20 matches found

EUVD
added 2025/10/07 12:30 a.m. | 2 views

EUVD-2019-4182

Malware in sbrugna...

6.5 CVSS | 6.8 AI score | 0.00175 EPSS
Exploits: 3 | References: 4

EUVD
added 2025/10/07 12:30 a.m. | 3 views

EUVD-2020-3404

Malware in sbrugna...

9.1 CVSS | 9 AI score | 0.00257 EPSS
Exploits: 0 | References: 2

EUVD
added 2025/10/03 8:7 p.m. | 2 views

EUVD-2024-0877

Malicious code in bioql PyPI...

8.8 CVSS | 7.3 AI score | 0.04457 EPSS
Exploits: 1 | References: 4

RedhatCVE
added 2025/05/22 8:1 a.m. | 7 views

CVE-2019-12588

The client 802.11 mac implementation in Espressif ESP8266NONOSSDK 2.2.0 through 3.1.0 does not validate correctly the RSN AuthKey suite list count in beacon frames, probe responses, and association responses, which allows attackers in radio range to cause a denial of service crash via a crafted...

6.5 CVSS | 6.6 AI score | 0.00175 EPSS
Exploits: 3 | References: 1

RedhatCVE
added 2025/02/05 2:10 p.m. | 3 views

CVE-2020-11015

A vulnerability has been disclosed in thinx-device-api IoT Device Management Server before version 2.5.0. Device MAC address can be spoofed. This means initial registration requests without UDID and spoofed MAC address may pass to create new UDID with same MAC address. Full impact needs to be...

9.1 CVSS | 6.9 AI score | 0.00257 EPSS
Exploits: 0 | References: 1

CVE
added 2024/03/06 6:19 p.m. | 97 views

CVE-2024-27287

ESPHome’s CVE-2024-27287 affects the dashboard’s edit API in ESPHome 2023.12.9 up to 2024.2.1 (prior to 2024.2.2). A remote, authenticated user can inject arbitrary JavaScript via the /edit endpoint by posting to /edit?configuration=[file], storing unsanitized data in a page served with Content-T...

8.7 CVSS | 6.3 AI score | 0.00265 EPSS
Exploits: 0 | References: 2 | Affected Software: 1

Cvelist
added 2024/03/06 6:19 p.m. | 13 views

CVE-2024-27287 ESPHome vulnerable to stored Cross-site Scripting in edit configuration file API

ESPHome is a system to control your ESP8266/ESP32 for Home Automation systems. Starting in version 2023.12.9 and prior to version 2024.2.2, editing the configuration file API in dashboard component of ESPHome version 2023.12.9 command line installation and Home Assistant add-on serves unsanitized...

6.5 CVSS | 6.4 AI score | 0.00265 EPSS
Exploits: 0 | References: 2

CVE
added 2024/02/26 4:29 p.m. | 135 views

CVE-2024-27081

CVE-2024-27081 concerns ESPHome, where a security misconfiguration in the dashboard’s edit-configuration API (affecting the 2023.12.9 CLI installation) allowed authenticated remote attackers to read and write arbitrary files under the configuration directory, potentially yielding remote code exec...

8.8 CVSS | 7.3 AI score | 0.04457 EPSS
Exploits: 1 | References: 2 | Affected Software: 1

Cvelist
added 2022/09/29 1:42 a.m. | 14 views

CVE-2020-11015 Device Authentication Vulnerability in thinx-device-api IoT Device Management Server

A vulnerability has been disclosed in thinx-device-api IoT Device Management Server before version 2.5.0. Device MAC address can be spoofed. This means initial registration requests without UDID and spoofed MAC address may pass to create new UDID with same MAC address. Full impact needs to be...

7.5 CVSS | 9.2 AI score | 0.00257 EPSS
Exploits: 0 | References: 1

CVE
added 2022/09/29 1:42 a.m. | 38 views

CVE-2020-11015

CVE-2020-11015 affects the thinx-device-api IoT Device Management Server prior to firmware 2.5.0. The root issue allows a spoofed MAC address to bypass UDID checks during initial registration, potentially enabling creation of a new UDID with the same MAC address (noted to apply to ESP8266/ESP32 d...

9.1 CVSS | 8.5 AI score | 0.00257 EPSS
Exploits: 0 | References: 1 | Affected Software: 1

OSV
added 2021/09/28 4:15 p.m. | 15 views

PYSEC-2021-351

ESPHome is a system to control the ESP8266/ESP32. Anyone with webserver enabled and HTTP basic auth configured on version 2021.9.1 or older is vulnerable to an issue in which webserver allows over-the-air OTA updates without checking user defined basic auth username & password. This issue is...

