CVE-2020-15331 Zyxel CloudCNM has a hardcoded OAUTH_SECRET_KEY in SecuManager 3.1.0 and 3.1.1.
This can be a problem when upgrading from version 3.0.x, as version 3.0.x shipped with a hardcoded OAUTH_SECRET_KEY.
CVE-2022-22526 Gavazzi UWP3.0 and CPY Car Park Server 2.8.3 have missing authentication, which allows for full access via API.
To avoid this, you have to force authentication by adding a domain name and password to your API requests. For example: /v2/cars/{id}/drive/
CVE-2022-2860 In Chrome prior to 104.0.5112.101, insufficient policy enforcement allowed a remote attacker to bypass cookie prefix restrictions.
This issue was fixed by updating Google Chrome to version 104.0.2.
Redirect injection via extensions in Google Chrome prior to version 104.0.
CVE-2022-3119 The OAuth client plugin before 3.0.4 does not have authorization and CSRF checks when updating its settings, which could allow unauthenticated attackers to update them and change the OAuth endpoints to ones they control, allowing them to then
CVE-2022-31679 An attacker can use HTTP PATCH requests to the REST API in 3.6.0 - 3.5.5, 3.7.0 - 3.7.2, and older versions if they know the structure of the domain model.
For example, they can use this technique to cause a service to generate a new revision of a given entity every time an HTTP request