Unauthenticated attackers can trigger device actions associated with specific "scenes" of arbitrary users.
Unauthenticated attackers can add devices of other users to their scenes (or arbitrary scenes of other arbitrary users).
Unauthenticated attackers can obtain restricted information about a user's smart device collections (i.e., "scenes").
An unauthenticated attacker can hijack other users' devices and potentially control them.
Unauthenticated attackers can send configuration settings to devices and possibly perform physical actions remotely (e.g., on/off).
Unauthenticated attackers can obtain restricted information about a user's smart device collections (i.e., "rooms").
Unauthenticated attackers can obtain a list of smart devices by knowing a valid username through an unprotected API.
An unauthenticated attacker can obtain a list of smart devices by knowing a valid username.
An unauthenticated device registration vulnerability, caused by Improperly Controlled Modification of Dynamically-Determined Object Attributes, has been identified in the MXsecurity Series. An unauthe
Unauthenticated attackers can rename arbitrary devices of arbitrary users (i.e., EV chargers).
Unauthenticated attackers can rename "rooms" of arbitrary users.
Unauthenticated attackers can query an API endpoint and get device details.
Unauthenticated attackers can retrieve the full list of users associated with arbitrary accounts.
An unauthenticated attacker can obtain other users' charger information.
An unauthenticated remote attacker could use a demo account of the portal to hijack devices that were created in that account by mistake.
Affected devices do not properly enforce user authentication on specific API endpoints. This could facilitate an unauthenticated remote attacker to circumvent authentication and impersonate a legitima
An unauthenticated remote attacker can execute arbitrary commands with root privileges on affected devices due to lack of Cross-Site Request Forgery (CSRF) protection.
An unauthenticated remote attacker can exploit input validation flaws in the cmd services of the devices, allowing them to disrupt system operations and potentially cause a denial of service.
An unauthenticated remote attacker can access a URL which causes the device to reboot.
An unauthenticated remote attacker can run arbitrary commands on the affected devices with high privileges because the authentication for the Node_RED server is not configured by default.
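The last entry above describes a Node-RED editor exposed without authentication. The following settings.js fragment is an added illustration of the corresponding hardening, not configuration taken from the advisory or from any affected vendor: it enables Node-RED's built-in `adminAuth` (editor and admin API), `httpNodeAuth` (HTTP In node endpoints) and `httpStaticAuth` (static content). The username `admin`, the placeholder bcrypt hash and the file location `~/.node-red/settings.js` are assumptions for the example; the real hash is produced with `node-red admin hash-pw` and pasted in place of the placeholder.

```javascript
// Added example: ~/.node-red/settings.js with authentication enabled.
// Default Node-RED installs ship with adminAuth commented out, which leaves
// the flow editor (and therefore arbitrary function/exec nodes) open to
// anyone who can reach the port. The values below are illustrative.

module.exports = {
    // Bind the editor to localhost unless remote access is actually required
    // (assumption for this example; expose it only behind TLS + auth).
    uiHost: "127.0.0.1",
    uiPort: 1880,

    // Editor / admin API authentication (the control that the advisory
    // reports as not configured by default).
    adminAuth: {
        type: "credentials",
        users: [
            {
                username: "admin",
                // Placeholder bcrypt hash; generate with: node-red admin hash-pw
                password: "$2b$08$REPLACE_WITH_OUTPUT_OF_node-red_admin_hash-pw",
                permissions: "*"
            },
            {
                username: "viewer",
                password: "$2b$08$REPLACE_WITH_A_SECOND_HASH",
                // Read-only: can open the editor but cannot deploy flows.
                permissions: "read"
            }
        ]
    },

    // Basic auth for endpoints created by HTTP In nodes, so that flows
    // themselves cannot be driven by unauthenticated callers.
    httpNodeAuth: {
        user: "flowuser",
        pass: "$2b$08$REPLACE_WITH_A_THIRD_HASH"
    },

    // Same protection for any static files served from httpStatic.
    httpStaticAuth: {
        user: "flowuser",
        pass: "$2b$08$REPLACE_WITH_A_THIRD_HASH"
    },

    // Encrypt stored credentials with an explicit key instead of the
    // auto-generated one (assumption: key is provided via environment).
    credentialSecret: process.env.NODE_RED_CREDENTIAL_SECRET,

    // Do not let the function node require arbitrary modules from flows
    // unless the deployment explicitly needs it.
    functionExternalModules: false
};
```

After saving the file and restarting Node-RED, a quick check from the host is `curl -i http://127.0.0.1:1880/flows`, which should now answer 401 instead of returning the flow definitions; `curl -i -u admin:<password> http://127.0.0.1:1880/flows` is not the right test because adminAuth uses bearer tokens obtained from `/auth/token`, so a 401 on the unauthenticated request is the signal that matters.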