4.3
CVE-2024-12972 - XSS in Akinsoft's OctoCloud
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Akinsoft OctoCloud allows Cross-Site Scripting (XSS). This issue affects OctoCloud: from s1.09.01 before v1.11.01.
8.5
CVE-2025-46810 -
A UNIX Symbolic Link (Symlink) Following vulnerability in the packaging of openSUSE Tumbleweed traefik2 allows the traefik user to escalate to root. This issue affects Tumbleweed: from ? before 2.11.29.
9.3
CVE-2025-52551 - Proprietary protocol allows for unauthenticated file operations
E2 Facility Management Systems use a proprietary protocol that allows for unauthenticated file operations on any file in the file system.
8.6
CVE-2025-52550 - Firmware upgrade packages are unsigned
E3 Site Supervisor Control (firmware version < 2.31F01) firmware upgrade packages are unsigned. An attacker can forge malicious firmware upgrade packages. An attacker with admin access to the application services can install a malicious firmware upgrade.
9.2
CVE-2025-52549 - Predictable root linux password generation
E3 Site Supervisor Control (firmware version < 2.31F01) generates the root Linux password on each boot. An attacker can generate the root Linux password for a vulnerable device based on known or easy-to-fetch parameters.
6.9
CVE-2025-52548 - Enabling SSH and Shellinabox on the vulnerable machine
E3 Site Supervisor Control (firmware version < 2.31F01) contains a hidden API call in the application services that enables SSH and Shellinabox, which exist but are disabled by default. An attacker with admin access to the application services can utilize this API to enable remote access to the und…
8.7
CVE-2025-52547 - DoS to the application services
E3 Site Supervisor Control (firmware version < 2.31F01) MGW contains an API call that lacks input validation. An attacker can use this command to continuously crash the application services.
5.1
CVE-2025-52546 - Stored XSS by uploading a specially crafted floor plan file
E3 Site Supervisor Control (firmware version < 2.31F01) has a floor plan feature that allows an unauthenticated attacker to upload floor plan files. By uploading a specially crafted floor plan file, an attacker can inject a stored XSS payload into the floor plan web page.
7.7
CVE-2025-52545 - Privilege escalation in the application services
E3 Site Supervisor Control (firmware version < 2.31F01) RCI service contains an API call to read users info, which returns all usernames and password hashes for the application services.
8.8
CVE-2025-52544 - Arbitrary file read from the filesystem
E3 Site Supervisor Control (firmware version < 2.31F01) has a floor plan feature that allows an unauthenticated attacker to upload floor plan files. By uploading a specially crafted floor plan file, an attacker can access any file on the E3 file system.