CVEs (30)
CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS |
|---|
An unauthenticated attacker can obtain a list of smart devices by knowing a valid username. |
An unauthenticated attacker can check the existence of usernames in the system by querying an API. |
An unauthenticated attacker can obtain a user's plant list by knowing the username. |
Unauthenticated attackers can obtain restricted information about a user's smart device collections (i.e., "scenes"). |
An authenticated attacker can achieve stored XSS by exploiting improper sanitization of the plant name value while adding or editing a plant. |
An unauthenticated attacker can obtain a serial number of a smart meter(s) using its owner's username. |
An attacker can change registered email addresses of other users and take over arbitrary accounts. |
Unauthenticated attackers can obtain restricted information about a user's smart device collections (i.e., "rooms"). |
An unauthenticated attacker can get users' emails by knowing usernames. A password reset email will be sent in response to this unsolicited request. |
An unauthenticated attacker can infer the existence of usernames in the system by querying an API. |