
ECOA Building Automation System Cross-Site Request Forgery

The Building Automation System / SmartHome allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. These actions can be exploited to perform any CRUD operation like user creation, alarm shutdown and account password change with administrative privileges if a logged-in user visits a malicious web site.

Zero Science Lab

Related news

CVE-2021-42763: Alerts | Couchbase

Couchbase Server before 6.6.3 and 7.x before 7.0.2 stores sensitive information in cleartext. The issue occurs when the cluster manager forwards an HTTP request from the pluggable UI (query workbench, etc.) to the specific service. In the backtrace, the Basic Auth header included in the HTTP request has the "@" user credentials of the node processing the UI request.

CVE-2020-24930: wuzhicms v4.1.0 Any file deletion vulnerability exists in the background · Issue #191 · wuzhicms/wuzhicms

Beijing Wuzhi Internet Technology Co., Ltd. Wuzhi CMS 4.0.1 is an open source content management system. The five fingers CMS backend in***.php file has an arbitrary file deletion vulnerability. Attackers can use the vulnerability to delete arbitrary files.