Total
551 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-20567 | 2 Amd, Intel | 123 Radeon Pro Vega 56, Radeon Pro Vega 56 Firmware, Radeon Pro Vega 64 and 120 more | 2025-02-13 | N/A | 6.7 MEDIUM |
| Improper signature verification of RadeonTM RX Vega M Graphics driver for Windows may allow an attacker with admin privileges to launch AMDSoftwareInstaller.exe without validating the file signature potentially leading to arbitrary code execution. | |||||
| CVE-2022-23540 | 1 Auth0 | 1 Jsonwebtoken | 2025-02-13 | N/A | 6.4 MEDIUM |
| In versions `<=8.5.1` of `jsonwebtoken` library, lack of algorithm definition in the `jwt.verify()` function can lead to signature validation bypass due to defaulting to the `none` algorithm for signature verification. Users are affected if you do not specify algorithms in the `jwt.verify()` function. This issue has been fixed, please update to version 9.0.0 which removes the default support for the none algorithm in the `jwt.verify()` method. There will be no impact, if you update to version 9.0.0 and you don’t need to allow for the `none` algorithm. If you need 'none' algorithm, you have to explicitly specify that in `jwt.verify()` options. | |||||
| CVE-2020-12607 | 1 Antonkueltz | 1 Fastecdsa | 2025-02-12 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in fastecdsa before 2.1.2. When using the NIST P-256 curve in the ECDSA implementation, the point at infinity is mishandled. This means that for an extreme value in k and s^-1, the signature verification fails even if the signature is correct. This behavior is not solely a usability problem. There are some threat models where an attacker can benefit by successfully guessing users for whom signature verification will fail. | |||||
| CVE-2024-49413 | 1 Samsung | 1 Android | 2025-02-10 | N/A | 7.1 HIGH |
| Improper Verification of Cryptographic Signature in SmartSwitch prior to SMR Dec-2024 Release 1 allows local attackers to install malicious applications. | |||||
| CVE-2024-22461 | 1 Dell | 1 Recoverpoint For Virtual Machines | 2025-02-04 | N/A | 8.8 HIGH |
| Dell RecoverPoint for Virtual Machines 6.0.x contains an OS Command injection vulnerability. A low privileged remote attacker could potentially exploit this vulnerability by running any command as root, leading to gaining of root-level access and compromise of complete system. | |||||
| CVE-2024-10237 | 2025-02-04 | N/A | 7.2 HIGH | ||
| There is a vulnerability in the BMC firmware image authentication design at Supermicro MBD-X12DPG-OA6 . An attacker can modify the firmware to bypass BMC inspection and bypass the signature verification process | |||||
| CVE-2024-47476 | 1 Dell | 1 Networker Management Console | 2025-02-03 | N/A | 7.8 HIGH |
| Dell NetWorker Management Console, version(s) 19.11, contain(s) an Improper Verification of Cryptographic Signature vulnerability. An unauthenticated attacker with local access could potentially exploit this vulnerability, leading to Code execution. | |||||
| CVE-2023-1204 | 1 Gitlab | 1 Gitlab | 2025-01-30 | N/A | 4.3 MEDIUM |
| An issue has been discovered in GitLab CE/EE affecting all versions starting from 10.1 before 15.10.8, all versions starting from 15.11 before 15.11.7, all versions starting from 16.0 before 16.0.2. A user could use an unverified email as a public email and commit email by sending a specifically crafted request on user update settings. | |||||
| CVE-2023-25934 | 1 Dell | 1 Elastic Cloud Storage | 2025-01-29 | N/A | 5.9 MEDIUM |
| DELL ECS prior to 3.8.0.2 contains an improper verification of cryptographic signature vulnerability. A network attacker with an ability to intercept the request could potentially exploit this vulnerability to modify the body data of the request. | |||||
| CVE-2025-24800 | 2025-01-28 | N/A | N/A | ||
| Hyperbridge is a hyper-scalable coprocessor for verifiable, cross-chain interoperability. A critical vulnerability was discovered in the ismp-grandpa crate, that allowed a malicious prover easily convince the verifier of the finality of arbitrary headers. This could be used to steal funds or compromise other kinds of cross-chain applications. This vulnerability is fixed in 15.0.1. | |||||
| CVE-2024-7344 | 7 Cs-grp, Greenware, Howyar and 4 more | 7 Neo Impact, Greenguard, Sysreturn and 4 more | 2025-01-22 | N/A | 8.2 HIGH |
| Howyar UEFI Application "Reloader" (32-bit and 64-bit) is vulnerable to execution of unsigned software in a hardcoded path. | |||||
| CVE-2023-34205 | 1 Moov | 1 Signedxml | 2025-01-10 | N/A | 9.1 CRITICAL |
