
295 matches found

Prion
added 2019/05/29 9:29 p.m. | 16 views

Improper access control

A potential improper access control vulnerability exists in the JSON-RPC interface of the Bosch Smart Home Controller SHC before 9.8.905 that may result in a successful denial of service of the SHC and connected sensors and actuators. In order to exploit the vulnerability, the adversary needs to...

7.1 CVSS | 5.3 AI score | 0.00223 EPSS
Exploits: 0 | References: 1 | Affected Software: 1
Prion
added 2019/05/29 8:29 p.m. | 15 views

Improper access control

A potential improper access control vulnerability exists in the JSON-RPC interface of the Bosch Smart Home Controller SHC before 9.8.905 that may result in reading or modification of the SHC's configuration or triggering and restoring backups. In order to exploit the vulnerability, the adversary...

6.8 CVSS | 7.8 AI score | 0.00373 EPSS
Exploits: 0 | References: 1 | Affected Software: 1
NVD
added 2019/05/29 8:29 p.m. | 10 views

CVE-2019-11892

A potential improper access control vulnerability exists in the JSON-RPC interface of the Bosch Smart Home Controller SHC before 9.8.905 that may result in reading or modification of the SHC's configuration or triggering and restoring backups. In order to exploit the vulnerability, the adversary...

8 CVSS | 7.6 AI score | 0.00373 EPSS
Exploits: 0 | References: 1
Cvelist
added 2019/05/29 8:7 p.m. | 12 views

CVE-2019-11895 Improper access control in the JSON-RPC interface of the Bosch Smart Home Controller (SHC)

A potential improper access control vulnerability exists in the JSON-RPC interface of the Bosch Smart Home Controller SHC before 9.8.905 that may result in a successful denial of service of the SHC and connected sensors and actuators. In order to exploit the vulnerability, the adversary needs to...

5.3 CVSS | 5.3 AI score | 0.00223 EPSS
Exploits: 0 | References: 1
CVE
added 2019/05/29 8:7 p.m. | 149 views

CVE-2019-11895

The CVE-2019-11895 entry concerns an improper access control vulnerability in the JSON-RPC interface of the Bosch Smart Home Controller (SHC) prior to 9.8.905, which can lead to denial of service affecting the SHC and connected sensors/actuators. Exposure requires the attacker to have already pai...

7.1 CVSS | 5.2 AI score | 0.00223 EPSS
Exploits: 0 | References: 1 | Affected Software: 1
Cvelist
added 2019/05/29 7:55 p.m. | 12 views

CVE-2019-11892 Improper access control in the JSON-RPC interface of the Bosch Smart Home Controller (SHC)

A potential improper access control vulnerability exists in the JSON-RPC interface of the Bosch Smart Home Controller SHC before 9.8.905 that may result in reading or modification of the SHC's configuration or triggering and restoring backups. In order to exploit the vulnerability, the adversary...

7.5 CVSS | 7.8 AI score | 0.00373 EPSS
Exploits: 0 | References: 1
CVE
added 2019/05/29 7:55 p.m. | 144 views

CVE-2019-11892

The CVE-2019-11892 issue affects the Bosch Smart Home Controller (SHC) JSON-RPC interface. Affected component: SHC’s JSON-RPC layer. Root cause: improper access control could allow reading or modification of SHC configuration and could trigger and restore backups. Exploitation requirements: an at...

8 CVSS | 7.7 AI score | 0.00373 EPSS
Exploits: 0 | References: 1 | Affected Software: 1
NVD
added 2019/04/11 9:29 p.m. | 12 views

CVE-2018-20487

An issue was discovered in the firewall3 component in Inteno IOPSYS 1.0 through 3.16. The attacker must make a JSON-RPC method call to add a firewall rule as an "include" and point the "path" argument to a malicious script or binary. This gets executed as root when the firewall changes are...

9 CVSS | 8.5 AI score | 0.00681 EPSS
Exploits: 1 | References: 2
OSV
added 2019/04/11 9:29 p.m. | 2 views

CVE-2018-20487

An issue was discovered in the firewall3 component in Inteno IOPSYS 1.0 through 3.16. The attacker must make a JSON-RPC method call to add a firewall rule as an "include" and point the "path" argument to a malicious script or binary. This gets executed as root when the firewall changes are...

8.8 CVSS | 5.8 AI score | 0.00681 EPSS
Exploits: 1 | References: 2
Prion
added 2019/04/11 9:29 p.m. | 14 views

Design/Logic Flaw

An issue was discovered in the firewall3 component in Inteno IOPSYS 1.0 through 3.16. The attacker must make a JSON-RPC method call to add a firewall rule as an "include" and point the "path" argument to a malicious script or binary. This gets executed as root when the firewall changes are...

