CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  What's the CVSS score of your company?
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Related To CWE-326

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2021-41829 326 2021-09-30 2021-10-05
5.0
None Remote Low Not required Partial None None
Zoho ManageEngine Remote Access Plus before 10.1.2121.1 relies on the application's build number to calculate a certain encryption key.
2 CVE-2021-41061 326 2021-09-15 2021-09-27
2.1
None Local Low Not required Partial None None
In RIOT-OS 2021.01, nonce reuse in 802.15.4 encryption in the ieee820154_security component allows attackers to break encryption by triggering reboots.
3 CVE-2021-39272 326 2021-08-30 2021-09-25
4.3
None Remote Medium Not required Partial None None
Fetchmail before 6.4.22 fails to enforce STARTTLS session encryption in some circumstances, such as a certain situation with IMAP and PREAUTH.
4 CVE-2021-38984 326 2021-11-15 2021-11-16
5.0
None Remote Low Not required Partial None None
IBM Tivoli Key Lifecycle Manager 3.0, 3.0.1, 4.0, and 4.1 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 212793.
5 CVE-2021-38983 326 2021-11-15 2021-11-16
5.0
None Remote Low Not required Partial None None
IBM Tivoli Key Lifecycle Manager 3.0, 3.0.1, 4.0, and 4.1 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 212792.
6 CVE-2021-38979 326 2021-11-15 2021-11-16
5.0
None Remote Low Not required Partial None None
IBM Tivoli Key Lifecycle Manager 3.0, 3.0.1, 4.0, and 4.1 uses a one-way cryptographic hash against an input that should not be reversible, such as a password, but the software does not also use a salt as part of the input. IBM X-Force ID: 212785.
7 CVE-2021-38925 326 2021-10-06 2021-10-14
5.0
None Remote Low Not required Partial None None
IBM Sterling B2B Integrator Standard Edition 5.2.0. 0 through 6.1.1.0 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 210171.
8 CVE-2021-38862 326 2021-10-12 2021-10-18
5.0
None Remote Low Not required Partial None None
IBM Data Risk Manager (iDNA) 2.0.6 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 207980.
9 CVE-2021-38464 326 2021-10-19 2021-10-22
5.8
None Remote Medium Not required Partial Partial None
InHand Networks IR615 Router's Versions 2.3.0.r4724 and 2.3.0.r4870 have inadequate encryption strength, which may allow an attacker to intercept the communication and steal sensitive information or hijack the session.
10 CVE-2021-37588 326 2021-07-30 2021-08-09
4.3
None Remote Medium Not required Partial None None
In Charm 0.43, any two users can collude to achieve the ability to decrypt YCT14 data.
11 CVE-2021-37587 326 2021-07-30 2021-08-09
4.0
None Remote Low ??? Partial None None
In Charm 0.43, any single user can decrypt DAC-MACS or MA-ABE-YJ14 data.
12 CVE-2021-37551 326 2021-08-06 2021-08-13
5.0
None Remote Low Not required Partial None None
In JetBrains YouTrack before 2021.2.16363, system user passwords were hashed with SHA-256.
13 CVE-2021-37546 326 2021-08-06 2021-08-12
5.0
None Remote Low Not required Partial None None
In JetBrains TeamCity before 2021.1, an insecure key generation mechanism for encrypted properties was used.
14 CVE-2021-37540 326 2021-08-06 2021-08-12
6.4
None Remote Low Not required Partial Partial None
In JetBrains Hub before 2021.1.13262, a potentially insufficient CSP for the Widget deployment feature was used.
15 CVE-2021-36769 326 2021-07-17 2021-07-29
5.0
None Remote Low Not required None Partial None
A reordering issue exists in Telegram before 7.8.1 for Android, Telegram before 7.8.3 for iOS, and Telegram Desktop before 2.8.8. An attacker can cause the server to receive messages in a different order than they were sent a client.
16 CVE-2021-34430 326 2021-07-08 2021-07-12
5.0
None Remote Low Not required Partial None None
Eclipse TinyDTLS through 0.9-rc1 relies on the rand function in the C library, which makes it easier for remote attackers to compute the master key and then decrypt DTLS traffic.
