CVE-2025-2342 IROAD X5 Mobile App API Endpoint hard-coded credentials
A vulnerability classified as critical has been found in IROAD X5 Mobile App up to 5.2.5 on Android. Affected is an unknown function of the component API Endpoint. The manipulation leads to hard-coded credentials. It is possible to launch the attack remotely. The exploit has been disclosed to the...
CVE-2025-29995
This vulnerability exists in the CAP back office application due to a weak password-reset mechanism implemented at API endpoints. An authenticated remote attacker with a valid login ID could exploit this vulnerability through a vulnerable API endpoint, which could lead to account takeover of targete...
CVE-2025-25711
An issue in dtp.ae tNexus Airport View v.2.8 allows a remote attacker to escalate privileges via the ProfileID value to the /tnexus/rest/admin/updateUser API endpoint...
CVE-2025-29998
This vulnerability exists in the CAP back office application due to missing rate limiting on OTP requests in an API endpoint. An authenticated remote attacker could exploit this vulnerability by sending multiple OTP requests through a vulnerable API endpoint, which could lead to the OTP...
CVE-2025-29994
This vulnerability exists in the CAP back office application due to an improper authentication check at the API endpoint. An unauthenticated remote attacker with a valid login ID could exploit this vulnerability by manipulating API input parameters through the API request URL/payload, leading to...
CVE-2025-29998 No Rate Limiting Vulnerability in CAP back office application
This vulnerability exists in the CAP back office application due to missing rate limiting on OTP requests in an API endpoint. An authenticated remote attacker could exploit this vulnerability by sending multiple OTP requests through a vulnerable API endpoint, which could lead to the OTP...
CVE-2025-29998
CVE-2025-29998 affects the CAP back office application. The vulnerability arises from missing rate limiting on OTP requests in a vulnerable API endpoint, allowing an authenticated remote attacker to trigger repeated OTP requests and cause OTP bombing/flooding on the targeted system. Connected sou...
CVE-2025-29994
CVE-2025-29994 affects the CAP back office application. The root cause is an improper authentication check at an API endpoint, allowing an unauthenticated remote attacker with a valid login ID to manipulate API input parameters via URL/payload and gain unauthorized access to other user accounts. ...
CVE-2025-29994 Improper Authentication Vulnerability in CAP back office application
This vulnerability exists in the CAP back office application due to an improper authentication check at the API endpoint. An unauthenticated remote attacker with a valid login ID could exploit this vulnerability by manipulating API input parameters through the API request URL/payload, leading to...
CVE-2024-13871
CVE-2024-13871 affects Bitdefender Box 1 with firmware 1.3.11.490. The vulnerability is a command injection in the "/check_image_and_trigger_recovery" API endpoint that allows an unauthenticated, network-adjacent attacker to execute arbitrary commands, potentially enabling full remote code execut...
CVE-2025-25711
CVE-2025-25711 affects dtp.ae tNexus Airport View v2.8. A remote attacker can escalate privileges by manipulating the ProfileID value via the /tnexus/rest/admin/updateUser API endpoint. The issue is described as an elevation of privilege (ProfileID parameter misuse) with the public metrics indica...
PT-2025-17636
Name of the Vulnerable Software and Affected Versions: Tenda AC9 version 1.0 with firmware V15.03.05.14 multi Description: The security parameter of the "/goform/WifiBasicSet" API endpoint has a stack overflow vulnerability, which can lead to remote arbitrary code execution. Recommendations: For Ten...
PT-2025-11032 · Bitdefender · Bitdefender Box
Name of the Vulnerable Software and Affected Versions: Bitdefender Box 1 version 1.3.11.490 Description: A command injection vulnerability exists in the "/check_image_and_trigger_recovery" API endpoint, allowing an unauthenticated, network-adjacent attacker to execute arbitrary commands on the...
PT-2025-11033 · Bitdefender · Bitdefender Box
Name of the Vulnerable Software and Affected Versions: Bitdefender Box versions 1.3.11.490 through 1.3.11.505 Description: The issue concerns the use of the insecure HTTP protocol to download assets over the Internet for updating and restarting daemons and detection rules on devices. Updates can ...
NocoDB Vulnerable to Reflected Cross-Site Scripting on Reset Password Page
Summary The API endpoint related to the password reset function is vulnerable to Reflected Cross-Site-Scripting. Details Throughout the source-code analysis, it has been found that the endpoint /api/v1/db/auth/password/reset/:tokenId is vulnerable to Reflected Cross-Site-Scripting. The flaw occur...
CVE-2025-27506
NocoDB is affected by a Reflected Cross-Site Scripting vulnerability in the password-reset API. The endpoint /api/v1/db/auth/password/reset/:tokenId can render unescaped user input due to an insecure EJS usage in resetPassword.ts (renderPasswordReset), enabling script execution in victims' browse...