324 matches found
CVE-2025-31360
Unauthenticated attackers can trigger device actions associated with specific "scenes" of arbitrary users...
CVE-2025-31654
An attacker can get information about the groups of the smart home devices for arbitrary users i.e., "rooms"...
CVE-2025-31147
Unauthenticated attackers can query information about total energy consumed by EV chargers of arbitrary users...
CVE-2025-27561
Unauthenticated attackers can rename "rooms" of arbitrary users...
CVE-2025-26857
Unauthenticated attackers can rename arbitrary devices of arbitrary users i.e., EV chargers...
PT-2025-16530
Name of the Vulnerable Software and Affected Versions: The product name cannot be determined. Description: The issue allows unauthenticated attackers to rename "rooms" of arbitrary users. This can potentially lead to unauthorized modifications of user settings or data. Recommendations: At the moment...
CVE-2024-13771
The Civi - Job Board & Freelance Marketplace WordPress Theme plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 2.1.4. This is due to a lack of user validation before changing a password. This makes it possible for unauthenticated attackers to change...
CVE-2025-26342
A CWE-306 "Missing Authentication for Critical Function" in maxprofile/accounts/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to create arbitrary users, including administrators, via crafted HTTP requests...
Q-Free MAXTIME Suite Access Control Error Vulnerability
Q-Free MAXTIME Suite is a software suite for local traffic signal management from Q-Free. An access control error vulnerability exists in Q-Free MAXTIME Suite version 2.11.0 and prior versions, which stems from a lack of authentication for critical functions in maxprofile/accounts/routes.lua. An...
CVE-2024-11349 AdForest <= 5.1.6 - Authentication Bypass
The AdForest theme for WordPress is vulnerable to authentication bypass in all versions up to, and including, 5.1.6. This is due to the plugin not properly verifying a user's identity prior to authenticating them through the sb_login_user_with_otp_fun function. This makes it possible for unauthenticat...
CVE-2024-11349
The CVE-2024-11349 entry concerns the AdForest WordPress theme (≤5.1.6). The vulnerability is an authentication bypass caused by the plugin not properly verifying a user's identity before authenticating via sb_login_user_with_otp_fun(). As a result, unauthenticated attackers can log in as arbitra...
NUUO NVRmini2 Devices Missing Authentication Vulnerability
NUUO NVRmini2 devices contain a missing authentication vulnerability that allows an unauthenticated attacker to upload an encrypted TAR archive, which can be abused to add arbitrary users...
CVE-2024-52283
CVE-2024-52283 is described in public sources as a stored XSS vulnerability caused by missing input sanitization. The available connected documents indicate the vulnerability can be triggered when viewing a specific project, with a CVSS 3.1 base score of 5.7 (Medium) and an influence pattern of N...
CVE-2024-11069
The WordPress GDPR plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'WordPress_GDPR_Data_Delete::check_action' function in all versions up to, and including, 2.0.2. This makes it possible for unauthenticated attackers to delete arbitrary users...
CVE-2024-11069
CVE-2024-11069 : WordPress GDPR plugin for WordPress allows unauthenticated deletion of arbitrary users due to a missing capability check in WordPress_GDPR_Data_Delete::check_action, affecting versions up to 2.0.2. Connected sources confirm the issue and indicate a patch/update path; Red Hat and ...
Moodle's IDOR in Feedback non-respondents report allows messaging arbitrary site users
A flaw was found in Feedback. Bulk messaging in the activity's non-respondents report did not verify message recipients belonging to the set of users returned by the report...