7.5 CVSS | 3.1 AI score | 0.00284 EPSS
Exploits: 0 | References: 4

Prion
added 2021/09/28 4:15 p.m. | 7 views

Default credentials

ESPHome is a system to control the ESP8266/ESP32. Anyone with webserver enabled and HTTP basic auth configured on version 2021.9.1 or older is vulnerable to an issue in which webserver allows over-the-air OTA updates without checking user defined basic auth username & password. This issue is...

4.3 CVSS | 7.3 AI score | 0.00284 EPSS
Exploits: 0 | References: 3 | Affected Software: 1

CVE
added 2020/07/23 3:41 p.m. | 43 views

CVE-2020-12638

The CVE affects Espressif IoT SDKs: ESP-IDF up to 4.2, ESP8266_NONOS_SDK up to 3.0.3, and ESP8266_RTOS_SDK up to 3.3. A forged-beacon-frame exploit forces a device to switch its authentication mode to OPEN, effectively disabling 802.11 encryption. The underlying issue is an encryption bypass trig...

6.8 CVSS | 6.7 AI score | 0.00031 EPSS
Exploits: 1 | References: 4 | Affected Software: 3

NVD
added 2020/04/30 6:15 p.m. | 8 views

CVE-2020-11015

A vulnerability has been disclosed in thinx-device-api IoT Device Management Server before version 2.5.0. Device MAC address can be spoofed. This means initial registration requests without UDID and spoofed MAC address may pass to create new UDID with same MAC address. Full impact needs to be...

9.1 CVSS | 7.8 AI score | 0.00257 EPSS
Exploits: 0 | References: 1

Prion
added 2020/04/30 6:15 p.m. | 14 views

Design/Logic Flaw

A vulnerability has been disclosed in thinx-device-api IoT Device Management Server before version 2.5.0. Device MAC address can be spoofed. This means initial registration requests without UDID and spoofed MAC address may pass to create new UDID with same MAC address. Full impact needs to be...

6.4 CVSS | 9 AI score | 0.00257 EPSS
Exploits: 0 | References: 1 | Affected Software: 1

Pen Test Partners Blog
added 2019/12/10 11:56 a.m. | 14 views

Xmas Light Security Improves… a bit

We've looked at smart Xmas lights before; whilst they were vulnerable, there was no consequence to the hack other than making them flash in a different order! In 2018 we looked at the all-new Twinkly smart festive lights. We found a number of security issues, reported them to the vendor and to a...

6.9 AI score
Exploits: 0

CVE
added 2019/09/04 8:0 p.m. | 235 views

CVE-2019-12586

CVE-2019-12586 affects Espressif ESP-IDF (2.0.0–4.0.0) and ESP8266_NONOS_SDK (2.2.0–3.1.0): the EAP peer processes EAP Success messages before any EAP method completion, enabling a radio‑range attacker to crash the device (DoS) via a crafted message. Red Hat and OSV entries confirm the same descr...

6.5 CVSS | 6.4 AI score | 0.02347 EPSS
Exploits: 3 | References: 3 | Affected Software: 2

CVE
added 2019/09/04 11:30 a.m. | 153 views

CVE-2019-12588

CVE-2019-12588 affects the Espressif ESP8266_NONOS_SDK 2.2.0–3.1.0, where the 802.11 MAC implementation fails to validate the RSN AuthKey suite list count in beacon frames, probe responses, and association responses. This can be exploited by an attacker in radio range to crash the device via a cr...

6.5 CVSS | 6.4 AI score | 0.00175 EPSS
Exploits: 3 | References: 3 | Affected Software: 2

0day.today
added 2017/04/06 12:0 a.m. | 59 views

Cesanta Mongoose OS - Use-After-Free Vulnerability

Exploit for hardware platform in category dos / poc Product: Mongoose OS Vendor: Cesanta CVE ID: CVE-2017-7185 CSNC ID: CSNC-2017-003 Subject: Use-after-free / Denial of Service Risk: Medium Effect: Remotely exploitable Authors: Philipp Promeuschel Carel van Rooyen Stephan Sekula Date: 2017-04-03...

5 CVSS | 7.6 AI score | 0.3325 EPSS
Exploits: 5

exploitpack
added 2017/04/06 12:0 a.m. | 34 views

Cesanta Mongoose OS - Use-After-Free

Cesanta Mongoose OS - Use-After-Free COMPASS SECURITY ADVISORY https://www.compass-security.com/en/research/advisories/ Product: Mongoose OS Vendor: Cesanta CVE ID: CVE-2017-7185 CSNC ID: CSNC-2017-003 Subject: Use-after-free / Denial of Service Risk: Medium Effect: Remotely exploitable Authors:...

5 CVSS | 0.3325 EPSS
Exploits: 5