CWE-924
AllowedImproper Enforcement of Message Integrity During Transmission in a Communication Channel
Abstraction: Base · Status: Incomplete
The product establishes a communication channel with an endpoint and receives a message from that endpoint, but it does not sufficiently ensure that the message was not modified during transmission.
50 vulnerabilities reference this CWE, most recent first.
GHSA-3VPG-MWGF-4JVJ
Vulnerability from github – Published: 2022-03-04 00:00 – Updated: 2022-03-17 00:04A flaw was found in nbdkit due to to improperly caching plaintext state across the STARTTLS encryption boundary. A MitM attacker could use this flaw to inject a plaintext NBD_OPT_STRUCTURED_REPLY before proxying everything else a client sends to the server, potentially leading the client to terminate the NBD session. The highest threat from this vulnerability is to system availability.
{
"affected": [],
"aliases": [
"CVE-2021-3716"
],
"database_specific": {
"cwe_ids": [
"CWE-924"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-03-02T23:15:00Z",
"severity": "LOW"
},
"details": "A flaw was found in nbdkit due to to improperly caching plaintext state across the STARTTLS encryption boundary. A MitM attacker could use this flaw to inject a plaintext NBD_OPT_STRUCTURED_REPLY before proxying everything else a client sends to the server, potentially leading the client to terminate the NBD session. The highest threat from this vulnerability is to system availability.",
"id": "GHSA-3vpg-mwgf-4jvj",
"modified": "2022-03-17T00:04:00Z",
"published": "2022-03-04T00:00:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3716"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1994695"
},
{
"type": "WEB",
"url": "https://gitlab.com/nbdkit/nbdkit/-/commit/09a13dafb7bb3a38ab52eb5501cba786365ba7fd"
},
{
"type": "WEB",
"url": "https://gitlab.com/nbdkit/nbdkit/-/commit/6c5faac6a37077cf2366388a80862bb00616d0d8"
},
{
"type": "WEB",
"url": "https://listman.redhat.com/archives/libguestfs/2021-August/msg00083.html"
},
{
"type": "WEB",
"url": "https://www.openwall.com/lists/oss-security/2021/08/18/2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-42JH-6QQC-G99M
Vulnerability from github – Published: 2024-08-06 18:30 – Updated: 2024-08-12 21:31An issue in GL-iNet products AR750/AR750S/AR300M/AR300M16/MT300N-V2/B1300/MT1300/SFT1200/X750 v4.3.11, MT3000/MT2500/AXT1800/AX1800/A1300/X300B v4.5.16, XE300 v4.3.16, E750 v4.3.12, AP1300/S1300 v4.3.13, XE3000/X3000 v4, and B2200/MV1000/MV1000W/USB150/N300/SF1200 v3.216 allows attackers to intercept communications via a man-in-the-middle attack when DDNS clients are reporting data to the server.
{
"affected": [],
"aliases": [
"CVE-2024-39229"
],
"database_specific": {
"cwe_ids": [
"CWE-924"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-08-06T17:15:54Z",
"severity": "MODERATE"
},
"details": "An issue in GL-iNet products AR750/AR750S/AR300M/AR300M16/MT300N-V2/B1300/MT1300/SFT1200/X750 v4.3.11, MT3000/MT2500/AXT1800/AX1800/A1300/X300B v4.5.16, XE300 v4.3.16, E750 v4.3.12, AP1300/S1300 v4.3.13, XE3000/X3000 v4, and B2200/MV1000/MV1000W/USB150/N300/SF1200 v3.216 allows attackers to intercept communications via a man-in-the-middle attack when DDNS clients are reporting data to the server.",
"id": "GHSA-42jh-6qqc-g99m",
"modified": "2024-08-12T21:31:32Z",
"published": "2024-08-06T18:30:57Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39229"
},
{
"type": "WEB",
"url": "https://github.com/gl-inet/CVE-issues/blob/main/4.0.0/DDNS%20data%20is%20not%20encrypted.md"
},
{
"type": "WEB",
"url": "http://ar750ar750sar300mar300m16mt300n-v2b1300mt1300sft1200x750.com"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-4QWG-3CM6-6646
Vulnerability from github – Published: 2023-10-31 12:30 – Updated: 2023-11-08 18:30LINE@ for Android version 1.0.0 and LINE@ for iOS version 1.0.0 are vulnerable to MITM (man-in-the-middle) attack since the application allows non-SSL/TLS communications. As a result, any API may be invoked from a script injected by a MITM (man-in-the-middle) attacker.
