Filtered by CWE-326
Total 396 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2010-3670 1 Typo3 1 Typo3 2024-11-21 4.8 Medium
TYPO3 before 4.3.4 and 4.4.x before 4.4.1 contains insecure randomness during generation of a hash with the "forgot password" function.
CVE-2009-2474 5 Apple, Canonical, Fedoraproject and 2 more 5 Mac Os X, Ubuntu Linux, Fedora and 2 more 2024-11-21 N/A
neon before 0.28.6, when OpenSSL or GnuTLS is used, does not properly handle a '\0' character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.
CVE-2005-4900 1 Google 1 Chrome 2024-11-21 N/A
SHA-1 is not collision resistant, which makes it easier for context-dependent attackers to conduct spoofing attacks, as demonstrated by attacks on the use of SHA-1 in TLS 1.2. NOTE: this CVE exists to provide a common identifier for referencing this SHA-1 issue; the existence of an identifier is not, by itself, a technology recommendation.
CVE-2023-6728 2024-11-05 3.3 Low
Nokia SR OS bof.cfg file encryption is vulnerable to a brute force attack. This weakness allows an attacker in possession of the encrypted file to decrypt the bof.cfg file and obtain the BOF configuration content.
CVE-2024-43382 1 Snowflake 1 Snowflake Jdbc 2024-11-01 5.9 Medium
Snowflake JDBC driver versions >= 3.2.6 and <= 3.19.1 have an Incorrect Security Setting that can result in data being uploaded to an encrypted stage without the additional layer of protection provided by client side encryption.
CVE-2024-45259 1 Gl-inet 20 Gl-a1300 Firmware, Gl-ar300m16 Firmware, Gl-ar300m Firmware and 17 more 2024-10-28 6.5 Medium
An issue was discovered on certain GL-iNet devices, including MT6000, MT3000, MT2500, AXT1800, and AX1800 4.6.2. By intercepting an HTTP request and changing the filename property in the download interface, any file on the device can be deleted.
CVE-2024-45394 2 Authenticator, Authenticator-extension 2 Authenticator, Authenticator 2024-10-09 8.8 High
Authenticator is a browser extension that generates two-step verification codes. In versions 7.0.0 and below, encryption keys for user data were stored encrypted at-rest using only AES-256 and the EVP_BytesToKey KDF. Therefore, attackers with a copy of a user's data are able to brute-force the user's encryption key. Users on version 8.0.0 and above are automatically migrated away from the weak encoding on first login. Users should destroy encrypted backups made with versions prior to 8.0.0.
CVE-2024-47182 1 Amirraminfar 1 Dozzle 2024-10-04 4.8 Medium
Dozzle is a realtime log viewer for docker containers. Before version 8.5.3, the app uses sha-256 as the hash for passwords, which leaves users susceptible to rainbow table attacks. The app switches to bcrypt, a more appropriate hash for passwords, in version 8.5.3.
CVE-2024-8455 2 Planet, Planet Technology Corp 9 Gs-4210-24p2s, Gs-4210-24p2s Firmware, Gs-4210-24pl4c and 6 more 2024-10-04 8.1 High
The swctrl service is used to detect and remotely manage PLANET Technology devices. For certain switch models, the authentication tokens used during communication with this service are encoded user passwords. Due to insufficient strength, unauthorized remote attackers who intercept the packets can directly crack them to obtain plaintext passwords.
CVE-2021-38121 1 Microfocus 1 Netiq Advanced Authentication 2024-09-13 8.3 High
Insufficient or weak TLS protocol version identified in Advance authentication client server communication when specific service is accessed between devices.  This issue affects NetIQ Advance Authentication versions before 6.3.5.1
CVE-2024-42163 1 Fiware 1 Keyrock 2024-08-29 8.3 High
Insufficiently random values for generating password reset token in FIWARE Keyrock <= 8.4 allow attackers to take over the account of any user by predicting the token for the password reset link.
CVE-2024-41681 1 Siemens 1 Location Intelligence 2024-08-14 6.7 Medium
A vulnerability has been identified in Location Intelligence family (All versions < V4.4). The web server of affected products is configured to support weak ciphers by default. This could allow an unauthenticated attacker in an on-path position to to read and modify any data passed over the connection between legitimate clients and the affected device.
CVE-2024-21787 1 Bmra Software 1 Bmra Software 2024-08-14 6.4 Medium
Inadequate encryption strength for some BMRA software before version 22.08 may allow an authenticated user to potentially enable escalation of privilege via local access.
CVE-2024-5800 2024-08-12 N/A
Diffie-Hellman groups with insufficient strength are used in the SSL/TLS stack of B&R Automation Runtime versions before 6.0.2, allowing a network attacker to decrypt the SSL/TLS communication.
CVE-2024-32758 1 Johnsoncontrols 2 Exacqvision Client, Exacqvision Server 2024-08-09 7.5 High
Under certain circumstances the communication between exacqVision Client and exacqVision Server will use insufficient key length and exchange
CVE-2024-40719 1 Changingtec 1 Tcb Servisign 2024-08-09 6.5 Medium
The encryption strength of the authorization keys in CHANGING Information Technology TCBServiSign Windows Version is insufficient. When a remote attacker tricks a victim into visiting a malicious website, TCBServiSign will treat that website as a legitimate server and interact with it.