
CVSS: 4.8 • EPSS: 0% • CPEs: 2 • EXPL: 0

21 Jul 2025 — A high privileged remote attacker can gain persistent XSS via POST requests due to improper neutralization of special elements used to create dynamic content. • https://certvde.com/de/advisories/VDE-2025-058 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 5.3 • EPSS: 0% • CPEs: 2 • EXPL: 0

21 Jul 2025 — An unauthenticated remote attacker could exploit a buffer overflow vulnerability in the device causing a denial of service that affects only the network initializing wizard (Conftool) service. • https://certvde.com/de/advisories/VDE-2025-058 • CWE-787: Out-of-bounds Write

CVSS: 7.7 • EPSS: 0% • CPEs: 2 • EXPL: 0

21 Jul 2025 — A high privileged remote attacker can alter the configuration database via POST requests due to improper neutralization of special elements used in a SQL statement. • https://certvde.com/de/advisories/VDE-2025-058 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 6.1 • EPSS: 0% • CPEs: 2 • EXPL: 0

21 Jul 2025 — A high privileged remote attacker can exhaust critical system resources by sending specifically crafted POST requests to the send-mail action in fast succession. • https://certvde.com/de/advisories/VDE-2025-058 • CWE-400: Uncontrolled Resource Consumption

CVSS: 6.1 • EPSS: 0% • CPEs: 2 • EXPL: 0

21 Jul 2025 — A high privileged remote attacker can exhaust critical system resources by sending specifically crafted POST requests to the send-sms action in fast succession. • https://certvde.com/de/advisories/VDE-2025-058 • CWE-400: Uncontrolled Resource Consumption

CVSS: 8.3 • EPSS: 0% • CPEs: 2 • EXPL: 0

21 Jul 2025 — A high privileged remote attacker can execute arbitrary system commands via GET requests in the cloud server communication script due to improper neutralization of special elements used in an OS command. • https://certvde.com/de/advisories/VDE-2025-058 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CVSS: 8.3 • EPSS: 0% • CPEs: 2 • EXPL: 0

21 Jul 2025 — A high privileged remote attacker can execute arbitrary system commands via POST requests in the diagnostic action due to improper neutralization of special elements used in an OS command. • https://certvde.com/de/advisories/VDE-2025-058 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CVSS: 8.3 • EPSS: 0% • CPEs: 2 • EXPL: 0

21 Jul 2025 — A high privileged remote attacker can execute arbitrary system commands via POST requests in the send_sms action due to improper neutralization of special elements used in an OS command. • https://certvde.com/de/advisories/VDE-2025-058 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CVSS: 9.1 • EPSS: 0% • CPEs: 4 • EXPL: 0

18 Mar 2025 — An unauthenticated remote attacker can gain access to the cloud API due to a lack of authentication for a critical function in the affected devices. Availability is not affected. • https://cert.vde.com/en/advisories/VDE-2024-010 • CWE-306: Missing Authentication for Critical Function

CVSS: 7.1 • EPSS: 0% • CPEs: 4 • EXPL: 0

18 Mar 2025 — A local user may find a configuration file on the client workstation with unencrypted sensitive data. This allows an attacker to impersonate the device or prevent the device from accessing the cloud portal which leads to a DoS. • https://cert.vde.com/en/advisories/VDE-2024-010 • CWE-311: Missing Encryption of Sensitive Data