Total
856 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-31945 | 2025-04-16 | 5.3 Medium | ||
| An unauthenticated attacker can obtain other users' charger information. | ||||
| CVE-2025-31950 | 2025-04-16 | 5.3 Medium | ||
| An unauthenticated attacker can obtain EV charger energy consumption information of other users. | ||||
| CVE-2025-27575 | 2025-04-16 | 5.3 Medium | ||
| An unauthenticated attacker can obtain EV charger version and firmware upgrading history by knowing the charger ID. | ||||
| CVE-2025-27565 | 2025-04-16 | 5.3 Medium | ||
| An unauthenticated attacker can delete any user's "rooms" by knowing the user's and room IDs. | ||||
| CVE-2025-25276 | 2025-04-16 | 5.3 Medium | ||
| An unauthenticated attacker can hijack other users' devices and potentially control them. | ||||
| CVE-2025-31360 | 2025-04-16 | 6.5 Medium | ||
| Unauthenticated attackers can trigger device actions associated with specific "scenes" of arbitrary users. | ||||
| CVE-2025-31147 | 2025-04-16 | 5.3 Medium | ||
| Unauthenticated attackers can query information about total energy consumed by EV chargers of arbitrary users. | ||||
| CVE-2025-24487 | 2025-04-16 | 5.3 Medium | ||
| An unauthenticated attacker can infer the existence of usernames in the system by querying an API. | ||||
| CVE-2025-24850 | 2025-04-16 | 5.3 Medium | ||
| An attacker can export other users' plant information. | ||||
| CVE-2025-27927 | 2025-04-16 | 5.3 Medium | ||
| An unauthenticated attackers can obtain a list of smart devices by knowing a valid username through an unprotected API. | ||||
| CVE-2025-27561 | 2025-04-16 | 5.3 Medium | ||
| Unauthenticated attackers can rename "rooms" of arbitrary users. | ||||
| CVE-2025-24315 | 2025-04-16 | 5.3 Medium | ||
| Unauthenticated attackers can add devices of other users to their scenes (or arbitrary scenes of other arbitrary users). | ||||
| CVE-2025-27929 | 2025-04-16 | 5.3 Medium | ||
| Unauthenticated attackers can retrieve full list of users associated with arbitrary accounts. | ||||
| CVE-2022-31683 | 1 Pivotal Software | 1 Concourse | 2025-04-16 | 5.4 Medium |
| Concourse (7.x.y prior to 7.8.3 and 6.x.y prior to 6.7.9) contains an authorization bypass issue. A Concourse user can send a request with body including :team_name=team2 to bypass team scope check to gain access to certain resources belong to any other team. | ||||
| CVE-2025-30257 | 2025-04-16 | 5.3 Medium | ||
| Unauthenticated attackers can retrieve serial number of smart meters associated to a specific user account. | ||||
| CVE-2025-31949 | 2025-04-16 | 5.3 Medium | ||
| An authenticated attacker can obtain any plant name by knowing the plant ID. | ||||
| CVE-2025-26977 | 1 Ninjateam | 1 Filebird | 2025-04-15 | 3.8 Low |
| Authorization Bypass Through User-Controlled Key vulnerability in Ninja Team Filebird allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Filebird: from n/a through 6.4.2.1. | ||||
| CVE-2025-3574 | 2025-04-15 | N/A | ||
| Insecure Direct Object Reference vulnerability in Deporsite from T-INNOVA allows an attacker to retrieve sensitive information from others users via "idUsuario" parameter in "/helper/Familia/obtenerFamiliaUsuario" endpoint. | ||||
| CVE-2025-3575 | 2025-04-15 | N/A | ||
| Insecure Direct Object Reference vulnerability in Deporsite from T-INNOVA allows an attacker to retrieve sensitive information from others users via "idUsuario" parameter in "/helper/Familia/establecerUsuarioSeleccion" endpoint. | ||||
| CVE-2025-3282 | 2025-04-15 | 5.3 Medium | ||
| The User Registration & Membership – Custom Registration Form, Login Form, and User Profile plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.1.3 via the user_registration_membership_register_member() due to missing validation on the 'membership_id' user controlled key. This makes it possible for unauthenticated attackers to update any user's membership to any other active or non-active membership type. | ||||