Common Weakness Enumeration

CWE-924

Allowed

Improper Enforcement of Message Integrity During Transmission in a Communication Channel

Abstraction: Base · Status: Incomplete

The product establishes a communication channel with an endpoint and receives a message from that endpoint, but it does not sufficiently ensure that the message was not modified during transmission.

50 vulnerabilities reference this CWE, most recent first.

GHSA-3VPG-MWGF-4JVJ

Vulnerability from github – Published: 2022-03-04 00:00 – Updated: 2022-03-17 00:04
VLAI
Details

A flaw was found in nbdkit due to to improperly caching plaintext state across the STARTTLS encryption boundary. A MitM attacker could use this flaw to inject a plaintext NBD_OPT_STRUCTURED_REPLY before proxying everything else a client sends to the server, potentially leading the client to terminate the NBD session. The highest threat from this vulnerability is to system availability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-3716"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-924"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-03-02T23:15:00Z",
    "severity": "LOW"
  },
  "details": "A flaw was found in nbdkit due to to improperly caching plaintext state across the STARTTLS encryption boundary. A MitM attacker could use this flaw to inject a plaintext NBD_OPT_STRUCTURED_REPLY before proxying everything else a client sends to the server, potentially leading the client to terminate the NBD session. The highest threat from this vulnerability is to system availability.",
  "id": "GHSA-3vpg-mwgf-4jvj",
  "modified": "2022-03-17T00:04:00Z",
  "published": "2022-03-04T00:00:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3716"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1994695"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/nbdkit/nbdkit/-/commit/09a13dafb7bb3a38ab52eb5501cba786365ba7fd"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/nbdkit/nbdkit/-/commit/6c5faac6a37077cf2366388a80862bb00616d0d8"
    },
    {
      "type": "WEB",
      "url": "https://listman.redhat.com/archives/libguestfs/2021-August/msg00083.html"
    },
    {
      "type": "WEB",
      "url": "https://www.openwall.com/lists/oss-security/2021/08/18/2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-42JH-6QQC-G99M

Vulnerability from github – Published: 2024-08-06 18:30 – Updated: 2024-08-12 21:31
VLAI
Details

An issue in GL-iNet products AR750/AR750S/AR300M/AR300M16/MT300N-V2/B1300/MT1300/SFT1200/X750 v4.3.11, MT3000/MT2500/AXT1800/AX1800/A1300/X300B v4.5.16, XE300 v4.3.16, E750 v4.3.12, AP1300/S1300 v4.3.13, XE3000/X3000 v4, and B2200/MV1000/MV1000W/USB150/N300/SF1200 v3.216 allows attackers to intercept communications via a man-in-the-middle attack when DDNS clients are reporting data to the server.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-39229"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-924"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-08-06T17:15:54Z",
    "severity": "MODERATE"
  },
  "details": "An issue in GL-iNet products AR750/AR750S/AR300M/AR300M16/MT300N-V2/B1300/MT1300/SFT1200/X750 v4.3.11, MT3000/MT2500/AXT1800/AX1800/A1300/X300B v4.5.16, XE300 v4.3.16, E750 v4.3.12, AP1300/S1300 v4.3.13, XE3000/X3000 v4, and B2200/MV1000/MV1000W/USB150/N300/SF1200 v3.216 allows attackers to intercept communications via a man-in-the-middle attack when DDNS clients are reporting data to the server.",
  "id": "GHSA-42jh-6qqc-g99m",
  "modified": "2024-08-12T21:31:32Z",
  "published": "2024-08-06T18:30:57Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39229"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gl-inet/CVE-issues/blob/main/4.0.0/DDNS%20data%20is%20not%20encrypted.md"
    },
    {
      "type": "WEB",
      "url": "http://ar750ar750sar300mar300m16mt300n-v2b1300mt1300sft1200x750.com"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4QWG-3CM6-6646

Vulnerability from github – Published: 2023-10-31 12:30 – Updated: 2023-11-08 18:30
VLAI
Details

