Medium
CVSS: 5.0
Yayın: 2025-01-23 18:15:33
Directus is a real-time API and App dashboard for managing SQL database content. Prior to version 11.2.0, when sharing an item, a typical user can specify an arbitrary role. It allows the user to use a higher-privileged role to see fields that otherw…
Low
CVSS: 3.2
Yayın: 2025-01-23 18:15:33
Himmelblau is an interoperability suite for Microsoft Azure Entra ID and Intune. Starting in version 0.7.0 and prior to versions 0.7.15 and 0.8.3, Himmelblau is vulnerable to leaking credentials in debug logs. When debug logging is enabled, user acce…
High
CVSS: 7.5
Yayın: 2025-01-23 18:15:33
@fastify/multipart is a Fastify plugin for parsing the multipart content-type. Prior to versions 8.3.1 and 9.0.3, the `saveRequestFiles` function does not delete the uploaded temporary files when user cancels the request. The issue is fixed in versio…
Medium
CVSS: 6.4
Yayın: 2025-01-23 18:15:33
IBM Tivoli Application Dependency Discovery Manager 7.3.0.0 through 7.3.0.11 is vulnerable to stored cross-site scripting. This vulnerability allows authenticated users to embed arbitrary JavaScript code in the Web UI thus altering the intended funct…
High
CVSS: 7.9
Yayın: 2025-01-23 18:15:33
RestrictedPython is a tool that helps to define a subset of the Python language which allows to provide a program input into a trusted environment. Via a type confusion bug in versions of the CPython interpreter starting in 3.11 and prior to 3.13.2 w…
Medium
CVSS: 6.7
Yayın: 2025-01-23 18:15:32
Xerox Workplace Suite has weak default folder permissions that allow unauthorized users to access, modify, or delete files
Medium
CVSS: 5.3
Yayın: 2025-01-23 18:15:32
A mail spoofing vulnerability in Xerox Workplace Suite allows attackers to forge email headers, making it appear as though messages are sent from trusted sources.
Medium
CVSS: 6.5
Yayın: 2025-01-23 18:15:32
Xerox Workplace Suite exposes sensitive secrets in clear text, both locally and remotely. This vulnerability allows attackers to intercept or access secrets without encryption
High
CVSS: 7.6
Yayın: 2025-01-23 18:15:31
A vulnerability in Xerox Workplace Suite arises from flawed token generation and the use of hard-coded keys. These weaknesses allow attackers to predict or forge tokens, leading to unauthorized access to sensitive functions.
High
CVSS: 7.6
Yayın: 2025-01-23 18:15:31
A vulnerability found in Xerox Workplace Suite allows arbitrary file read, upload, and deletion on the server through crafted header manipulation. By exploiting improper validation of headers, attackers can gain unauthorized access to data
Medium
CVSS: 6.0
Yayın: 2025-01-23 18:15:30
IBM Security Verify Bridge 1.0.0 through 1.0.15 could allow a local privileged user to overwrite files due to excessive privileges granted to the agent. which could also cause a denial of service.
High
CVSS: 8.1
Yayın: 2025-01-23 17:15:22
A flaw was found in the Open Virtual Network (OVN). Specially crafted UDP packets may bypass egress access control lists (ACLs) in OVN installations configured with a logical switch with DNS records set on it and if the same switch has any egress ACL…
High
CVSS: 7.5
Yayın: 2025-01-23 17:15:15
In Xerox Workplace Suite, an API restricted to specific hosts can be bypassed by manipulating the Host header. If the server improperly validates or trusts the Host header without verifying the actual destination, an attacker can forge a value to gai…
High
CVSS: 7.7
Yayın: 2025-01-23 17:15:14
ECOVACS robot lawnmowers and vacuums use a deterministic symmetric key to decrypt firmware updates. An attacker can create and encrypt malicious firmware that will be successfully decrypted and installed by the robot.
Critical
CVSS: 9.5
Yayın: 2025-01-23 17:15:14
ECOVACS lawnmowers and vacuums do not properly validate TLS certificates. An unauthenticated attacker can read or modify TLS traffic, possibly modifying firmware updates.
Critical
CVSS: 9.5
Yayın: 2025-01-23 17:15:14
ECOVACS HOME mobile app plugins for specific robots do not properly validate TLS certificates. An unauthenticated attacker can read or modify TLS traffic and obtain authentication tokens.
Low
CVSS: 1.8
Yayın: 2025-01-23 17:15:14
ECOVACS robot lawnmowers and vacuums insecurely store audio files used to indicate that the camera is on. An attacker with access to the /data filesystem can delete or modify warning files such that users may not be aware that the camera is on.
Medium
CVSS: 6.0
Yayın: 2025-01-23 17:15:13
The cloud service used by ECOVACS robot lawnmowers and vacuums allows authenticated attackers to bypass the PIN entry required to access the live video feed.
Medium
CVSS: 4.8
Yayın: 2025-01-23 17:15:13
ECOVACS robot lawnmowers store the anti-theft PIN in cleartext on the device filesystem. An attacker can steal a lawnmower, read the PIN, and reset the anti-theft mechanism.
Medium
CVSS: 5.3
Yayın: 2025-01-23 17:15:13
ECOVACS robot lawn mowers and vacuums use a shared, static secret key to encrypt BLE GATT messages. An unauthenticated attacker within BLE range can control any robot using the same key.