A huge number of protocol and implementation flaws have been reported by security researchers in the last two decades that affect TLS versions 1.0 and 1.1. Attacks such as ROBOT had an impact on the RSA key exchange algorithm, while LogJam and WeakDH demonstrated that many TLS servers might be misled into providing erroneous parameters for alternative key exchange techniques. Attackers can totally compromise network security and decrypt talks by compromising a key exchange.
Various cyphers allowed in TLS 1.2 and earlier, such as RC4 or CBC-mode cyphers, have been proved to be insecure by attacks on symmetric cyphers such as BEAST or Lucky13.
With Bleichenbacher’s RSA signature forging attack and other related padding attacks, even signatures were vulnerable.
Even though TLS 1.2 is still vulnerable to downgrade attacks like POODLE, FREAK, or CurveSwap, the majority of these attacks have been neutralised in TLS 1.2 (assuming that TLS instances are configured correctly). Because all versions of the TLS protocol before to 1.3 do not safeguard the handshake negotiation, this is the case (which decides the protocol version that will be used throughout the exchange).