17 CVE-2021-32496 326 2021-06-28 2021-07-02
3.5
None Remote Medium ??? Partial None None
SICK Visionary-S CX up version 5.21.2.29154R are vulnerable to an Inadequate Encryption Strength vulnerability concerning the internal SSH interface solely used by SICK for recovering returned devices. The use of weak ciphers make it easier for an attacker to break the security that protects information transmitted from the client to the SSH server, assuming the attacker has access to the network on which the device is connected. This can increase the risk that encryption will be compromised, leading to the exposure of sensitive user information and man-in-the-middle attacks.
18 CVE-2021-32066 326 Bypass 2021-08-01 2021-10-18
5.8
None Remote Medium Not required Partial Partial None
An issue was discovered in Ruby through 2.6.7, 2.7.x through 2.7.3, and 3.x through 3.0.1. Net::IMAP does not raise an exception when StartTLS fails with an an unknown response, which might allow man-in-the-middle attackers to bypass the TLS protections by leveraging a network position between the client and the registry to block the StartTLS command, aka a "StartTLS stripping attack."
19 CVE-2021-31898 326 2021-05-11 2021-05-20
5.0
None Remote Low Not required Partial None None
In JetBrains WebStorm before 2021.1, HTTP requests were used instead of HTTPS.
20 CVE-2021-31798 326 2021-09-02 2021-09-10
1.9
None Local Medium Not required Partial None None
The effective key space used to encrypt the cache in CyberArk Credential Provider prior to 12.1 has low entropy, and under certain conditions a local malicious user can obtain the plaintext of cache files.
21 CVE-2021-31796 326 2021-09-02 2021-09-10
5.0
None Remote Low Not required Partial None None
An inadequate encryption vulnerability discovered in CyberArk Credential Provider before 12.1 may lead to Information Disclosure. An attacker may realistically have enough information that the number of possible keys (for a credential file) is only one, and the number is usually not higher than 2^36.
22 CVE-2021-31615 326 2021-06-25 2021-07-01
2.9
None Local Network Medium Not required None None Partial
Unencrypted Bluetooth Low Energy baseband links in Bluetooth Core Specifications 4.0 through 5.2 may permit an adjacent device to inject a crafted packet during the receive window of the listening device before the transmitting device initiates its packet transmission to achieve full MITM status without terminating the link. When applied against devices establishing or using encrypted links, crafted packets may be used to terminate an existing link, but will not compromise the confidentiality or integrity of the link.
23 CVE-2021-29794 326 2021-07-12 2021-07-14
5.0
None Remote Low Not required Partial None None
IBM Tivoli Netcool/Impact 7.1.0.20 and 7.1.0.21 uses an insecure SSH server configuration which enables weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 203556.
24 CVE-2021-29694 326 2021-04-26 2021-04-26
5.0
None Remote Low Not required Partial None None
IBM Spectrum Protect Plus 10.1.0 through 10.1.7 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 200258.
25 CVE-2021-28213 326 2021-06-11 2021-06-29
5.0
None Remote Low Not required Partial None None
Example EDK2 encrypted private key in the IpSecDxe.efi present potential security risks.
26 CVE-2021-27885 326 2021-03-02 2021-03-18
6.8
None Remote Medium Not required Partial Partial Partial
usersettings.php in e107 through 2.3.0 lacks a certain e_TOKEN protection mechanism.
27 CVE-2021-27457 326 2021-05-20 2021-06-01
5.0
None Remote Low Not required Partial None None
A vulnerability has been found in multiple revisions of Emerson Rosemount X-STREAM Gas Analyzer. The affected products utilize a weak encryption algorithm for storage of sensitive data, which may allow an attacker to more easily obtain credentials used for access.
28 CVE-2021-27450 326 2021-03-25 2021-03-29
4.6
None Local Low Not required Partial Partial Partial
SSH server configuration file does not implement some best practices. This could lead to a weakening of the SSH protocol strength, which could lead to additional misconfiguration or be leveraged as part of a larger attack on the MU320E (all firmware versions prior to v04A00.1).
29 CVE-2021-27200 326 2021-06-11 2021-06-23
7.5
None Remote Low Not required Partial Partial Partial
In WoWonder 3.0.4, remote attackers can take over any account due to the weak cryptographic algorithm in recover.php. The code parameter is easily predicted from the time of day.
30 CVE-2021-25392 326 2021-06-11 2021-06-16
2.1
None Local Low Not required Partial None None
Improper protection of backup path configuration in Samsung Dex prior to SMR MAY-2021 Release 1 allows local attackers to get sensitive information via changing the path.
