7.1
CVE-2019-25253 - KYOCERA Net Admin 3.4.0906 Unauthenticated XML External Entity Injection
KYOCERA Net Admin 3.4.0906 contains an XML External Entity (XXE) injection vulnerability in the Multi-Set Template Editor that allows unauthenticated attackers to read arbitrary system files. Attackers can craft a malicious XML file with external entity references to retrieve sensitive configuratioโฆ
5.1
CVE-2019-25252 - Teradek VidiU Pro 3.0.3 Cross-Site Request Forgery via Password Change
Teradek VidiU Pro 3.0.3 contains a cross-site request forgery vulnerability that allows attackers to change administrative passwords without proper request validation. Attackers can craft malicious web pages that automatically submit password change requests to the device when a logged-in administrโฆ
6.9
CVE-2019-25251 - Teradek VidiU Pro 3.0.3 Server-Side Request Forgery via RTMP Settings
Teradek VidiU Pro 3.0.3 contains a server-side request forgery vulnerability in the management interface that allows attackers to manipulate GET parameters 'url' and 'xml_url'. Attackers can exploit this flaw to bypass firewalls, initiate network enumeration, and potentially trigger external HTTP rโฆ
5.1
CVE-2019-25250 - Devolo dLAN 500 AV Wireless+ 3.1.0-1 Cross-Site Request Forgery
Devolo dLAN 500 AV Wireless+ 3.1.0-1 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions without proper request validation. Attackers can craft malicious web pages that trigger unauthorized configuration changes by exploiting predictable URL aโฆ
8.7
CVE-2019-25249 - devolo dLAN 500 AV Wireless+ 3.1.0-1 Remote Code Execution via htmlmgr
devolo dLAN 500 AV Wireless+ 3.1.0-1 contains an authentication bypass vulnerability that allows attackers to enable hidden services through the htmlmgr CGI script. Attackers can enable telnet and remote shell services, reboot the device, and gain root access without a password by manipulating systโฆ
8.7
CVE-2019-25248 - Beward N100 M2.1.6 Unauthenticated RTSP Video Stream Disclosure
Beward N100 M2.1.6.04C014 contains an unauthenticated vulnerability that allows remote attackers to access live video streams without credentials. Attackers can directly retrieve the camera's RTSP stream by exploiting the lack of authentication in the video access mechanism.
5.1
CVE-2019-25247 - Beward N100 H.264 VGA IP Camera M2.1.6 CSRF Add Admin Vulnerability
Beward N100 H.264 VGA IP Camera M2.1.6 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions without proper request validation. Attackers can craft a malicious web page with a hidden form to add an admin user by tricking a logged-in user into suโฆ
7.1
CVE-2019-25246 - Beward N100 H.264 VGA IP Camera M2.1.6 Authenticated File Disclosure
Beward N100 H.264 VGA IP Camera M2.1.6 contains an authenticated file disclosure vulnerability that allows attackers to read arbitrary system files via the 'READ.filePath' parameter. Attackers can exploit the fileread script or SendCGICMD API to access sensitive files like /etc/passwd and /etc/issuโฆ
8.5
CVE-2019-25245 - Ross Video DashBoard 8.5.1 Privilege Escalation via Insecure Permissions
Ross Video DashBoard 8.5.1 contains an elevation of privileges vulnerability that allows authenticated users to modify executable files due to improper permission settings. Attackers can exploit the 'M' or 'C' flags for 'Authenticated Users' group to replace the DashBoard.exe binary with a maliciouโฆ
5.1
CVE-2019-25244 - Legrand BTicino Driver Manager F454 1.0.51 CSRF and Stored XSS Vulnerabilities
Legrand BTicino Driver Manager F454 1.0.51 contains multiple web vulnerabilities that allow attackers to perform administrative actions without proper request validation. Attackers can exploit cross-site request forgery to change passwords and inject stored cross-site scripting payloads through unvโฆ