Improper Verification of Cryptographic Signature

The product does not verify, or incorrectly verifies, the cryptographic signature for data.

CVEs (675)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2023-40178 1Node Saml Project 1Node Saml Nov 21, 2024 Aug 23, 2023 N/A· v4 5.3 MEDIUM· v3 N/A· v2 Node-SAML is a SAML library not dependent on any frameworks that runs in Node. The lack of checking of current timestamp allows a LogoutRequest XML to be reused multiple times even when the current time is past the NotOn...Show more Node-SAML is a SAML library not dependent on any frameworks that runs in Node. The lack of checking of current timestamp allows a LogoutRequest XML to be reused multiple times even when the current time is past the NotOnOrAfter. This could impact the user where they would be logged out from an expired LogoutRequest. In bigger contexts, if LogoutRequests are sent out in mass to different SPs, this could impact many users on a large scale. This issue was patched in version 4.0.5. Show less
CVE-2021-43171 1E.foundation 1App Lounge Nov 21, 2024 Aug 22, 2023 N/A· v4 6.5 MEDIUM· v3 N/A· v2 Improper verification of applications' cryptographic signatures in the /e/OS app store client App Lounge before 0.19q allows attackers in control of the application server to install malicious applications on user's syst...Show more Improper verification of applications' cryptographic signatures in the /e/OS app store client App Lounge before 0.19q allows attackers in control of the application server to install malicious applications on user's systems by altering the server's API response.Show less
CVE-2023-39393 1Huawei 2Emui Harmonyos Nov 21, 2024 Aug 13, 2023 N/A· v4 7.5 HIGH· v3 N/A· v2 Vulnerability of insecure signatures in the ServiceWifiResources module. Successful exploitation of this vulnerability may cause ServiceWifiResources to be maliciously modified and overwritten.
CVE-2023-39392 1Huawei 2Emui Harmonyos Nov 21, 2024 Aug 13, 2023 N/A· v4 7.5 HIGH· v3 N/A· v2 Vulnerability of insecure signatures in the OsuLogin module. Successful exploitation of this vulnerability may cause OsuLogin to be maliciously modified and overwritten.
CVE-2023-40012 1Trailofbits 1Uthenticode Nov 21, 2024 Aug 9, 2023 N/A· v4 7.5 HIGH· v3 N/A· v2 uthenticode is a small cross-platform library for partially verifying Authenticode digital signatures. Versions of uthenticode prior to the 2.x series did not check Extended Key Usages in certificates, in violation of th...Show more uthenticode is a small cross-platform library for partially verifying Authenticode digital signatures. Versions of uthenticode prior to the 2.x series did not check Extended Key Usages in certificates, in violation of the Authenticode X.509 certificate profile. As a result, a malicious user could produce a "signed" PE file that uthenticode would verify and consider valid using an X.509 certificate that isn't entitled to produce code signatures (e.g., a SSL certificate). By design, uthenticode does not perform full-chain validation. However, the absence of EKU validation was an unintended oversight. The 2.0.0 release series includes EKU checks. There are no workarounds to this vulnerability.Show less
CVE-2023-39969 1Trailofbits 1Uthenticode Nov 21, 2024 Aug 9, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 uthenticode is a small cross-platform library for partially verifying Authenticode digital signatures. Version 1.0.9 of uthenticode hashed the entire file rather than hashing sections by virtual address, in violation of...Show more uthenticode is a small cross-platform library for partially verifying Authenticode digital signatures. Version 1.0.9 of uthenticode hashed the entire file rather than hashing sections by virtual address, in violation of the Authenticode specification. As a result, an attacker could modify code within a binary without changing its Authenticode hash, making it appear valid from uthenticode's perspective. Versions of uthenticode prior to 1.0.9 are not vulnerable to this attack, nor are versions in the 2.x series. By design, uthenticode does not perform full-chain validation. However, the malleability of signature verification introduced in 1.0.9 was an unintended oversight. The 2.x series addresses the vulnerability. Versions prior to 1.0.9 are also not vulnerable, but users are encouraged to upgrade rather than downgrade. There are no workarounds to this vulnerability.Show less
CVE-2023-39211 1Zoom 2Rooms Zoom Nov 21, 2024 Aug 8, 2023 N/A· v4 7.8 HIGH· v3 N/A· v2 Improper privilege management in Zoom Desktop Client for Windows and Zoom Rooms for Windows before 5.15.5 may allow an authenticated user to enable an information disclosure via local access.
CVE-2023-38418 1F5 2Access Policy Manager Clients Big Ip Access Policy Manager Nov 21, 2024 Aug 2, 2023 N/A· v4 7.8 HIGH· v3 N/A· v2 The BIG-IP Edge Client Installer on macOS does not follow best practices for elevating privileges during the installation process. Note: Software versions which have reached End of Technical Support (EoTS) are not eval...Show more The BIG-IP Edge Client Installer on macOS does not follow best practices for elevating privileges during the installation process. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.Show less
CVE-2023-3347 3Fedoraproject RedhatSamba 4Enterprise Linux FedoraSamba+1 more Dec 6, 2024 Jul 20, 2023 N/A· v4 5.9 MEDIUM· v3 N/A· v2 A vulnerability was found in Samba's SMB2 packet signing mechanism. The SMB2 packet signing is not enforced if an admin configured "server signing = required" or for SMB2 connections to Domain Controllers where SMB2 pack...Show more A vulnerability was found in Samba's SMB2 packet signing mechanism. The SMB2 packet signing is not enforced if an admin configured "server signing = required" or for SMB2 connections to Domain Controllers where SMB2 packet signing is mandatory. This flaw allows an attacker to perform attacks, such as a man-in-the-middle attack, by intercepting the network traffic and modifying the SMB2 messages between client and server, affecting the integrity of the data.Show less
