MicroDicom DICOM Viewer is vulnerable to an out-of-bounds read which may allow an attacker to cause memory corruption within the application. The user must open a malicious DCM file for exploitation.
MicroDicom DICOM Viewer is vulnerable to an out-of-bounds write which may allow an attacker to execute arbitrary code. The user must open a malicious DCM file for exploitation.
ALBEDO Telecom Net.Time - PTP/NTP clock (Serial No. NBC0081P) software release 1.4.4 is vulnerable to an insufficient session expiration vulnerability, which could permit an attacker to transmit passwords over unencrypted connections, resulting in the product becoming vulnerable to interception.
Vestel AC Charger version 3.75.0 contains a vulnerability that could enable an attacker to access files containing sensitive information, such as credentials which could be used to further compromise the device.
WGS-80HPT-V2 and WGS-4215-8T2S are missing authentication, which could allow an attacker to create an administrator account without knowing any existing credentials.
UNI-NMS-Lite uses hard-coded credentials that could allow an unauthenticated attacker to read, manipulate and create entries in the managed database.
UNI-NMS-Lite uses hard-coded credentials that could allow an unauthenticated attacker to gain administrative privileges to all UNI-NMS managed devices.
WGS-80HPT-V2 and WGS-4215-8T2S are vulnerable to a command injection attack that could allow an unauthenticated attacker to execute OS commands on the host system.
UNI-NMS-Lite is vulnerable to a command injection attack that could allow an unauthenticated attacker to read or manipulate device data.
Unauthenticated attackers can retrieve full list of users associated with arbitrary accounts.
Unauthenticated attackers can add devices of other users to their scenes (or arbitrary scenes of other arbitrary users).
Unauthenticated attackers can rename "rooms" of arbitrary users.
Unauthenticated attackers can retrieve the serial number of smart meters associated with a specific user account.
Unauthenticated attackers can query information about total energy consumed by EV chargers of arbitrary users.
Unauthenticated attackers can trigger device actions associated with specific "scenes" of arbitrary users.
Unauthenticated attackers can send configuration settings to a device and possibly perform physical actions remotely (e.g., on/off).
An unauthenticated attacker can obtain a list of smart devices by knowing a valid username through an unprotected API.
Due to a lack of server-side input validation, attackers can inject malicious JavaScript code into users' personal spaces of the web portal.
An attacker can upload an arbitrary file instead of a plant image.
An attacker can export other users' plant information.
An unauthenticated attacker can hijack other users' devices and potentially control them.
An unauthenticated attacker can delete any user's "rooms" by knowing the user and room IDs.
An unauthenticated attacker can obtain EV charger version and firmware upgrading history by knowing the charger ID.
An unauthenticated attacker can obtain EV charger energy consumption information of other users.
An unauthenticated attacker can obtain other users' charger information.
Unauthenticated attackers can rename arbitrary devices of arbitrary users (i.e., EV chargers).
Unauthenticated attackers can query an API endpoint and get device details.
An attacker can get information about the groups of the smart home devices for arbitrary users (i.e., "rooms").
Unauthenticated attackers can obtain restricted information about a user's smart device collections (i.e., "scenes").
Unauthenticated attackers can obtain restricted information about a user's smart device collections (i.e., "rooms").
An attacker can change registered email addresses of other users and take over arbitrary accounts.
An unauthenticated attacker can obtain the serial number(s) of a user's smart meter(s) using the owner's username.
An unauthenticated attacker can get users' emails by knowing usernames. A password reset email will be sent in response to this unsolicited request.
An unauthenticated attacker can infer the existence of usernames in the system by querying an API.
An unauthenticated attacker can obtain a list of smart devices by knowing a valid username.
An unauthenticated attacker can obtain a user's plant list by knowing the username.
An authenticated attacker can obtain any plant name by knowing the plant ID.
An unauthenticated attacker can check the existence of usernames in the system by querying an API.
An authenticated attacker can achieve stored XSS by exploiting improper sanitization of the plant name value while adding or editing a plant.
An attacker could modify or disable settings, disrupt fuel monitoring and supply chain operations, leading to disabling of ATG monitoring. This would result in potential safety hazards in fuel storage and transportation.
Subnet Solutions PowerSYSTEM Center is affected by a mishandling of exceptional conditions vulnerability. Crafted data that is passed to the API may trigger an exception, resulting in a denial-of-service condition.
Subnet Solutions PowerSYSTEM Center's SMTPS notification service can be affected by importing an EC certificate with crafted F2m parameters, which can lead to excessive CPU consumption during the evaluation of the curve parameters.
Santesoft Sante DICOM Viewer Pro is vulnerable to an out-of-bounds write, which requires a user to open a malicious DCM file, resulting in execution of arbitrary code by a local attacker.
A token is created using the username, current date/time, and a fixed AES-128 encryption key, which is the same across all installations.
A flaw exists in the Windows login flow where an AuthContext token can be exploited for replay attacks and authentication bypass.
Optigo Networks Visual BACnet Capture Tool and Optigo Visual Networks Capture Tool version 3.1.2rc11 are vulnerable to an attacker impersonating the web application service and misleading victim clients.
Optigo Networks Visual BACnet Capture Tool and Optigo Visual Networks Capture Tool version 3.1.2rc11 contain an exposed web management service that could allow an attacker to bypass authentication measures and gain control over utilities within the products.
Optigo Networks Visual BACnet Capture Tool and Optigo Visual Networks Capture Tool version 3.1.2rc11 contain a hard-coded secret key. This could allow an attacker to generate valid JWT (JSON Web Token) sessions.
This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. *** Duplicate of CVE-2025-22880 ***
Path traversal may lead to arbitrary file deletion. The score without least privilege principle violation is as calculated below. In combination with other issues it may facilitate further compromise of the device. Remediation in Version 6.8.0, release date: 01-Mar-25.