9 CVSS | 8.4 AI score | 0.00681 EPSS
Exploits: 1 | References: 2 | Affected Software: 1
CVE
added 2019/04/11 8:21 p.m. | 43 views

CVE-2018-20487

This CVE affects the firewall3 component of Inteno IOPSYS 1.0–3.16. A JSON-RPC call to add a firewall rule as an “include” can point the path to a malicious script/binary, which is executed as root when changes are committed. Affected software: Inteno IOPSYS firewall3. Root-level impact: arbitrar...

9 CVSS | 8.4 AI score | 0.00681 EPSS
Exploits: 1 | References: 2 | Affected Software: 1
Cvelist
added 2019/04/11 8:21 p.m. | 16 views

CVE-2018-20487

An issue was discovered in the firewall3 component in Inteno IOPSYS 1.0 through 3.16. The attacker must make a JSON-RPC method call to add a firewall rule as an "include" and point the "path" argument to a malicious script or binary. This gets executed as root when the firewall changes are...

8.5 AI score | 0.00681 EPSS
Exploits: 1 | References: 2
NVD
added 2019/01/02 6:29 p.m. | 14 views

CVE-2018-15490

An issue was discovered in ExpressVPN on Windows. The Xvpnd.exe process which runs as a service with SYSTEM privileges listens on TCP port 2015, which is used as an RPC interface for communication with the client side of the ExpressVPN application. A JSON-RPC protocol over HTTP is used for...

7.1 CVSS | 6.9 AI score | 0.00087 EPSS
Exploits: 0 | References: 1
Prion
added 2019/01/02 6:29 p.m. | 11 views

Path traversal

An issue was discovered in ExpressVPN on Windows. The Xvpnd.exe process which runs as a service with SYSTEM privileges listens on TCP port 2015, which is used as an RPC interface for communication with the client side of the ExpressVPN application. A JSON-RPC protocol over HTTP is used for...

6.6 CVSS | 6.9 AI score | 0.00087 EPSS
Exploits: 0 | References: 1
CVE
added 2019/01/02 6:0 p.m. | 51 views

CVE-2018-15490

ExpressVPN for Windows contains a path traversal vulnerability in the JSON-RPC methods XVPN.GetPreference and XVPN.SetPreference within the Xvpnd.exe service (running with SYSTEM privileges). The Xvpnd RPC interface listens on TCP port 2015 and communicates over HTTP, allowing a local attacker to...

7.1 CVSS | 6.8 AI score | 0.00087 EPSS
Exploits: 0 | References: 1 | Affected Software: 1
Cvelist
added 2019/01/02 6:0 p.m. | 15 views

CVE-2018-15490

An issue was discovered in ExpressVPN on Windows. The Xvpnd.exe process which runs as a service with SYSTEM privileges listens on TCP port 2015, which is used as an RPC interface for communication with the client side of the ExpressVPN application. A JSON-RPC protocol over HTTP is used for...

6.9 AI score | 0.00087 EPSS
Exploits: 0 | References: 1
Kitploit
added 2018/07/30 9:39 p.m. | 14 views

Neto - A Tool To Analyse Browser Extensions

Project Neto is a Python 3 package conceived to analyse and unravel hidden features of browser plugins and extensions for well-known browsers such as Firefox and Chrome. It automates the process of unzipping the packaged files to extract these features from relevant resources in an extension like...

7.2 AI score
Exploits: 0 | References: 1
The Hacker News
added 2018/06/11 10:15 a.m. | 79 views

Hackers Stole Over $20 Million in Ethereum from Insecurely Configured Clients

Security researchers have been warning about cybercriminals who have made over 20 million dollars in just the past few months by hijacking insecurely configured Ethereum nodes exposed on the Internet. Qihoo 360 Netlab in March tweeted about a group of cybercriminals who were scanning the Internet for...

0.9 AI score
Exploits: 0
Check Point Advisories
added 2018/05/02 12:0 a.m. | 4 views

Quest NetVault Backup NVBUBackup Count Method SQL Injection (CVE-2017-17652)

An SQL injection vulnerability exists in the Server Process Manager Service of Quest NetVault Backup. The vulnerability is due to improper validation of user-supplied input on JSON-RPC requests invoking the Count method of the NVBUBackup class...

7.5 CVSS | 2.8 AI score | 0.14875 EPSS
Exploits: 0
Check Point Advisories
added 2018/05/02 12:0 a.m. | 4 views

Quest NetVault Backup NVBUEventHistory Get Method SQL Injection (CVE-2017-17412)

An SQL injection vulnerability exists in the Server Process Manager Service of Quest NetVault Backup. The vulnerability is due to improper validation of user-supplied input on JSON-RPC requests invoking the Get method of the NVBUEventHistory class...

7.5 CVSS | 2.5 AI score | 0.14875 EPSS
Exploits: 0