Esp Security Vulnerabilities
ESP-IDF is the development framework for Espressif SoCs supported on Windows, Linux and macOS. A Time-of-Check to Time-of-Use (TOCTOU) vulnerability was discovered in the implementation of the ESP-IDF bootloader which could allow an attacker with physical access to flash of the device to bypass...
6.1CVSS
6.6AI Score
0.0004EPSS
The authentication mechanism can be bypassed by overflowing the value of the Cookie "authentication" field, provided there is an active user...
9.8CVSS
9.5AI Score
0.001EPSS
Authenticated user can execute arbitrary commands in the context of the root user by providing payload in the "destination" field of the network test tools. This is similar to the vulnerability CVE-2021-28151 mitigated on the user interface level by blacklisting characters with JavaScript,...
8.8CVSS
8.9AI Score
0.964EPSS
An XSS attack can be performed by changing the MOTD banner and pointing the victim to the "terminal_tool.cgi" path. It can be used together with the vulnerability...
6.1CVSS
7.5AI Score
0.001EPSS
An authenticated user is able to upload an arbitrary CGI-compatible file using the certificate upload utility and execute it with the root user...
8.8CVSS
8.7AI Score
0.001EPSS
The router console is accessible without authentication at "data" field, and while a user needs to be logged in in order to modify the configuration, the session state is shared. If any other user is currently logged in, the anonymous user can execute commands in the context of the authenticated...
9.8CVSS
6.7AI Score
0.001EPSS
The authentication cookies are generated using an algorithm based on the username, hardcoded secret and the up-time, and can be guessed in a reasonable...
7.5CVSS
7.6AI Score
0.001EPSS
User browser may be forced to execute JavaScript and pass the authentication cookie to the attacker leveraging the XSS vulnerability located at "/gui/terminal_tool.cgi" in the "data"...
6.1CVSS
6.2AI Score
0.0005EPSS
The "tokenKey" value used in user authorization is visible in the HTML source of the login...
7.5CVSS
7.4AI Score
0.001EPSS
It is possible to download the configuration backup without authorization and decrypt included passwords using hardcoded static...
7.5CVSS
7.5AI Score
0.001EPSS
Root user password is hardcoded into the device and cannot be changed in the user...
9.8CVSS
9.4AI Score
0.001EPSS
Galaxy Software Services Corporation Vitals ESP is an online knowledge base management portal, it has insufficient filtering and validation during file upload. An authenticated remote attacker with general user privilege can exploit this vulnerability to upload and execute scripts onto arbitrary...
8.8CVSS
8.7AI Score
0.001EPSS
Galaxy Software Services Vitals ESP is vulnerable to using a hard-coded encryption key. An unauthenticated remote attacker can generate a valid token parameter and exploit this vulnerability to access system to operate processes and access data. This issue affects Vitals ESP: from 3.0.8 through...
9.8CVSS
9.4AI Score
0.001EPSS
An issue was discovered on Espressif ESP32 3.0 (ESP32_rev300 ROM) devices. An EMFI attack on ECO3 provides the attacker with a capability to influence the PC value at the CPU context level, regardless of Secure Boot and Flash Encryption status. By using this capability, the attacker can exploit...
6.8CVSS
6.6AI Score
0.0005EPSS
ESPv2 is a service proxy that provides API management capabilities using Google Service Infrastructure. ESPv2 2.20.0 through 2.42.0 contains an authentication bypass vulnerability. API clients can craft a malicious X-HTTP-Method-Override header value to bypass JWT authentication in specific cases.....
9.8CVSS
9.4AI Score
0.001EPSS
Vitals ESP upload function has a path traversal vulnerability. A remote attacker with general user privilege can exploit this vulnerability to access arbitrary system...
6.5CVSS
6.5AI Score
0.001EPSS
ESP-IDF is the official development framework for Espressif SoCs. In Espressif’s Bluetooth Mesh SDK (ESP-BLE-MESH), a memory corruption vulnerability can be triggered during provisioning, because there is no check for the SegN field of the Transaction Start PDU. This can result in memory...
8.8CVSS
8.7AI Score
0.001EPSS
Extensible Service Proxy, a.k.a. ESP is a proxy which enables API management capabilities for JSON/REST or gRPC API services. ESPv1 can be configured to authenticate a JWT token. Its verified JWT claim is passed to the application by HTTP header "X-Endpoint-API-UserInfo", the application can use...
6.4CVSS
5.5AI Score
0.001EPSS
The Bluetooth Classic implementation in Espressif ESP-IDF 4.4 and earlier does not properly restrict the Feature Page upon reception of an LMP Feature Response Extended packet, allowing attackers in radio range to trigger arbitrary code execution in ESP32 via a crafted Extended Features bitfield...
