With CVE-2019-5456 I found a security vulnerability in Unifi Controller which enabled an attacker to catch emails sent by the controller even if the TLS should have been enforced. The attack was possible as the controller didn’t validate the server side certificate. Even worse the connection could be downgraded to plaintext if the server didn’t […]