5 results (0.007 seconds)

CVSS: 7.5EPSS: 0%CPEs: 18EXPL: 0

Insecure Permissions vulnerability in Connectivity Standards Alliance Matter Official SDK v.1.1.0.0 , Nanoleaf Light strip v.3.5.10, Govee LED Strip v.3.00.42, switchBot Hub2 v.1.0-0.8, Phillips hue hub v.1.59.1959097030, and yeelight smart lamp v.1.12.69 allows a remote attacker to cause a denial of service via a crafted script to the KeySetRemove function. Vulnerabilidad de permisos inseguros en Connectivity Standards Alliance Matter Official SDK v.1.1.0.0, Nanoleaf Light strip v.3.5.10, Govee LED Strip v.3.00.42, switchBot Hub2 v.1.0-0.8, Phillips hue hub v.1.59.1959097030 y yeelight smart lamp v.1.12.69 permite que un atacante remoto provoque una denegación de servicio mediante un script manipulado para la función KeySetRemove. • https://github.com/IoT-Fuzz/IoT-Fuzz/blob/main/Remove%20Key%20Set%20Vulnerability%20Report.pdf https://github.com/project-chip/connectedhomeip/issues/28518 https://github.com/project-chip/connectedhomeip/issues/28679 • CWE-732: Incorrect Permission Assignment for Critical Resource •

CVSS: 2.4EPSS: 0%CPEs: 22EXPL: 0

Philips Gemini PET/CT family software stores sensitive information in a removable media device that does not have built-in access control. El software de la familia Philips Gemini PET/CT, almacena información confidencial en un dispositivo de medios extraíbles que no presenta un control de acceso incorporado • https://www.cisa.gov/uscert/ics/advisories/icsma-21-084-01 https://www.philips.com/productsecurity • CWE-921: Storage of Sensitive Data in a Mechanism without Access Control CWE-922: Insecure Storage of Sensitive Information •

CVSS: 6.8EPSS: 0%CPEs: 10EXPL: 0

Multiple cross-site request forgery (CSRF) vulnerabilities in the User Protect module 5.x before 5.x-1.4 and 6.x before 6.x-1.3, a module for Drupal, allow remote attackers to hijack the authentication of administrators for requests that (1) delete the editing protection of a user or (2) delete a certain type of administrative-bypass rule. Múltiples vulnerabilidades de falsificación de petición en sitios cruzados (CSRF) en el módulo User Protect v5.x anteriores a v5.x-1.4 y v6.x anteriores a v6.x-1.3, módulo para Drupal, permite a atacantes remotos secuestrar la autenticación de los administradores para peticiones que (1) elimine la protección de edición de un usuario y (2) elimine ciertos tipos de reglas de prevención de administración. • http://drupal.org/node/623162 http://drupal.org/node/623180 http://drupal.org/node/623186 http://osvdb.org/59692 http://secunia.com/advisories/37283 http://www.securityfocus.com/bid/36922 https://exchange.xforce.ibmcloud.com/vulnerabilities/54145 • CWE-352: Cross-Site Request Forgery (CSRF) •

CVSS: 6.8EPSS: 0%CPEs: 8EXPL: 0

Unspecified vulnerability in LoginToboggan 6.x-1.x before 6.x-1.5, a module for Drupal, when "Allow users to login using their e-mail address" is enabled, allows remote blocked users to bypass intended access restrictions via unspecified vectors. Vulnerabilidad sin especificar en el módulo para Drupal LoginToboggan v6.x-1.x anterior a v6.x-1.5, cuando "Se permite el login de usuarios usando la dirección de correo electrónico", permite a usuarios remotos bloqueados evitar las restricciones de acceso a través de vectores no especificados. • http://drupal.org/node/461662 http://drupal.org/node/461682 http://secunia.com/advisories/35081 http://www.osvdb.org/54428 http://www.securityfocus.com/bid/34945 http://www.vupen.com/english/advisories/2009/1312 • CWE-264: Permissions, Privileges, and Access Controls •

CVSS: 5.0EPSS: 0%CPEs: 2EXPL: 0

The person-to-person secure messaging feature in Sticker before 3.1.0 beta 2 allows remote attackers to post messages to unauthorized private groups by using the group's public encryption key. • http://securitytracker.com/id?1011580 http://www.osvdb.org/10662 http://www.securityfocus.com/bid/11333 http://www.tickertape.org/projects/sticker/release_notes-3.1.0b2.html https://exchange.xforce.ibmcloud.com/vulnerabilities/17664 •