SEPPmail Secure Email Gateway before version 15.0.3 allows attackers to forge GINA-encrypted emails, compromising email authenticity and potentially enabling spoofing attacks. The vulnerability affects all versions prior to 15.0.3 and was reported by NCSC.ch. No CVSS score is available, and exploitation status has not been independently confirmed at time of analysis.
A cryptographic vulnerability in the jsrsasign JavaScript library allows attackers to recover DSA private keys through invalid signatures. Versions before 11.1.1 fail to validate and retry when DSA signature parameters r or s become zero during the signing process, enabling mathematical recovery of the private key from the malformed signature. A proof-of-concept exploit is available (https://gist.github.com/Kr0emer/93789fe6efe5519db9692d4ad1dad586), and the CVSS score of 8.7 with Proof-of-concept Exploitation status indicates active research interest.
5G Fixed Wireless Access Platform Firmware versions up to - contain a vulnerability: a cryptographic issue when a VoWiFi call is triggered from UE (CVSS 7.2).
Issue summary: When using the low-level OCB API directly with AES-NI or other hardware-accelerated code paths, inputs whose length is not a multiple of 16 bytes can leave the final partial block unencrypted and unauthenticated. Impact summary: The trailing 1-15 bytes of a message may be exposed in cleartext on encryption and are not covered by the authentication tag, allowing an attacker to read or tamper with those bytes without detection. The low-level OCB encrypt and decrypt routines in the hardware-accelerated stream path process full 16-byte blocks but do not advance the input/output pointers. [CVSS 4.0 MEDIUM]
Deno versions up to 2.6.0 contain a vulnerability that allows attackers to have infinite encryptions (CVSS 7.5).
Missing cryptographic step in Windows Kerberos allows an unauthorized attacker to elevate privileges over a network. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable and requires no authentication. No vendor patch available.
The Bastion provides authentication, authorization, traceability and auditability for SSH accesses. Rated medium severity (CVSS 4.4), this vulnerability has low attack complexity. No vendor patch available.
ZF FROST is a Rust implementation of FROST (Flexible Round-Optimised Schnorr Threshold signatures). Rated medium severity (CVSS 6.0), this vulnerability is remotely exploitable with low attack complexity. No vendor patch available.
A security vulnerability in MbedTLS 3.3.0 (CVSS 4.9). Remediation should follow standard vulnerability management procedures.
A security vulnerability in RLPx 5 (CVSS 3.4). Remediation should follow standard vulnerability management procedures.