| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| The application uses a weak password hash function, allowing an attacker to crack the weak password hash to gain access to an FTP user account. |
| The Media Server’s authorization tokens have a poor quality of randomness. An attacker may be able to guess the token of an active user by computing plausible tokens. |
| The backup ZIPs are not signed by the application, leading to the possibility that an attacker can download a backup ZIP, modify and re-upload it. This allows the attacker to disrupt the application by configuring the services in a way that they are unable to run, making the application unusable. They can redirect traffic that is meant to be internal to their own hosted services and gathering information. |
| The created backup files are unencrypted, making the application vulnerable for gathering sensitive information by downloading and decompressing the backup files. |
| An attacker may exploit missing protection against clickjacking by tricking users into performing unintended actions through maliciously crafted web pages, leading to the extraction of sensitive data. |
| An attacker with administrative access may inject malicious content into the login page, potentially enabling cross-site scripting (XSS) attacks, leading to the extraction of sensitive data. |
| The device's passwords have not been adequately salted, making them vulnerable to password extraction attacks. |
| An attacker may gain unauthorized access to the host filesystem, potentially allowing them to read and modify system data. |
| Uploading unvalidated container images may allow remote attackers to gain full access to the system, potentially compromising its integrity and confidentiality. |
| Certain system functions may be accessed without proper authorization, allowing attackers to start, stop, or delete installed applications, potentially disrupting system operations. |
| The device is deployed with weak and publicly known default passwords for certain hidden user levels, increasing the risk of unauthorized access. This represents a high risk to the integrity of the system. |
| Firmware update files may expose password hashes for system accounts, which could allow a remote attacker to recover credentials and gain unauthorized access to the device. |
| Improper validation of a login parameter may allow attackers to redirect users to malicious websites after authentication. This can lead to various risk including stealing credentials from unsuspecting users. |
| Improper handling of a URL parameter may allow attackers to execute code in a user's browser after login. This can lead to the extraction of sensitive data. |
| An attacker with limited permissions may still be able to write files to specific locations on the device, potentially leading to system manipulation. |
| An attacker with low privileges may be able to read files from specific directories on the device, potentially exposing sensitive information. |
| An attacker with low privileges may be able to trigger critical system functions such as reboot or factory reset without proper restrictions, potentially leading to service disruption or loss of configuration. |
| Improper input handling in a system endpoint may allow attackers to overload resources, causing a denial of service. |
| The system is deployed in its default state, with configuration settings that do not comply with the latest best practices for restricting access. This increases the risk of unauthorised connections. |
| A remote unauthenticated attacker may use the unauthenticated C++ API to access or modify sensitive data and disrupt services. |
