Common Weakness Enumeration

CWE-297

Allowed

Improper Validation of Certificate with Host Mismatch

Abstraction: Variant · Status: Incomplete

The product communicates with a host that provides a certificate, but the product does not properly ensure that the certificate is actually associated with that host.

101 vulnerabilities reference this CWE, most recent first.

GHSA-XWF9-WF96-C767

Vulnerability from github – Published: 2026-06-16 03:30 – Updated: 2026-06-16 15:33
VLAI
Details

Improper host validation in the social login autofill feature in Devolutions Remote Desktop Manager 2026.2.8 allows an attacker to disclose stored social login credentials via a crafted web entry pointing to a provider lookalike domain.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-12162"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-297"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-16T01:16:23Z",
    "severity": "MODERATE"
  },
  "details": "Improper host validation in the social login autofill feature in \nDevolutions Remote Desktop Manager 2026.2.8 allows an attacker to \ndisclose stored social login credentials via a crafted web entry \npointing to a provider lookalike domain.",
  "id": "GHSA-xwf9-wf96-c767",
  "modified": "2026-06-16T15:33:47Z",
  "published": "2026-06-16T03:30:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-12162"
    },
    {
      "type": "WEB",
      "url": "https://devolutions.net/security/advisories/DEVO-2026-0018"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

Fully check the hostname of the certificate and provide the user with adequate information about the nature of the problem and how to proceed.

Mitigation
Implementation

If certificate pinning is being used, ensure that all relevant properties of the certificate are fully validated before the certificate is pinned, including the hostname.

No CAPEC attack patterns related to this CWE.