| In Moov signedxml through 1.0.0, parsing the raw XML (as received) can result in different output than parsing the canonicalized XML. Thus, signature validation can be bypassed via a Signature Wrapping attack (aka XSW). | |||||
| CVE-2024-26228 | 1 Microsoft | 14 Windows 10 1507, Windows 10 1607, Windows 10 1809 and 11 more | 2025-01-08 | N/A | 7.8 HIGH |
| Windows Cryptographic Services Security Feature Bypass Vulnerability | |||||
| CVE-2024-26194 | 1 Microsoft | 11 Windows 10 1507, Windows 10 1607, Windows 10 1809 and 8 more | 2025-01-08 | N/A | 7.4 HIGH |
| Secure Boot Security Feature Bypass Vulnerability | |||||
| CVE-2024-54150 | 2024-12-20 | N/A | 9.1 CRITICAL | ||
| cjwt is a C JSON Web Token (JWT) Implementation. Algorithm confusion occurs when a system improperly verifies the type of signature used, allowing attackers to exploit the lack of distinction between signing methods. If the system doesn't differentiate between an HMAC signed token and an RS/EC/PS signed token during verification, it becomes vulnerable to this kind of attack. For instance, an attacker could craft a token with the alg field set to "HS256" while the server expects an asymmetric algorithm like "RS256". The server might mistakenly use the wrong verification method, such as using a public key as the HMAC secret, leading to unauthorised access. For RSA, the key can be computed from a few signatures. For Elliptic Curve (EC), two potential keys can be recovered from one signature. This can be used to bypass the signature mechanism if an application relies on asymmetrically signed tokens. This issue has been addressed in version 2.3.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability. | |||||
| CVE-2024-21988 | 1 Netapp | 1 Storagegrid | 2024-12-13 | N/A | 5.3 MEDIUM |
| StorageGRID (formerly StorageGRID Webscale) versions prior to 11.7.0.9 and 11.8.0.5 are susceptible to disclosure of sensitive information via complex MiTM attacks due to a vulnerability in the SSH cryptographic implementation. | |||||
| CVE-2024-8698 | 2024-12-12 | N/A | 7.7 HIGH | ||
| A flaw exists in the SAML signature validation method within the Keycloak XMLSignatureUtil class. The method incorrectly determines whether a SAML signature is for the full document or only for specific assertions based on the position of the signature in the XML document, rather than the Reference element used to specify the signed element. This flaw allows attackers to create crafted responses that can bypass the validation, potentially leading to privilege escalation or impersonation attacks. | |||||
| CVE-2023-3347 | 3 Fedoraproject, Redhat, Samba | 4 Fedora, Enterprise Linux, Storage and 1 more | 2024-12-06 | N/A | 5.9 MEDIUM |
| A vulnerability was found in Samba's SMB2 packet signing mechanism. The SMB2 packet signing is not enforced if an admin configured "server signing = required" or for SMB2 connections to Domain Controllers where SMB2 packet signing is mandatory. This flaw allows an attacker to perform attacks, such as a man-in-the-middle attack, by intercepting the network traffic and modifying the SMB2 messages between client and server, affecting the integrity of the data. | |||||
| CVE-2024-54126 | 2024-12-05 | N/A | N/A | ||
| This vulnerability exists in the TP-Link Archer C50 due to improper signature verification mechanism in the firmware upgrade process at its web interface. An attacker with administrative privileges within the router’s Wi-Fi range could exploit this vulnerability by uploading and executing malicious firmware which could lead to complete compromise of the targeted device. | |||||
| CVE-2018-18689 | 14 Apple, Avanquest, Foxitsoftware and 11 more | 20 Macos, Expert Pdf Ultimate, Pdf Experte Ultimate and 17 more | 2024-11-27 | 5.0 MEDIUM | 5.3 MEDIUM |
| The Portable Document Format (PDF) specification does not provide any information regarding the concrete procedure of how to validate signatures. Consequently, a Signature Wrapping vulnerability exists in multiple products. An attacker can use /ByteRange and xref manipulations that are not detected by the signature-validation logic. This affects Foxit Reader before 9.4 and PhantomPDF before 8.3.9 and 9.x before 9.4. It also affects eXpert PDF 12 Ultimate, Expert PDF Reader, Nitro Pro, Nitro Reader, PDF Architect 6, PDF Editor 6 Pro, PDF Experte 9 Ultimate, PDFelement6 Pro, PDF Studio Viewer 2018, PDF Studio Pro, PDF-XChange Editor and Viewer, Perfect PDF 10 Premium, Perfect PDF Reader, Soda PDF, and Soda PDF Desktop. | |||||