31 CVE-2021-24020 326 Bypass 2021-07-09 2021-07-12
7.5
None Remote Low Not required Partial Partial Partial
A missing cryptographic step in the implementation of the hash digest algorithm in FortiMail 6.4.0 through 6.4.4, and 6.2.0 through 6.2.7 may allow an unauthenticated attacker to tamper with signed URLs by appending further data which allows bypass of signature verification.
32 CVE-2021-23982 326 2021-03-31 2021-08-06
4.3
None Remote Medium Not required None Partial None
Using techniques that built on the slipstream research, a malicious webpage could have scanned both an internal network's hosts as well as services running on the user's local machine utilizing WebRTC connections. This vulnerability affects Firefox ESR < 78.9, Firefox < 87, and Thunderbird < 78.9.
33 CVE-2021-23839 326 2021-02-16 2021-10-20
4.3
None Remote Medium Not required None Partial None
OpenSSL 1.0.2 supports SSLv2. If a client attempts to negotiate SSLv2 with a server that is configured to support both SSLv2 and more recent SSL and TLS versions then a check is made for a version rollback attack when unpadding an RSA signature. Clients that support SSL or TLS versions greater than SSLv2 are supposed to use a special form of padding. A server that supports greater than SSLv2 is supposed to reject connection attempts from a client where this special form of padding is present, because this indicates that a version rollback has occurred (i.e. both client and server support greater than SSLv2, and yet this is the version that is being requested). The implementation of this padding check inverted the logic so that the connection attempt is accepted if the padding is present, and rejected if it is absent. This means that such as server will accept a connection if a version rollback attack has occurred. Further the server will erroneously reject a connection if a normal SSLv2 connection attempt is made. Only OpenSSL 1.0.2 servers from version 1.0.2s to 1.0.2x are affected by this issue. In order to be vulnerable a 1.0.2 server must: 1) have configured SSLv2 support at compile time (this is off by default), 2) have configured SSLv2 support at runtime (this is off by default), 3) have configured SSLv2 ciphersuites (these are not in the default ciphersuite list) OpenSSL 1.1.1 does not have SSLv2 support and therefore is not vulnerable to this issue. The underlying error is in the implementation of the RSA_padding_check_SSLv23() function. This also affects the RSA_SSLV23_PADDING padding mode used by various other functions. Although 1.1.1 does not support SSLv2 the RSA_padding_check_SSLv23() function still exists, as does the RSA_SSLV23_PADDING padding mode. Applications that directly call that function or use that padding mode will encounter this issue. However since there is no support for the SSLv2 protocol in 1.1.1 this is considered a bug and not a security issue in that version. OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.0.2y (Affected 1.0.2s-1.0.2x).
34 CVE-2021-23126 326 2021-03-04 2021-03-05
5.0
None Remote Low Not required Partial None None
An issue was discovered in Joomla! 3.2.0 through 3.9.24. Usage of the insecure rand() function within the process of generating the 2FA secret.
35 CVE-2021-21507 326 2021-04-30 2021-05-10
5.0
None Remote Low Not required Partial None None
Dell EMC Networking X-Series firmware versions prior to 3.0.1.8 and Dell EMC PowerEdge VRTX Switch Module firmware versions prior to 2.0.0.82 contain a Weak Password Encryption Vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability, leading to the disclosure of certain user credentials. The attacker may be able to use the exposed credentials to access the vulnerable system with privileges of the compromised account.
36 CVE-2021-21387 326 2021-03-19 2021-03-25
5.0
None Remote Low Not required Partial None None
Wrongthink peer-to-peer, end-to-end encrypted messenger with PeerJS and Axolotl ratchet. In wrongthink from version 2.0.0 and before 2.3.0 there was a set of vulnerabilities causing inadequate encryption strength. Part of the secret identity key was disclosed by the fingerprint used for connection. Additionally, the safety number was improperly calculated. It was computed using part of one of the public identity keys instead of being derived from both public identity keys. This caused issues in computing safety numbers which would potentially be exploitable in the real world. Additionally there was inadequate encryption strength due to use of 1024-bit DSA keys. These issues are all fixed in version 2.3.0.
37 CVE-2021-20369 326 2021-07-13 2021-07-14
4.3
None Remote Medium Not required Partial None None
IBM Cloud Pak for Applications 4.3 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 195361.
