | 7.4 HIGH |
| In the Bouncy Castle JCE Provider version 1.55 and earlier the DHIES implementation allowed the use of ECB mode. This mode is regarded as unsafe and support for it has been removed from the provider. | |||||
| CVE-2013-1624 | 1 Bouncycastle | 2 Bc-java, Legion-of-the-bouncy-castle-c\#-cryptography-api | 2025-05-12 | 4.0 MEDIUM | N/A |
| The TLS implementation in the Bouncy Castle Java library before 1.48 and C# library before 1.8 does not properly consider timing side-channel attacks on a noncompliant MAC check operation during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, a related issue to CVE-2013-0169. | |||||
| CVE-2016-1000339 | 2 Bouncycastle, Debian | 2 Bc-java, Debian Linux | 2025-05-12 | 5.0 MEDIUM | 5.3 MEDIUM |
| In the Bouncy Castle JCE Provider version 1.55 and earlier the primary engine class used for AES was AESFastEngine. Due to the highly table driven approach used in the algorithm it turns out that if the data channel on the CPU can be monitored the lookup table accesses are sufficient to leak information on the AES key being used. There was also a leak in AESEngine although it was substantially less. AESEngine has been modified to remove any signs of leakage (testing carried out on Intel X86-64) and is now the primary AES class for the BC JCE provider from 1.56. Use of AESFastEngine is now only recommended where otherwise deemed appropriate. | |||||
| CVE-2011-4667 | 1 Cisco | 2 Ios, Nx-os | 2025-04-20 | 4.3 MEDIUM | 5.9 MEDIUM |
| The encryption library in Cisco IOS Software 15.2(1)T, 15.2(1)T1, and 15.2(2)T, Cisco NX-OS in Cisco MDS 9222i Multiservice Modular Switch, Cisco MDS 9000 18/4-Port Multiservice Module, and Cisco MDS 9000 Storage Services Node module before 5.2(6), and Cisco IOS in Cisco VPN Services Port Adaptor for Catalyst 6500 12.2(33)SXI, and 12.2(33)SXJ when IP Security (aka IPSec) is used, allows remote attackers to obtain unencrypted packets from encrypted sessions. | |||||
| CVE-2016-4457 | 1 Redhat | 1 Cloudforms Management Engine | 2025-04-20 | 5.0 MEDIUM | 7.5 HIGH |
| CloudForms Management Engine before 5.8 includes a default SSL/TLS certificate. | |||||
| CVE-2014-2903 | 1 Wolfssl | 1 Wolfssl | 2025-04-20 | 4.3 MEDIUM | 5.9 MEDIUM |
| CyaSSL does not check the key usage extension in leaf certificates, which allows remote attackers to spoof servers via a crafted server certificate not authorized for use in an SSL/TLS handshake. | |||||
| CVE-2014-8684 | 2 Codeigniter, Kohanaframework | 2 Codeigniter, Kohana | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
| CodeIgniter before 3.0 and Kohana 3.2.3 and earlier and 3.3.x through 3.3.2 make it easier for remote attackers to spoof session cookies and consequently conduct PHP object injection attacks by leveraging use of standard string comparison operators to compare cryptographic hashes. | |||||
| CVE-2016-7812 | 1 Mufg | 1 Mitsubishi Ufj | 2025-04-20 | 4.3 MEDIUM | 3.1 LOW |
| The Bank of Tokyo-Mitsubishi UFJ, Ltd. App for Android ver5.3.1, ver5.2.2 and earlier allow a man-in-the-middle attacker to downgrade the communication between the app and the server from TLS v1.2 to SSL v3.0, which may result in the attacker to eavesdrop on an encrypted communication. | |||||
| CVE-2016-7585 | 1 Apple | 1 Mac Os X | 2025-04-20 | 2.1 LOW | 6.8 MEDIUM |
| An issue was discovered in certain Apple products. macOS before 10.12.4 is affected. The issue involves mishandling of DMA in the "EFI" component. It allows physically proximate attackers to discover the FileVault 2 encryption password via a crafted Thunderbolt adapter. | |||||
| CVE-2015-9003 | 1 Google | 1 Android | 2025-04-20 | 9.3 HIGH | 7.8 HIGH |
| In TrustZone a cryptographic issue can potentially occur in all Android releases from CAF using the Linux kernel. | |||||
| CVE-2015-7256 | 1 Zyxel | 50 C1000z, C1000z Firmware, Fr1000z and 47 more | 2025-04-20 | 4.3 MEDIUM | 5.9 MEDIUM |
| ZyXEL NWA1100-N, NWA1100-NH, NWA1121-NI, NWA1123-AC, and NWA1123-NI access points; P-660HN-51, P-663HN-51, VMG1312-B10A, VMG1312-B30A, VMG1312-B30B, VMG4380-B10A, VMG8324-B10A, VMG8924-B10A, VMG8924-B30A, and VSG1435-B101 DSL CPEs; PMG5318-B20A GPONs; SBG3300-N000, SBG3300-NB00, and SBG3500-N000 small business gateways; GS1900-8 and GS1900-24 switches; and C1000Z, Q1000, FR1000Z, and P8702N project models use non-unique X.509 certificates and SSH host keys. | |||||
| CVE-2016-6329 | 1 Openvpn | 1 Openvpn | 2025-04-20 | 4.3 MEDIUM | 5.9 MEDIUM |
| OpenVPN, when using a 64-bit block cipher, makes it easier for remote attackers to obtain cleartext data via a birthday attack against a long-duration encrypted session, as demonstrated by an HTTP-over-OpenVPN session using Blowfish in CBC mode, aka a "Sweet32" attack. | |||||
| CVE-2014-7808 | 1 Apache | 1 Wicket | 2025-04-20 | 5.0 MEDIUM | 7.5 HIGH |
| Apache Wicket before 1.5.13, 6.x before 6.19.0, and 7.x before 7.0.0-M5 make it easier for attackers to defeat a cryptographic protection mechanism and predict encrypted URLs by leveraging use of CryptoMapper as the default encryption provider. | |||||
| CVE-2015-9107 | 1 Zohocorp | 1 Manageengine Opmanager | 2025-04-20 | 5.0 MEDIUM | 9.8 CRITICAL |
| Zoho ManageEngine OpManager 11 through 12.2 uses a custom encryption algorithm to protect the credential used to access the monitored devices. The implemented algorithm doesn't use a per-system key or even a salt; therefore, it's possible to create a universal decryptor. | |||||
| CVE-2016-10376 | 1 Gajim | 1 Gajim | 2025-04-20 | 3.5 LOW | 4.5 MEDIUM |
| Gajim through 0.16.7 unconditionally implements the "XEP-0146: Remote Controlling Clients" extension. This can be abused by malicious XMPP servers to, for example, extract plaintext from OTR encrypted sessions. | |||||
| CVE-2016-10137 | 1 Adups | 1 Adups Fota | 2025-04-20 | 7.2 HIGH | 7.8 HIGH |
| An issue was discovered on BLU R1 HD devices with Shanghai Adups software. The content provider named com.adups.fota.sysoper.provider.InfoProvider in the app with a package name of com.adups.fota.sysoper allows any app on the device to read, write, and delete files as the system user. In the com.adups.fota.sysoper app's AndroidManifest.xml file, it sets the android:sharedUserId attribute to a value of android.uid.system which makes it execute as the system user, which is a very privileged user on the device. This allows a third-party app to read, write, and delete the user's sent and received text messages and call log. This allows a third-party app to obtain PII from the user without permission to do so. | |||||