| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| An open redirect vulnerability in the administrative interface of the B. Braun Melsungen AG SpaceCom device Version L81/U61 and earlier, and the Data module compactplus Versions A10 and A11 allows attackers to redirect users to malicious websites. |
| An improper verification of the cryptographic signature of firmware updates of the B. Braun Melsungen AG SpaceCom Version L81/U61 and earlier, and the Data module compactplus Versions A10 and A11 allows attackers to generate valid firmware updates with arbitrary content that can be used to tamper with devices. |
| A vulnerability in the B. Braun Melsungen AG SpaceCom Version L81/U61 and earlier, and the Data module compactplus Versions A10 and A11 allows attackers to recover user credentials of the administrative interface. |
| Hard-coded credentials in the B. Braun Melsungen AG SpaceCom Version L81/U61 and earlier, and the Data module compactplus Versions A10 and A11 enable attackers with command line access to access the device’s Wi-Fi module. |
| OSIsoft PI Vision 2020 versions prior to 3.5.0 could disclose information to a user with insufficient privileges for an AF attribute. |
| Automated Logic's WebCtrl Server Version 6.1 'Help' index pages are vulnerable to open redirection. The vulnerability allows an attacker to send a maliciously crafted URL which could result in redirecting the user to a malicious webpage or downloading a malicious file. |
| The affected product is vulnerable to a network-based attack by threat actors supplying a crafted, malicious XML payload designed to trigger an external entity reference call. |
| The setup program for the affected product configures its files and folders with full access, which may allow unauthorized users permission to replace original binaries and achieve privilege escalation. |
| The affected product is vulnerable to misconfigured binaries, allowing users on the target PC with SYSTEM level privileges access to overwrite the binary and modify files to gain privilege escalation. |
| The affected product is vulnerable to a network-based attack by threat actors sending unimpeded requests to the receiving server, which could cause a denial-of-service condition due to lack of heap memory resources. |
| The affected product is vulnerable to a network-based attack by threat actors utilizing crafted naming conventions of files to gain unauthorized access rights. |
| A malicious actor having access to the exported configuration file may obtain the stored credentials and thereby gain access to the protected resource. If the same passwords were used for other resources, further such assets may be compromised. |
| Hills ComNav version 3002-19 suffers from a weak communication channel. Traffic across the local network for the configuration pages can be viewed by a malicious actor. The size of certain communications packets are predictable. This would allow an attacker to learn the state of the system if they can observe the traffic. This would be possible even if the traffic were encrypted, e.g., using WPA2, as the packet sizes would remain observable. The communication encryption scheme is theoretically sound, but is not strong enough for the level of protection required. |
| There is no limit to the number of attempts to authenticate for the local configuration pages for the Hills ComNav Version 3002-19 interface, which allows local attackers to brute-force credentials. |
| All versions of Uffizio GPS Tracker may allow an attacker to perform unintended actions on behalf of a user. |
| An attacker may be able to inject client-side JavaScript code on multiple instances within all versions of Uffizio GPS Tracker. |
| Elcomplus SmartPTT is vulnerable as the backup and restore system does not adequately validate download requests, enabling malicious users to perform path traversal attacks and potentially download arbitrary files from the system. |
| Elcomplus SmartPTT is vulnerable as the backup and restore system does not adequately validate upload requests, enabling a malicious user to potentially upload arbitrary files. |
| Elcomplus SmartPTT SCADA Server web application does not, or cannot, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request. |
| Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability exists in HandlerChart.ashx. This allows an attacker to inject arbitrary SQL queries, retrieve and modify database contents, and execute system commands. |
