Monthly
A weakness has been identified in La Nacion App 10.2.25 on Android.
Authentication bypass in TaleLin Lin-CMS up to version 0.6.0 allows remote attackers to manipulate username and password arguments in the /tests/config.py Tests Folder component, potentially exposing credentials stored in the configuration file. The attack requires high complexity and has been publicly disclosed, but exploitation is considered difficult with an EPSS score of 0.04% indicating very low real-world exploitation probability.
A vulnerability was found in SGAI Space1 NAS N1211DS up to 1.0.915. This issue affects the function GET_FACTORY_INFO/GET_USER_INFO of the file /cgi-bin/JSONAPI of the component gsaiagent. The manipulation results in unprotected storage of credentials. The attack can be launched remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
A weakness has been identified in Intelbras UnniTI 24.07.11. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A security vulnerability has been detected in Intelbras ICIP 2.0.20. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Hard-coded credentials in Tenda RP3 Pro firmware (versions up to 22.5.7.93) allow local high-privilege attackers to bypass authentication during firmware updates via the force_upgrade.sh script. Public exploit code exists on GitHub. CVSS 7.0 (High) reflects local access requirement with high privileges, making this a lower real-world priority despite the severity rating - exploitation requires an attacker to already have administrative console access to the device.
A vulnerability was found in Tomofun Furbo 360 and Furbo Mini. The affected element is an unknown function of the component Root Account Handler. Performing manipulation results in use of hard-coded password. The attack must be initiated from a local position. The attack is considered to have high complexity. The exploitability is described as difficult. The exploit has been made public and could be used. The firmware versions determined to be affected are Furbo 360 up to FB0035_FW_036 and Furbo Mini up to MC0020_FW_074. The vendor was contacted early about this disclosure but did not respond in any way.
A vulnerability has been found in Zytec Dalian Zhuoyun Technology Central Authentication Service 3. Affected by this vulnerability is an unknown functionality of the file /index.php/auth/Ops/git of the component HTTP Header Handler. The manipulation of the argument Authorization leads to use of hard-coded password. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
A vulnerability was identified in Cudy LT500E up to 2.3.12. Rated low severity (CVSS 2.0). Public exploit code available and no vendor patch available.
A vulnerability was found in Teledyne FLIR FB-Series O and FLIR FH-Series ID 1.3.2.16. It has been classified as problematic. This affects an unknown part. The manipulation leads to use of hard-coded password. It is possible to initiate the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
A weakness has been identified in La Nacion App 10.2.25 on Android.
Authentication bypass in TaleLin Lin-CMS up to version 0.6.0 allows remote attackers to manipulate username and password arguments in the /tests/config.py Tests Folder component, potentially exposing credentials stored in the configuration file. The attack requires high complexity and has been publicly disclosed, but exploitation is considered difficult with an EPSS score of 0.04% indicating very low real-world exploitation probability.
A vulnerability was found in SGAI Space1 NAS N1211DS up to 1.0.915. This issue affects the function GET_FACTORY_INFO/GET_USER_INFO of the file /cgi-bin/JSONAPI of the component gsaiagent. The manipulation results in unprotected storage of credentials. The attack can be launched remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
A weakness has been identified in Intelbras UnniTI 24.07.11. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A security vulnerability has been detected in Intelbras ICIP 2.0.20. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Hard-coded credentials in Tenda RP3 Pro firmware (versions up to 22.5.7.93) allow local high-privilege attackers to bypass authentication during firmware updates via the force_upgrade.sh script. Public exploit code exists on GitHub. CVSS 7.0 (High) reflects local access requirement with high privileges, making this a lower real-world priority despite the severity rating - exploitation requires an attacker to already have administrative console access to the device.
A vulnerability was found in Tomofun Furbo 360 and Furbo Mini. The affected element is an unknown function of the component Root Account Handler. Performing manipulation results in use of hard-coded password. The attack must be initiated from a local position. The attack is considered to have high complexity. The exploitability is described as difficult. The exploit has been made public and could be used. The firmware versions determined to be affected are Furbo 360 up to FB0035_FW_036 and Furbo Mini up to MC0020_FW_074. The vendor was contacted early about this disclosure but did not respond in any way.
A vulnerability has been found in Zytec Dalian Zhuoyun Technology Central Authentication Service 3. Affected by this vulnerability is an unknown functionality of the file /index.php/auth/Ops/git of the component HTTP Header Handler. The manipulation of the argument Authorization leads to use of hard-coded password. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
A vulnerability was identified in Cudy LT500E up to 2.3.12. Rated low severity (CVSS 2.0). Public exploit code available and no vendor patch available.
A vulnerability was found in Teledyne FLIR FB-Series O and FLIR FH-Series ID 1.3.2.16. It has been classified as problematic. This affects an unknown part. The manipulation leads to use of hard-coded password. It is possible to initiate the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.