Total: 833 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 |
---|---|---|---|---|
CVE-2023-51141 | 1 Zkteco | 1 Biotime | 2025-04-18 | 6.5 Medium |
An issue in ZKTeco BioTime v.8.5.4 and before allows a remote attacker to obtain sensitive information via the Authentication & Authorization component | ||||
CVE-2025-25952 | | | 2025-04-18 | 6.5 Medium |
An Insecure Direct Object References (IDOR) in the component /getStudemtAllDetailsById?studentId=XX of Serosoft Solutions Pvt Ltd Academia Student Information System (SIS) EagleR v1.0.118 allows attackers to access sensitive user information via a crafted API request. | ||||
CVE-2025-39434 | | | 2025-04-17 | 4.3 Medium |
Authorization Bypass Through User-Controlled Key vulnerability in Scott Taylor Avatar allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Avatar: from n/a through 0.1.4. | ||||
CVE-2022-34150 | 1 Micodus | 2 Mv720, Mv720 Firmware | 2025-04-16 | 7.1 High |
The main MiCODUS MV720 GPS tracker web server has an authenticated insecure direct object reference vulnerability on endpoint and parameter device IDs, which accept arbitrary device IDs without further verification. | ||||
CVE-2022-33944 | 1 Micodus | 2 Mv720, Mv720 Firmware | 2025-04-16 | 6.5 Medium |
The main MiCODUS MV720 GPS tracker web server has an authenticated insecure direct object references vulnerability on endpoint and POST parameter “Device ID,” which accepts arbitrary device IDs. | ||||
CVE-2025-31933 | | | 2025-04-16 | 5.3 Medium |
An unauthenticated attacker can check the existence of usernames in the system by querying an API. | ||||
CVE-2025-31357 | | | 2025-04-16 | 5.3 Medium |
An unauthenticated attacker can obtain a user's plant list by knowing the username. | ||||
CVE-2025-31941 | | | 2025-04-16 | 5.3 Medium |
An unauthenticated attacker can obtain a list of smart devices by knowing a valid username. | ||||
CVE-2025-27568 | | | 2025-04-16 | 5.3 Medium |
An unauthenticated attacker can get users' emails by knowing usernames. A password reset email will be sent in response to this unsolicited request. | ||||
CVE-2025-30254 | | | 2025-04-16 | 5.3 Medium |
An unauthenticated attacker can obtain a serial number of a smart meter(s) using its owner's username. | ||||
CVE-2025-27939 | | | 2025-04-16 | 7.5 High |
An attacker can change registered email addresses of other users and take over arbitrary accounts. | ||||
CVE-2025-27938 | | | 2025-04-16 | 5.3 Medium |
Unauthenticated attackers can obtain restricted information about a user's smart device collections (i.e., "rooms"). | ||||
CVE-2025-30514 | | | 2025-04-16 | 5.3 Medium |
Unauthenticated attackers can obtain restricted information about a user's smart device collections (i.e., "scenes"). | ||||
CVE-2025-31654 | | | 2025-04-16 | 5.3 Medium |
An attacker can get information about the groups of the smart home devices for arbitrary users (i.e., "rooms"). | ||||
CVE-2025-27719 | | | 2025-04-16 | 5.3 Medium |
Unauthenticated attackers can query an API endpoint and get device details. | ||||
CVE-2025-26857 | | | 2025-04-16 | 5.3 Medium |
Unauthenticated attackers can rename arbitrary devices of arbitrary users (i.e., EV chargers). | ||||
CVE-2025-31945 | | | 2025-04-16 | 5.3 Medium |
An unauthenticated attacker can obtain other users' charger information. | ||||
CVE-2025-31950 | | | 2025-04-16 | 5.3 Medium |
An unauthenticated attacker can obtain EV charger energy consumption information of other users. | ||||
CVE-2025-27575 | | | 2025-04-16 | 5.3 Medium |
An unauthenticated attacker can obtain EV charger version and firmware upgrading history by knowing the charger ID. | ||||
CVE-2025-27565 | | | 2025-04-16 | 5.3 Medium |
An unauthenticated attacker can delete any user's "rooms" by knowing the user's and room IDs. |