Security Vulnerabilities
- CVEs Published In April 2025
An unauthenticated attacker can obtain EV charger energy consumption information of other users.
Unauthenticated attackers can retrieve serial number of smart meters associated to a specific user account.
An attacker can upload an arbitrary file instead of a plant image.
Unauthenticated attackers can send configuration settings to device and possible perform physical actions remotely (e.g., on/off).
Unauthenticated attackers can query an API endpoint and get device details.
Shopware prior to version 6.5.8.13 is affected by a SQL injection vulnerability in the /api/search/order endpoint. NOTE: this issue exists because of a CVE-2024-22406 and CVE-2024-42357 regression.
An unauthenticated attackers can obtain a list of smart devices by knowing a valid username through an unprotected API.
Unauthenticated attackers can retrieve full list of users associated with arbitrary accounts.
Cross Site Scripting vulnerability in Nagios Log Server v.2024R1.3.1 allows a remote attacker to execute arbitrary code via a payload into the Email field.
An unauthenticated attacker can obtain EV charger version and firmware upgrading history by knowing the charger ID.