An unauthenticated attacker can obtain a user's plant list by knowing the username.
An authenticated attacker can obtain any plant name by knowing the plant ID.
An unauthenticated attacker can obtain a list of smart devices by knowing a valid username.
An unauthenticated attacker can obtain a list of smart devices through an unprotected API by knowing a valid username.
An attacker can export other users' plant information.
An unauthenticated attacker can infer the existence of usernames in the system by querying an API.
Unauthenticated attackers can retrieve the full list of users associated with arbitrary accounts.
An unauthenticated attacker can check the existence of usernames in the system by querying an API.
An unauthenticated attacker can get users' emails by knowing usernames. A password reset email will be sent in response to this unsolicited request.
An unauthenticated attacker can obtain other users' charger information.
An unauthenticated attacker can obtain the serial number(s) of a user's smart meter(s) by knowing the owner's username.
Unauthenticated attackers can obtain restricted information about a user's smart device collections (i.e., "rooms").
Unauthenticated attackers can retrieve the serial numbers of smart meters associated with a specific user account.
An unauthenticated attacker can delete any user's "rooms" by knowing the user ID and room ID.
Unauthenticated attackers can obtain restricted information about a user's smart device collections (i.e., "scenes").
Unauthenticated attackers can rename "rooms" of arbitrary users.
An unauthenticated remote attacker can enumerate valid user names from an unprotected endpoint.
Unauthenticated attackers can query an API endpoint and get device details.
An unauthenticated attacker can hijack other users' devices and potentially control them.
An attacker can upload an arbitrary file instead of a plant image.