Unauthenticated attackers can send configuration settings to a device and possibly perform physical actions remotely (e.g., switching it on or off).
Unauthenticated attackers can obtain restricted information about a user's smart device collections (i.e., "rooms").
An unauthenticated attacker can obtain a list of smart devices by knowing a valid username.
An authenticated attacker can obtain any plant name by knowing the plant ID.
An unauthenticated attacker can check the existence of usernames in the system by querying an API.
An unauthenticated attacker can obtain other users' charger information.
An unauthenticated attacker can obtain EV charger energy consumption information of other users.
An attacker can get information about the groups of the smart home devices for arbitrary users (i.e., "rooms").
Unauthenticated attackers can query information about total energy consumed by EV chargers of arbitrary users.
An unauthenticated attacker can obtain a user's plant list by knowing the username.
An unauthenticated attacker can obtain the serial number(s) of a user's smart meter(s) by knowing the owner's username.
Unauthenticated attackers can retrieve the serial numbers of smart meters associated with a specific user account.
Unauthenticated attackers can obtain restricted information about a user's smart device collections (i.e., "scenes").
Unauthenticated attackers can rename "rooms" of arbitrary users.
An unauthenticated attacker can obtain a list of smart devices by knowing a valid username, through an unprotected API.
Unauthenticated attackers can retrieve the full list of users associated with arbitrary accounts.
Unauthenticated attackers can query an API endpoint and get device details.
An unauthenticated attacker can get users' emails by knowing usernames. A password reset email will be sent in response to this unsolicited request.
An unauthenticated attacker can delete any user's "rooms" by knowing the user ID and the room ID.
An unauthenticated attacker can obtain EV charger version and firmware upgrading history by knowing the charger ID.
An attacker can change registered email addresses of other users and take over arbitrary accounts.
Unauthenticated attackers can rename arbitrary devices of arbitrary users (i.e., EV chargers).
Unauthenticated attackers can add devices of other users to their scenes (or arbitrary scenes of other arbitrary users).
An unauthenticated attacker can infer the existence of usernames in the system by querying an API.
An attacker can export other users' plant information.
An unauthenticated attacker can hijack other users' devices and potentially control them.
Authorization Bypass Through User-Controlled Key in GitHub repository usememos/memos prior to 0.9.1.
flaskBlog is a blog app built with Flask. In 2.8.0 and earlier, when deleting a comment, there's no validation of the ownership of the comment. Every user can delete an arbitrary comment of another user on every post, by simply intercepting the delete request and changing the commentID. The code that causes the problem is in routes/post.py.
PHPGurukul Online DJ Booking Management System 2.0 is vulnerable to Insecure Direct Object Reference (IDOR) in odms/request-details.php.
A vulnerability was found in Tutorials-Website Employee Management System 1.0 and classified as critical. Affected by this issue is some unknown functionality of the file /admin/delete-user.php. The manipulation of the argument ID leads to improper authorization. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.361, the missing authorization allows any authenticated user to revoke any team invitations on a Coolify instance by only providing a predictable and incrementing ID, resulting in a Denial-of-Service attack (DOS). Version 4.0.0-beta.361 fixes the issue.
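The flaskBlog and Coolify entries above describe the same defect: a delete (or revoke) handler keyed by a predictable, client-supplied ID that never checks whether the record belongs to the requester, so an authenticated user can walk the ID space and remove everyone else's objects. The following is an added, self-contained Python illustration written for this page; it is not code from flaskBlog, Coolify or any other project named here, and the in-memory store, the handler names and the sample comments are all hypothetical. It places the vulnerable handler beside a hardened one that performs the object-level ownership check, and includes the enumeration loop an attacker would run against each.

```python
"""Added illustration of the IDOR pattern described in the entries above.
Not code from flaskBlog, Coolify or any other project; all names and data
are constructed for this example."""
from dataclasses import dataclass, field


@dataclass
class Comment:
    id: int
    post_id: int
    author: str
    body: str


@dataclass
class CommentStore:
    """Minimal stand-in for the database table behind a blog's comments."""
    comments: dict = field(default_factory=dict)

    def add(self, post_id, author, body):
        # Sequential primary keys: trivially predictable, like the
        # incrementing invitation IDs in the Coolify entry.
        cid = len(self.comments) + 1
        self.comments[cid] = Comment(cid, post_id, author, body)
        return cid


def delete_comment_vulnerable(store, current_user, comment_id):
    """The flaw: the caller is authenticated, but nothing ties the
    client-supplied comment_id to current_user. Any user who intercepts
    the request and edits the ID deletes someone else's comment."""
    if comment_id not in store.comments:
        return False
    del store.comments[comment_id]          # current_user is never consulted
    return True


def delete_comment_fixed(store, current_user, comment_id):
    """Object-level authorization: load the record first and act on it only
    if the requester owns it. A comment that is missing and one owned by
    another user both yield the same 'not found' result, so the endpoint
    cannot be used as an existence oracle either."""
    comment = store.comments.get(comment_id)
    if comment is None or comment.author != current_user:
        return False
    del store.comments[comment_id]
    return True


def enumerate_and_delete(store, current_user, handler, max_id):
    """What an attacker does with a predictable key: try every ID."""
    deleted = []
    for cid in range(1, max_id + 1):
        if handler(store, current_user, cid):
            deleted.append(cid)
    return deleted


def build_store():
    """Constructed sample data: three comments by three different users."""
    store = CommentStore()
    store.add(post_id=1, author="alice", body="first")
    store.add(post_id=1, author="bob", body="second")
    store.add(post_id=2, author="carol", body="third")
    return store


def run(handler, attacker="bob"):
    """Run the enumeration as `attacker` against a fresh store and report
    which IDs were deleted and which comments survive."""
    store = build_store()
    deleted = enumerate_and_delete(store, attacker, handler, max_id=10)
    return deleted, sorted(store.comments)


if __name__ == "__main__":
    print("vulnerable:", run(delete_comment_vulnerable))
    print("fixed:     ", run(delete_comment_fixed))
```

With the vulnerable handler, bob's sweep of IDs 1 through 10 removes all three comments, including alice's and carol's; with the fixed handler only bob's own comment (ID 2) is deleted and the other two survive. The check belongs in the handler that performs the mutation, not in the UI that hides the delete button, because the request can always be replayed with a different ID. Returning the same not-found response for "no such record" and "not yours" is a deliberate choice here: it keeps the fix from turning into the kind of existence oracle the username-enumeration entries above describe.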