6.4

CVSS3.1

CVE-2025-23227 - IBM Tivoli Application Dependency Discovery Manager cross-site scripting

IBM Tivoli Application Dependency Discovery Manager 7.3.0.0 through 7.3.0.11 is vulnerable to stored cross-site scripting. This vulnerability allows authenticated users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials discl…

πŸ“… Published: Jan. 23, 2025, 5:19 p.m. πŸ”„ Last Modified: Aug. 15, 2025, 12:46 p.m.

7.6

CVSS3.1

CVE-2024-55926 - Arbitrary file upload, deletion and read through header manipulation

A vulnerability found in Xerox Workplace Suite allows arbitrary file read, upload, and deletion on the server through crafted header manipulation. By exploiting improper validation of headers, attackers can gain unauthorized access to data

πŸ“… Published: Jan. 23, 2025, 5:12 p.m. πŸ”„ Last Modified: Feb. 28, 2026, 1:20 a.m.

7.5

CVSS3.1

CVE-2024-55925 - API Security bypass through header manipulation

In Xerox Workplace Suite, an API restricted to specific hosts can be bypassed by manipulating the Host header. If the server improperly validates or trusts the Host header without verifying the actual destination, an attacker can forge a value to gain unauthorized access. This exploit targets impro…

πŸ“… Published: Jan. 23, 2025, 5:03 p.m. πŸ”„ Last Modified: Feb. 28, 2026, 1:19 a.m.

6

CVSS4.0

CVE-2024-52327 - ECOVACS lawnmower and vacuum cloud service live video PIN bypass

The cloud service used by ECOVACS robot lawnmowers and vacuums allows authenticated attackers to bypass the PIN entry required to access the live video feed.

πŸ“… Published: Jan. 23, 2025, 4:39 p.m. πŸ”„ Last Modified: Sept. 23, 2025, 5:34 p.m.

4.8

CVSS4.0

CVE-2024-12079 - ECOVACS lawnmowers cleartext storage of anti-theft PIN

ECOVACS robot lawnmowers store the anti-theft PIN in cleartext on the device filesystem. An attacker can steal a lawnmower, read the PIN, and reset the anti-theft mechanism.

πŸ“… Published: Jan. 23, 2025, 4:39 p.m. πŸ”„ Last Modified: Sept. 23, 2025, 5:45 p.m.

5.3

CVSS4.0

CVE-2024-12078 - ECOVACS lawnmowers and vacuums static BLE GATT encryption key

ECOVACS robot lawn mowers and vacuums use a shared, static secret key to encrypt BLE GATT messages. An unauthenticated attacker within BLE range can control any robot using the same key.

πŸ“… Published: Jan. 23, 2025, 4:38 p.m. πŸ”„ Last Modified: Sept. 23, 2025, 5:45 p.m.

7

CVSS4.0

CVE-2024-11147 - ECOVACS lawnmowers and vacuums deterministic root password

ECOVACS robot lawnmowers and vacuums use a deterministic root password generated based on model and serial number. An attacker with shell access can login as root.

πŸ“… Published: Jan. 23, 2025, 4:37 p.m. πŸ”„ Last Modified: Sept. 23, 2025, 5:44 p.m.

7.7

CVSS4.0

CVE-2024-52331 - ECOVACS lawnmowers and vacuums deterministic firmware encryption key

ECOVACS robot lawnmowers and vacuums use a deterministic symmetric key to decrypt firmware updates. An attacker can create and encrypt malicious firmware that will be successfully decrypted and installed by the robot.

πŸ“… Published: Jan. 23, 2025, 4:37 p.m. πŸ”„ Last Modified: Oct. 2, 2025, 3:15 p.m.

9.5

CVSS4.0

CVE-2024-52330 - ECOVACS lawnmowers and vacuums do not properly validate TLS certificates

ECOVACS lawnmowers and vacuums do not properly validate TLS certificates. An unauthenticated attacker can read or modify TLS traffic, possibly modifying firmware updates.

πŸ“… Published: Jan. 23, 2025, 4:36 p.m. πŸ”„ Last Modified: Sept. 23, 2025, 5:48 p.m.

9.5

CVSS4.0

CVE-2024-52329 - ECOVACS HOME mobile app plugins do not properly validate TLS certificates

ECOVACS HOME mobile app plugins for specific robots do not properly validate TLS certificates. An unauthenticated attacker can read or modify TLS traffic and obtain authentication tokens.

πŸ“… Published: Jan. 23, 2025, 4:36 p.m. πŸ”„ Last Modified: Sept. 23, 2025, 5:33 p.m.
Total resulsts: 349182
Page 6985 of 34,919
Β« previous page Β» next page
Filters