LINE@ for Android version 1.0.0 and LINE@ for iOS version 1.0.0 are vulnerable to MITM (man-in-the-middle) attack since the application allows non-SSL/TLS communications. As a result, any API may be invoked from a script injected by a MITM (man-in-the-middle) attacker.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2015-2968"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-924"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-10-31T10:15:08Z",
    "severity": "MODERATE"
  },
  "details": "LINE@ for Android version 1.0.0 and LINE@ for iOS version 1.0.0 are vulnerable to MITM (man-in-the-middle) attack since the application allows non-SSL/TLS communications. As a result, any API may be invoked from a script injected by a MITM (man-in-the-middle) attacker.",
  "id": "GHSA-4qwg-3cm6-6646",
  "modified": "2023-11-08T18:30:30Z",
  "published": "2023-10-31T12:30:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-2968"
    },
    {
      "type": "WEB",
      "url": "https://jvn.jp/en/jp/JVN22546110"
    },
    {
      "type": "WEB",
      "url": "http://official-blog.line.me/ja/archives/36495925.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-55JC-FJ8G-2W6J

Vulnerability from github – Published: 2026-07-01 09:30 – Updated: 2026-07-01 09:30
VLAI
Details

DVP80ES3 with Improper Enforcement of Message Integrity During Transmission in a Communication Channel vulnerability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-12576"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-924"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-07-01T08:16:21Z",
    "severity": "HIGH"
  },
  "details": "DVP80ES3 with Improper Enforcement of Message Integrity During Transmission in a Communication Channel vulnerability.",
  "id": "GHSA-55jc-fj8g-2w6j",
  "modified": "2026-07-01T09:30:25Z",
  "published": "2026-07-01T09:30:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-12576"
    },
    {
      "type": "WEB",
      "url": "https://filecenter.deltaww.com/news/download/doc/Delta-PCSA-2026-00009_DVP80ES3%20Multiple%20Vulnerabilities_v1%20(CVE-2026-12575,%2012576,%2012577).pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5CRJ-P3WQ-23W2

Vulnerability from github – Published: 2022-02-25 00:01 – Updated: 2022-03-05 00:00
VLAI
Details

Simulation models for KUKA.Sim Pro version 3.1 are hosted by a server maintained by KUKA. When these devices request a model, the server transmits the model in plaintext.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-10635"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-924"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-02-24T19:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Simulation models for KUKA.Sim Pro version 3.1 are hosted by a server maintained by KUKA. When these devices request a model, the server transmits the model in plaintext.",
  "id": "GHSA-5crj-p3wq-23w2",
  "modified": "2022-03-05T00:00:58Z",
  "published": "2022-02-25T00:01:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-10635"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-20-098-05"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-5Q3J-G5R8-6RFG

Vulnerability from github – Published: 2025-01-17 12:30 – Updated: 2025-01-17 12:30
VLAI
Details

CWE-924: Improper Enforcement of Message Integrity During Transmission in a Communication Channel vulnerability exists that could cause partial loss of confidentiality, loss of integrity and availability of the HMI when attacker performs man in the middle attack by intercepting the communication.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-12399"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-924"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-01-17T10:15:06Z",
    "severity": "MODERATE"
  },
  "details": "CWE-924: Improper Enforcement of Message Integrity During Transmission in a Communication Channel vulnerability\nexists that could cause partial loss of confidentiality, loss of integrity and availability of the HMI when attacker performs\nman in the middle attack by intercepting the communication.",
  "id": "GHSA-5q3j-g5r8-6rfg",
  "modified": "2025-01-17T12:30:40Z",
  "published": "2025-01-17T12:30:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-12399"
    },
    {
      "type": "WEB",
      "url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2025-014-02\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2025-014-02.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-788J-V5XM-H2MQ

Vulnerability from github – Published: 2023-05-25 09:30 – Updated: 2024-04-04 04:20
VLAI
Details