38 CVE-2021-20360 326 2021-07-13 2021-07-14
5.0
None Remote Low Not required Partial None None
IBM Cloud Pak for Applications 4.3 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 195031.
39 CVE-2021-20337 326 2021-07-26 2021-08-04
5.0
None Remote Low Not required Partial None None
IBM QRadar SIEM 7.3.0 to 7.3.3 Patch 8 and 7.4.0 to 7.4.3 GA uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 194448.
40 CVE-2021-3789 326 +Info 2021-11-12 2021-11-16
2.1
None Local Low Not required Partial None None
An information disclosure vulnerability was reported in some Motorola-branded Binatone Hubble Cameras that could allow an attacker with physical access to obtain the encryption key used to decrypt firmware update packages.
41 CVE-2021-3680 326 2021-08-04 2021-08-11
4.0
None Remote Low ??? None Partial None
showdoc is vulnerable to Missing Cryptographic Step
42 CVE-2020-36250 326 Bypass 2021-02-19 2021-07-21
2.1
None Local Low Not required Partial None None
In the ownCloud application before 2.15 for Android, the lock protection mechanism can be bypassed by moving the system date/time into the past.
43 CVE-2020-36201 326 2021-01-26 2021-07-21
5.0
None Remote Low Not required Partial None None
An issue was discovered in certain Xerox WorkCentre products. They do not properly encrypt passwords. This affects 3655, 3655i, 58XX, 58XXi 59XX, 59XXi, 6655, 6655i, 72XX, 72XXi 78XX, 78XXi, 7970, 7970i, EC7836, and EC7856 devices.
44 CVE-2020-29658 326 2021-03-05 2021-07-21
7.5
None Remote Low Not required Partial Partial Partial
Zoho ManageEngine Application Control Plus before 100523 has an insecure SSL configuration setting for Nginx, leading to Privilege Escalation.
45 CVE-2020-29063 326 2020-11-24 2021-07-21
5.0
None Remote Low Not required Partial None None
An issue was discovered on CDATA 72408A, 9008A, 9016A, 92408A, 92416A, 9288, 97016, 97024P, 97028P, 97042P, 97084P, 97168P, FD1002S, FD1104, FD1104B, FD1104S, FD1104SN, FD1108S, FD1204S-R2, FD1204SN, FD1204SN-R2, FD1208S-R2, FD1216S-R1, FD1608GS, FD1608SN, FD1616GS, FD1616SN, and FD8000 devices. A custom encryption algorithm is used to store encrypted passwords. This algorithm will XOR the password with the hardcoded *j7a(L#yZ98sSd5HfSgGjMj8;Ss;d)(*&^#@$a2s0i3g value.
46 CVE-2020-27998 326 2020-10-29 2021-07-21
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered in FastReport before 2020.4.0. It lacks a ScriptSecurity feature and therefore may mishandle (for example) GetType, typeof, TypeOf, DllImport, LoadLibrary, and GetProcAddress.
47 CVE-2020-27408 326 2020-12-04 2021-07-21
5.0
None Remote Low Not required Partial None None
OpenSIS Community Edition through 7.6 is affected by incorrect access controls for the file ResetUserInfo.php that allow an unauthenticated attacker to change the password of arbitrary users.
48 CVE-2020-27208 326 2021-05-21 2021-05-28
4.6
None Local Low Not required Partial Partial Partial
The flash read-out protection (RDP) level is not enforced during the device initialization phase of the SoloKeys Solo 4.0.0 & Somu and the Nitrokey FIDO2 token. This allows an adversary to downgrade the RDP level and access secrets such as private ECC keys from SRAM via the debug interface.
49 CVE-2020-27184 326 2021-05-14 2021-05-24
4.3
None Remote Medium Not required Partial None None
The NPort IA5000A Series devices use Telnet as one of the network device management services. Telnet does not support the encryption of client-server communications, making it vulnerable to Man-in-the-Middle attacks.
50 CVE-2020-27181 326 2020-10-27 2021-07-21
6.4
None Remote Low Not required Partial Partial None
A hardcoded AES key in CipherUtils.java in the Java applet of konzept-ix publiXone before 2020.015 allows attackers to craft password-reset tokens or decrypt server-side configuration files.
Total number of vulnerabilities : 268   Page : 1 (This Page)2 3 4 5 6
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.