TLS versions 1.0 and 1.1 are affected by a large number of protocol and implementation vulnerabilities that have been published by security researchers in the last two decades.
Attacks like ROBOT affected the RSA key exchange algorithm, while LogJam and WeakDH showed that many TLS servers could be tricked into using incorrect parameters for other key exchange methods. Compromising a key exchange allows attackers to completely compromise network security and decrypt conversations.
Attacks on symmetric ciphers, such as BEAST or Lucky13, have demonstrated that various ciphers supported in TLS 1.2 and earlier, with examples including RC4 or CBC-mode ciphers, are not secure.
Even signatures were affected, with Bleichenbacher’s RSA signature forgery attack and other similar padding attacks.
Most of these attacks have been mitigated in TLS 1.2 (provided that TLS instances are configured correctly), even though TLS 1.2 is still vulnerable to downgrade attacks, such as POODLE, FREAK, or CurveSwap. This is due to the fact that all versions of the TLS protocol prior to 1.3 don’t protect the handshake negotiation (which decides the protocol version that will be used throughout the exchange).