CVE-2023-33768 1Belkin 1Wemo Smart Plug Wsp080 Firmware Nov 21, 2024 Jul 13, 2023 N/A· v4 6.5 MEDIUM· v3 N/A· v2 Incorrect signature verification of the firmware during the Device Firmware Update process of Belkin Wemo Smart Plug WSP080 v1.2 allows attackers to cause a Denial of Service (DoS) via a crafted firmware file.
CVE-2023-35373 1Microsoft 1Mono Nov 21, 2024 Jul 11, 2023 N/A· v4 5.3 MEDIUM· v3 N/A· v2 Mono Authenticode Validation Spoofing Vulnerability
CVE-2023-32449 1Dell 1Powerstoret Os Nov 21, 2024 Jun 22, 2023 N/A· v4 7.8 HIGH· v3 N/A· v2 Dell PowerStore versions prior to 3.5 contain an improper verification of cryptographic signature vulnerability. An attacker can trick a high privileged user to install a malicious binary by bypassing the existing crypt...Show more Dell PowerStore versions prior to 3.5 contain an improper verification of cryptographic signature vulnerability. An attacker can trick a high privileged user to install a malicious binary by bypassing the existing cryptographic signature checks Show less
CVE-2023-34120 1Zoom 1Virtual Desktop Infrastructure Nov 21, 2024 Jun 13, 2023 N/A· v4 7.8 HIGH· v3 N/A· v2 Improper privilege management in Zoom for Windows, Zoom Rooms for Windows, and Zoom VDI for Windows clients before 5.14.0 may allow an authenticated user to potentially enable an escalation of privilege via local access...Show more Improper privilege management in Zoom for Windows, Zoom Rooms for Windows, and Zoom VDI for Windows clients before 5.14.0 may allow an authenticated user to potentially enable an escalation of privilege via local access. Users may potentially utilize higher level system privileges maintained by the Zoom client to spawn processes with escalated privileges.Show less
CVE-2023-28602 1Zoom 1Zoom Nov 21, 2024 Jun 13, 2023 N/A· v4 7.7 HIGH· v3 N/A· v2 Zoom for Windows clients prior to 5.13.5 contain an improper verification of cryptographic signature vulnerability. A malicious user may potentially downgrade Zoom Client components to previous versions.
CVE-2023-33959 1Notaryproject 1Notation Go Nov 21, 2024 Jun 6, 2023 N/A· v4 8.8 HIGH· v3 N/A· v2 notation is a CLI tool to sign and verify OCI artifacts and container images. An attacker who has compromised a registry can cause users to verify the wrong artifact. The problem has been fixed in the release v1.0.0-rc.6...Show more notation is a CLI tool to sign and verify OCI artifacts and container images. An attacker who has compromised a registry can cause users to verify the wrong artifact. The problem has been fixed in the release v1.0.0-rc.6. Users should upgrade their notation-go library to v1.0.0-rc.6 or above. Users unable to upgrade may restrict container registries to a set of secure and trusted container registries.Show less
CVE-2023-34205 1Moov 1Signedxml Jan 10, 2025 May 30, 2023 N/A· v4 9.1 CRITICAL· v3 N/A· v2 In Moov signedxml through 1.0.0, parsing the raw XML (as received) can result in different output than parsing the canonicalized XML. Thus, signature validation can be bypassed via a Signature Wrapping attack (aka XSW).
CVE-2023-33185 1Django Ses Project 1Django Ses Nov 21, 2024 May 26, 2023 N/A· v4 5.4 MEDIUM· v3 N/A· v2 Django-SES is a drop-in mail backend for Django. The django_ses library implements a mail backend for Django using AWS Simple Email Service. The library exports the `SESEventWebhookView class` intended to receive signed...Show more Django-SES is a drop-in mail backend for Django. The django_ses library implements a mail backend for Django using AWS Simple Email Service. The library exports the `SESEventWebhookView class` intended to receive signed requests from AWS to handle email bounces, subscriptions, etc. These requests are signed by AWS and are verified by django_ses, however the verification of this signature was found to be flawed as it allowed users to specify arbitrary public certificates. This issue was patched in version 3.5.0.Show less
CVE-2022-4418 1Acronis 1Cyber Protect Home Office Nov 21, 2024 May 18, 2023 N/A· v4 7.8 HIGH· v3 N/A· v2 Local privilege escalation due to unrestricted loading of unsigned libraries. The following products are affected: Acronis Cyber Protect Home Office (Windows) before build 40208.
CVE-2023-25934 1Dell 1Elastic Cloud Storage Jan 29, 2025 May 4, 2023 N/A· v4 7.5 HIGH· v3 N/A· v2 DELL ECS prior to 3.8.0.2 contains an improper verification of cryptographic signature vulnerability. A network attacker with an ability to intercept the request could potentially exploit this vulnerability to modify th...Show more DELL ECS prior to 3.8.0.2 contains an improper verification of cryptographic signature vulnerability. A network attacker with an ability to intercept the request could potentially exploit this vulnerability to modify the body data of the request. Show less
CVE-2023-1204 1Gitlab 1Gitlab Jan 30, 2025 May 3, 2023 N/A· v4 4.3 MEDIUM· v3 N/A· v2 An issue has been discovered in GitLab CE/EE affecting all versions starting from 10.1 before 15.10.8, all versions starting from 15.11 before 15.11.7, all versions starting from 16.0 before 16.0.2. A user could use an u...Show more An issue has been discovered in GitLab CE/EE affecting all versions starting from 10.1 before 15.10.8, all versions starting from 15.11 before 15.11.7, all versions starting from 16.0 before 16.0.2. A user could use an unverified email as a public email and commit email by sending a specifically crafted request on user update settings.Show less

Previous 1...161718...34 Next