Longjing Technology BEMS API 1.21 - Unauthenticated Arbitrary File Download
Longjing Technology BEMS API 1.21 is vulnerable to local file inclusion. Input passed through the fileName parameter through the downloads API endpoint is not properly verified before being used to download files. This can be exploited to disclose the contents of arbitrary and sensitive files...
KevinLAB BEMS 1.0 - SQL Injection
KevinLAB BEMS 1.0 contains a SQL injection vulnerability. Input passed through inputid POST parameter in /http/index.php is not properly sanitized before being returned to the user or used in SQL queries. An attacker can possibly obtain sensitive information from a database, modify data, and...
CVE-2021-4463
Longjing Technology BEMS API versions up to and including 1.21 contains an unauthenticated arbitrary file download vulnerability in the 'downloads' endpoint. The 'fileName' parameter is not properly sanitized, allowing attackers to craft traversal sequences and access sensitive files outside the...
CVE-2021-4463
CVE-2021-4463 affects Longjing Technology BEMS API versions up to 1.21. The vulnerability exists in the downloads endpoint where the fileName parameter is not properly sanitized, enabling an attacker to perform path traversal and download arbitrary files outside the intended directory without aut...
CVE-2021-4463 Longjing Technology BEMS API <= 1.21 Remote Arbitrary File Download
Longjing Technology BEMS API versions up to and including 1.21 contains an unauthenticated arbitrary file download vulnerability in the 'downloads' endpoint. The 'fileName' parameter is not properly sanitized, allowing attackers to craft traversal sequences and access sensitive files outside the...
Longjing BEMS API Security Vulnerability
The Longjing BEMS API is the interface to the Battery Energy Management System (BEMS) from China's Longjing. A security vulnerability exists in Longjing BEMS API version 1.21 and earlier, stemming from an arbitrary file download issue in the downloads endpoint that could result in access to...
ABB Cylon Aspect 3.08.00 fileSystemUpdate.php File Upload / Denial Of Service
ABB Cylon Aspect 3.08.00 fileSystemUpdate.php Insecure File Upload Vendor: ABB Ltd. Product web page: https://www.global.abb Affected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio Firmware: =3.08.00 Summary: ASPECT is an award-winning scalable building energy management...
ABB Cylon Aspect 3.08.00 (fileSystemUpdate.php) Insecure File Upload
Summary ASPECT is an award-winning scalable building energy management and control solution designed to allow users seamless access to their building data through standard building protocols including smart devices. Description A vulnerability exists in the fileSystemUpdate.php endpoint of the AB...
VulnCheck KEV: CVE-2021-37291
An SQL Injection vulnerability exists in KevinLAB Inc Building Energy Management System 4ST BEMS 1.0.0 via the inputid POST parameter in index.php...
bems-solutions.de Improper Access Control vulnerability OBB-3772398
Following the coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has: a. verified the vulnerability and confirmed its existence; b. notified the website operator about its existence. Technical details of the vulnerability are currently hidde...
KevinLAB Building Energy Management System Cross-Site Request Forgery Vulnerability
KevinLAB Building Energy Management System is a building energy management system from KevinLAB Korea. A cross-site request forgery vulnerability exists in KevinLAB Building Energy Management System version 4ST BEMS 1.0.0. No detailed vulnerability information is currently available...
KevinLAB Building Energy Management System SQL Injection Vulnerability
KevinLAB Building Energy Management System is a building energy management system from KevinLAB Korea. An SQL injection vulnerability exists in KevinLAB Building Energy Management System version 4ST BEMS 1.0.0, which originates from missing validation of external input to SQL statements in the inputi...
CVE-2021-37292
An Access Control vulnerability exists in KevinLAB Inc Building Energy Management System 4ST BEMS 1.0.0 due to an undocumented backdoor account. A malicious user can log in using the backdoor account with the highest (admin) privileges and obtain system control...
CVE-2021-37291
An SQL Injection vulnerability exists in KevinLAB Inc Building Energy Management System 4ST BEMS 1.0.0 via the inputid POST parameter in index.php...
Directory traversal
A Directory Traversal vulnerability exists in KevinLAB Inc Building Energy Management System 4ST BEMS 1.0.0 via the page GET parameter in index.php...
SQL injection
An SQL Injection vulnerability exists in KevinLAB Inc Building Energy Management System 4ST BEMS 1.0.0 via the inputid POST parameter in index.php...
CVE-2021-37292
CVE-2021-37292 affects KevinLAB Building Energy Management System 4ST BEMS 1.0.0. The NUCLEI template confirms an undocumented backdoor account with admin-level privileges enables login and full remote control, bypassing authentication. Impact is full system control and remote administration. Mit...
CVE-2021-37293
CVE-2021-37293 affects KevinLAB Building Energy Management System 4ST BEMS 1.0.0. A directory traversal/file path disclosure vulnerability exists in index.php where the input passed via the page GET parameter is used to include files. The ZSL report indicates an authenticated file disclosure path...
CVE-2021-37293
A Directory Traversal vulnerability exists in KevinLAB Inc Building Energy Management System 4ST BEMS 1.0.0 via the page GET parameter in index.php...