8.8CVSS
8.7AI Score
0.001EPSS
The Bluetooth Classic implementation in Espressif ESP-IDF 4.4 and earlier does not properly handle the reception of continuous unsolicited LMP responses, allowing attackers in radio range to trigger a denial of service (crash) in ESP32 by flooding the target device with LMP Feature Response...
6.5CVSS
6.5AI Score
0.001EPSS
The Bluetooth Classic implementation in Espressif ESP-IDF 4.4 and earlier does not properly handle the reception of multiple LMP IO Capability Request packets during the pairing process, allowing attackers in radio range to trigger memory corruption (and consequently a crash) in ESP32 via a...
6.5CVSS
6.5AI Score
0.001EPSS
Espressif ESP-IDF 2.x, 3.0.x through 3.0.9, 3.1.x through 3.1.7, 3.2.x through 3.2.3, 3.3.x through 3.3.2, and 4.0.x through 4.0.1 has a Buffer Overflow in BluFi provisioning in btc_blufi_recv_handler function in blufi_prf.c. An attacker can send a crafted BluFi protocol Write Attribute command to....
7.5CVSS
7.7AI Score
0.002EPSS
The Bluetooth Low Energy (BLE) controller implementation in Espressif ESP-IDF 4.2 and earlier (for ESP32 devices) does not properly restrict the channel map field of the connection request packet on reception, allowing attackers in radio range to cause a denial of service (crash) via a crafted...
6.5CVSS
6.2AI Score
0.001EPSS
The Bluetooth Low Energy (BLE) controller implementation in Espressif ESP-IDF 4.0 through 4.2 (for ESP32 devices) returns the wrong number of completed BLE packets and triggers a reachable assertion on the host stack when receiving a packet with an MIC failure. An attacker within radio range can...
6.5CVSS
6.3AI Score
0.001EPSS
An encryption-bypass issue was discovered on Espressif ESP-IDF devices through 4.2, ESP8266_NONOS_SDK devices through 3.0.3, and ESP8266_RTOS_SDK devices through 3.3. Broadcasting forged beacon frames forces a device to change its authentication mode to OPEN, effectively disabling its 802.11...
6.8CVSS
6.7AI Score
0.001EPSS
An issue was discovered in Espressif ESP-IDF 2.x, 3.0.x through 3.0.9, 3.1.x through 3.1.6, 3.2.x through 3.2.3, and 3.3.x through 3.3.1. An attacker who uses fault injection to physically disrupt the ESP32 CPU can bypass the Secure Boot digest verification at startup, and boot unverified code...
6.8CVSS
7.1AI Score
0.001EPSS
The EAP peer implementation in Espressif ESP-IDF 2.0.0 through 4.0.0 and ESP8266_NONOS_SDK 2.2.0 through 3.1.0 processes EAP Success messages before any EAP method completion or failure, which allows attackers in radio range to cause a denial of service (crash) via a crafted...
6.5CVSS
6.4AI Score
0.001EPSS
The EAP peer implementation in Espressif ESP-IDF 2.0.0 through 4.0.0 and ESP8266_NONOS_SDK 2.2.0 through 3.1.0 allows the installation of a zero Pairwise Master Key (PMK) after the completion of any EAP authentication method, which allows attackers in radio range to replay, decrypt, or spoof...
8.1CVSS
8AI Score
0.001EPSS
An issue was discovered in Espressif ESP-IDF 2.x and 3.x before 3.0.6 and 3.1.x before 3.1.1. Insufficient validation of input data in the 2nd stage bootloader allows a physically proximate attacker to bypass secure boot checks and execute arbitrary code, by crafting an application binary that...
6.4CVSS
6.7AI Score
0.001EPSS
An authenticated attacker can execute arbitrary code using command ejection in Eltex ESP-200 firmware version...
8.8CVSS
8.8AI Score
0.001EPSS
An attacker without authentication can login with default credentials for privileged users in Eltex ESP-200 firmware version...
7.3CVSS
7.3AI Score
0.001EPSS
An authenticated attacker with low privileges can activate high privileged user and use it to expand attack surface in Eltex ESP-200 firmware version...
8.8CVSS
8.2AI Score
0.001EPSS
An authenticated attacker with low privileges can extract password hash information for all users in Eltex ESP-200 firmware version...
6.5CVSS
6.4AI Score
0.001EPSS
An authenticated attacker with low privileges can use insecure sudo configuration to expand attack surface in Eltex ESP-200 firmware version...
8.8CVSS
8.4AI Score
0.001EPSS
SQL injection vulnerability in ConnX ESP HR Management 4.4.0 allows remote attackers to execute arbitrary SQL commands via the ctl00$cphMainContent$txtUserName parameter to...
9.8CVSS
9.9AI Score
0.001EPSS
Cross-site scripting (XSS) vulnerability in the management interface in Microsoft FAST ESP 5.1.5 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified...
5.8AI Score
0.009EPSS