{
"affected": [],
"aliases": [
"CVE-2015-2968"
],
"database_specific": {
"cwe_ids": [
"CWE-924"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-10-31T10:15:08Z",
"severity": "MODERATE"
},
"details": "LINE@ for Android version 1.0.0 and LINE@ for iOS version 1.0.0 are vulnerable to MITM (man-in-the-middle) attack since the application allows non-SSL/TLS communications. As a result, any API may be invoked from a script injected by a MITM (man-in-the-middle) attacker.",
"id": "GHSA-4qwg-3cm6-6646",
"modified": "2023-11-08T18:30:30Z",
"published": "2023-10-31T12:30:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2015-2968"
},
{
"type": "WEB",
"url": "https://jvn.jp/en/jp/JVN22546110"
},
{
"type": "WEB",
"url": "http://official-blog.line.me/ja/archives/36495925.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-55JC-FJ8G-2W6J
Vulnerability from github – Published: 2026-07-01 09:30 – Updated: 2026-07-01 09:30DVP80ES3 with Improper Enforcement of Message Integrity During Transmission in a Communication Channel vulnerability.
{
"affected": [],
"aliases": [
"CVE-2026-12576"
],
"database_specific": {
"cwe_ids": [
"CWE-924"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-01T08:16:21Z",
"severity": "HIGH"
},
"details": "DVP80ES3 with Improper Enforcement of Message Integrity During Transmission in a Communication Channel vulnerability.",
"id": "GHSA-55jc-fj8g-2w6j",
"modified": "2026-07-01T09:30:25Z",
"published": "2026-07-01T09:30:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-12576"
},
{
"type": "WEB",
"url": "https://filecenter.deltaww.com/news/download/doc/Delta-PCSA-2026-00009_DVP80ES3%20Multiple%20Vulnerabilities_v1%20(CVE-2026-12575,%2012576,%2012577).pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-5CRJ-P3WQ-23W2
Vulnerability from github – Published: 2022-02-25 00:01 – Updated: 2022-03-05 00:00Simulation models for KUKA.Sim Pro version 3.1 are hosted by a server maintained by KUKA. When these devices request a model, the server transmits the model in plaintext.
{
"affected": [],
"aliases": [
"CVE-2020-10635"
],
"database_specific": {
"cwe_ids": [
"CWE-924"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-02-24T19:15:00Z",
"severity": "MODERATE"
},
"details": "Simulation models for KUKA.Sim Pro version 3.1 are hosted by a server maintained by KUKA. When these devices request a model, the server transmits the model in plaintext.",
"id": "GHSA-5crj-p3wq-23w2",
"modified": "2022-03-05T00:00:58Z",
"published": "2022-02-25T00:01:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-10635"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-20-098-05"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-5Q3J-G5R8-6RFG
Vulnerability from github – Published: 2025-01-17 12:30 – Updated: 2025-01-17 12:30CWE-924: Improper Enforcement of Message Integrity During Transmission in a Communication Channel vulnerability exists that could cause partial loss of confidentiality, loss of integrity and availability of the HMI when attacker performs man in the middle attack by intercepting the communication.
{
"affected": [],
"aliases": [
"CVE-2024-12399"
],
"database_specific": {
"cwe_ids": [
"CWE-924"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-17T10:15:06Z",
"severity": "MODERATE"
},
"details": "CWE-924: Improper Enforcement of Message Integrity During Transmission in a Communication Channel vulnerability\nexists that could cause partial loss of confidentiality, loss of integrity and availability of the HMI when attacker performs\nman in the middle attack by intercepting the communication.",
"id": "GHSA-5q3j-g5r8-6rfg",
"modified": "2025-01-17T12:30:40Z",
"published": "2025-01-17T12:30:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-12399"
},
{
"type": "WEB",
"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2025-014-02\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2025-014-02.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-788J-V5XM-H2MQ
Vulnerability from github – Published: 2023-05-25 09:30 – Updated: 2024-04-04 04:20Channel Accessible by Non-Endpoint vulnerability in CBOT Chatbot allows Adversary in the Middle (AiTM).This issue affects Chatbot: before Core: v4.0.3.4 Panel: v4.0.3.7.
