| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| In Kanboard before 1.0.47, by altering form data, an authenticated user can edit swimlanes of a private project of another user. |
| In Kanboard before 1.0.47, by altering form data, an authenticated user can add automatic actions to a private project of another user. |
| Multiple versions of GitLab expose sensitive user credentials when assigning a user to an issue or merge request. A fix was included in versions 8.15.8, 8.16.7, and 8.17.4, which were released on March 20th 2017 at 23:59 UTC. |
| In Kanboard before 1.0.47, by altering form data, an authenticated user can add an internal link to a private project of another user. |
| In Kanboard before 1.0.47, by altering form data, an authenticated user can edit tags of a private project of another user. |
| In Kanboard before 1.0.47, by altering form data, an authenticated user can edit columns of a private project of another user. |
| In Kanboard before 1.0.47, by altering form data, an authenticated user can remove categories from a private project of another user. |
| An issue in ZKTeko BioTime v.8.5.4 and before allows a remote attacker to obtain sensitive information via the Authentication & Authorization component |
| The main MiCODUS MV720 GPS tracker web server has an authenticated insecure direct object reference vulnerability on endpoint and parameter device IDs, which accept arbitrary device IDs without further verification. |
| The main MiCODUS MV720 GPS tracker web server has an authenticated insecure direct object references vulnerability on endpoint and POST parameter “Device ID,” which accepts arbitrary device IDs. |
| An unauthenticated attacker can check the existence of usernames in the system by querying an API. |
| An unauthenticated attacker can obtain a user's plant list by knowing the username. |
| An unauthenticated attacker can obtain a list of smart devices by knowing a valid username. |
| An unauthenticated attacker can get users' emails by knowing usernames. A password reset email will be sent in response to this unsolicited request. |
| An unauthenticated attacker can obtain a serial number of a smart meter(s) using its owner's username. |
| An attacker can change registered email addresses of other users and take over arbitrary accounts. |
| Unauthenticated attackers can obtain restricted information about a user's smart device collections (i.e., "rooms"). |
| Unauthenticated attackers can obtain restricted information about a user's smart device collections (i.e., "scenes"). |
| An attacker can get information about the groups of the smart home devices for arbitrary users (i.e., "rooms"). |
| Unauthenticated attackers can query an API endpoint and get device details. |