Channel Accessible by Non-Endpoint vulnerability in CBOT Chatbot allows Adversary in the Middle (AiTM).This issue affects Chatbot: before Core: v4.0.3.4 Panel: v4.0.3.7.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-2885"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-300",
      "CWE-924"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-05-25T09:15:12Z",
    "severity": "HIGH"
  },
  "details": "Channel Accessible by Non-Endpoint vulnerability in CBOT Chatbot allows Adversary in the Middle (AiTM).This issue affects Chatbot: before Core: v4.0.3.4 Panel: v4.0.3.7.\n\n",
  "id": "GHSA-788j-v5xm-h2mq",
  "modified": "2024-04-04T04:20:20Z",
  "published": "2023-05-25T09:30:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2885"
    },
    {
      "type": "WEB",
      "url": "https://www.usom.gov.tr/bildirim/tr-23-0293"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7GF3-3V44-PWM2

Vulnerability from github – Published: 2022-05-24 16:58 – Updated: 2024-04-04 02:12
VLAI
Details

An issue was discovered in the RENPHO application 3.0.0 for iOS. It transmits JSON data unencrypted to a server without an integrity check, if a user changes personal data in his profile tab (e.g., exposure of his birthday) or logs into his account (i.e., exposure of credentials).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-14808"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-319",
      "CWE-924"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-10-09T16:15:00Z",
    "severity": "MODERATE"
  },
  "details": "An issue was discovered in the RENPHO application 3.0.0 for iOS. It transmits JSON data unencrypted to a server without an integrity check, if a user changes personal data in his profile tab (e.g., exposure of his birthday) or logs into his account (i.e., exposure of credentials).",
  "id": "GHSA-7gf3-3v44-pwm2",
  "modified": "2024-04-04T02:12:28Z",
  "published": "2022-05-24T16:58:14Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-14808"
    },
    {
      "type": "WEB",
      "url": "https://apps.apple.com/us/app/renpho/id1219889310"
    },
    {
      "type": "WEB",
      "url": "https://renpho.com/pages/contact-us"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/154772/RENPHO-3.0.0-Information-Disclosure.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-82XM-JWXQ-4436

Vulnerability from github – Published: 2025-07-25 18:30 – Updated: 2026-02-25 18:31
VLAI
Details

An issue in Gardyn 4 allows a remote attacker to obtain sensitive information and execute arbitrary code via a request

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-29628"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-77",
      "CWE-924"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-07-25T17:15:31Z",
    "severity": "HIGH"
  },
  "details": "An issue in Gardyn 4 allows a remote attacker to obtain sensitive information and execute arbitrary code via a request",
  "id": "GHSA-82xm-jwxq-4436",
  "modified": "2026-02-25T18:31:27Z",
  "published": "2025-07-25T18:30:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-29628"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mselbrede/gardyn/blob/main/CVE-2025-29628_CVE-2025-29631.md"
    },
    {
      "type": "WEB",
      "url": "https://mygardyn.com/blog/security-update"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-055-03"
    },
    {
      "type": "WEB",
      "url": "http://gardyn.com"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9XM2-C28X-G93R

Vulnerability from github – Published: 2023-10-31 12:30 – Updated: 2023-11-08 18:30
VLAI
Details

LINE for Android version 5.0.2 and earlier and LINE for iOS version 5.0.0 and earlier are vulnerable to MITM (man-in-the-middle) attack since the application allows non-SSL/TLS communications. As a result, any API may be invoked from a script injected by a MITM (man-in-the-middle) attacker.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2015-0897"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-924"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-10-31T10:15:08Z",
    "severity": "MODERATE"
  },
  "details": "LINE for Android version 5.0.2 and earlier and LINE for iOS version 5.0.0 and earlier are vulnerable to MITM (man-in-the-middle) attack since the application allows non-SSL/TLS communications. As a result, any API may be invoked from a script injected by a MITM (man-in-the-middle) attacker.",
  "id": "GHSA-9xm2-c28x-g93r",
  "modified": "2023-11-08T18:30:30Z",
  "published": "2023-10-31T12:30:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-0897"
    },
    {
      "type": "WEB",
      "url": "https://jvn.jp/en/jp/JVN41281927"
    },
    {
      "type": "WEB",
      "url": "http://official-blog.line.me/ja/archives/24809761.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

No mitigation information available for this CWE.

No CAPEC attack patterns related to this CWE.