{
"affected": [],
"aliases": [
"CVE-2023-2885"
],
"database_specific": {
"cwe_ids": [
"CWE-300",
"CWE-924"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-05-25T09:15:12Z",
"severity": "HIGH"
},
"details": "Channel Accessible by Non-Endpoint vulnerability in CBOT Chatbot allows Adversary in the Middle (AiTM).This issue affects Chatbot: before Core: v4.0.3.4 Panel: v4.0.3.7.\n\n",
"id": "GHSA-788j-v5xm-h2mq",
"modified": "2024-04-04T04:20:20Z",
"published": "2023-05-25T09:30:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2885"
},
{
"type": "WEB",
"url": "https://www.usom.gov.tr/bildirim/tr-23-0293"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-7GF3-3V44-PWM2
Vulnerability from github – Published: 2022-05-24 16:58 – Updated: 2024-04-04 02:12An issue was discovered in the RENPHO application 3.0.0 for iOS. It transmits JSON data unencrypted to a server without an integrity check, if a user changes personal data in his profile tab (e.g., exposure of his birthday) or logs into his account (i.e., exposure of credentials).
{
"affected": [],
"aliases": [
"CVE-2019-14808"
],
"database_specific": {
"cwe_ids": [
"CWE-319",
"CWE-924"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-10-09T16:15:00Z",
"severity": "MODERATE"
},
"details": "An issue was discovered in the RENPHO application 3.0.0 for iOS. It transmits JSON data unencrypted to a server without an integrity check, if a user changes personal data in his profile tab (e.g., exposure of his birthday) or logs into his account (i.e., exposure of credentials).",
"id": "GHSA-7gf3-3v44-pwm2",
"modified": "2024-04-04T02:12:28Z",
"published": "2022-05-24T16:58:14Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-14808"
},
{
"type": "WEB",
"url": "https://apps.apple.com/us/app/renpho/id1219889310"
},
{
"type": "WEB",
"url": "https://renpho.com/pages/contact-us"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/154772/RENPHO-3.0.0-Information-Disclosure.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-82XM-JWXQ-4436
Vulnerability from github – Published: 2025-07-25 18:30 – Updated: 2026-02-25 18:31An issue in Gardyn 4 allows a remote attacker to obtain sensitive information and execute arbitrary code via a request
{
"affected": [],
"aliases": [
"CVE-2025-29628"
],
"database_specific": {
"cwe_ids": [
"CWE-77",
"CWE-924"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-25T17:15:31Z",
"severity": "HIGH"
},
"details": "An issue in Gardyn 4 allows a remote attacker to obtain sensitive information and execute arbitrary code via a request",
"id": "GHSA-82xm-jwxq-4436",
"modified": "2026-02-25T18:31:27Z",
"published": "2025-07-25T18:30:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-29628"
},
{
"type": "WEB",
"url": "https://github.com/mselbrede/gardyn/blob/main/CVE-2025-29628_CVE-2025-29631.md"
},
{
"type": "WEB",
"url": "https://mygardyn.com/blog/security-update"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-055-03"
},
{
"type": "WEB",
"url": "http://gardyn.com"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-9XM2-C28X-G93R
Vulnerability from github – Published: 2023-10-31 12:30 – Updated: 2023-11-08 18:30LINE for Android version 5.0.2 and earlier and LINE for iOS version 5.0.0 and earlier are vulnerable to MITM (man-in-the-middle) attack since the application allows non-SSL/TLS communications. As a result, any API may be invoked from a script injected by a MITM (man-in-the-middle) attacker.
{
"affected": [],
"aliases": [
"CVE-2015-0897"
],
"database_specific": {
"cwe_ids": [
"CWE-924"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-10-31T10:15:08Z",
"severity": "MODERATE"
},
"details": "LINE for Android version 5.0.2 and earlier and LINE for iOS version 5.0.0 and earlier are vulnerable to MITM (man-in-the-middle) attack since the application allows non-SSL/TLS communications. As a result, any API may be invoked from a script injected by a MITM (man-in-the-middle) attacker.",
"id": "GHSA-9xm2-c28x-g93r",
"modified": "2023-11-08T18:30:30Z",
"published": "2023-10-31T12:30:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2015-0897"
},
{
"type": "WEB",
"url": "https://jvn.jp/en/jp/JVN41281927"
},
{
"type": "WEB",
"url": "http://official-blog.line.me/ja/archives/24809761.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.