Carlosgavazzi
Products
10- 11 CVEs
- 11 CVEs
- 3 CVEs
- 3 CVEs
- 2 CVEs
- 2 CVEs
- 2 CVEs
- 2 CVEs
- 2 CVEs
- 1 CVE
Recent CVEs
17| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2017-5145 | Cri | 0.65 | 10.0 | 0.01 | Feb 13, 2017 | An issue was discovered in Carlo Gavazzi VMU-C EM prior to firmware Version A11_U05, and VMU-C PV prior to firmware Version A17. Successful exploitation of this CROSS-SITE REQUEST FORGERY (CSRF) vulnerability can allow execution of unauthorized actions on the device such as… | ||
| CVE-2017-5144 | Cri | 0.64 | 9.8 | 0.02 | Feb 13, 2017 | An issue was discovered in Carlo Gavazzi VMU-C EM prior to firmware Version A11_U05, and VMU-C PV prior to firmware Version A17. The access control flaw allows access to most application functions without authentication. | ||
| CVE-2017-5146 | Hig | 0.52 | 7.5 | 0.09 | Feb 13, 2017 | An issue was discovered in Carlo Gavazzi VMU-C EM prior to firmware Version A11_U05, and VMU-C PV prior to firmware Version A17. Sensitive information is stored in clear-text. | ||
| CVE-2017-20184 | 0.00 | — | 0.03 | May 4, 2023 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Carlo Gavazzi Powersoft up to version 2.1.1.1 allows an unauthenticated, remote attacker to download any file from the affected device. | |||
| CVE-2022-28816 | 0.00 | — | 0.00 | Sep 28, 2022 | In Carlo Gavazzi UWP3.0 in multiple versions and CPY Car Park Server in Version 2.8.3 the Sentilo Proxy is prone to reflected XSS which only affects the Sentilo service. | |||
| CVE-2022-28815 | 0.00 | — | 0.00 | Sep 28, 2022 | In Carlo Gavazzi UWP3.0 in multiple versions and CPY Car Park Server in Version 2.8.3 the Sentilo Proxy server was discovered to contain a SQL injection vulnerability allowing an attacker to query other tables of the Sentilo service. | |||
| CVE-2022-28814 | 0.00 | — | 0.01 | Sep 28, 2022 | Carlo Gavazzi UWP3.0 in multiple versions and CPY Car Park Server in Version 2.8.3 was discovered to be vulnerable to a relative path traversal vulnerability which enables remote attackers to read arbitrary files and gain full control of the device. | |||
| CVE-2022-28812 | 0.00 | — | 0.01 | Sep 28, 2022 | In Carlo Gavazzi UWP3.0 in multiple versions and CPY Car Park Server in Version 2.8.3 a remote, unauthenticated attacker could make use of hard-coded credentials to gain SuperUser access to the device. | |||
| CVE-2022-28811 | 0.00 | — | 0.01 | Sep 28, 2022 | In Carlo Gavazzi UWP3.0 in multiple versions and CPY Car Park Server in Version 2.8.3 a remote, unauthenticated attacker could utilize an improper input validation on an API-submitted parameter to execute arbitrary OS commands. | |||
| CVE-2022-22526 | 0.00 | — | 0.01 | Sep 28, 2022 | In Carlo Gavazzi UWP3.0 in multiple versions and CPY Car Park Server in Version 2.8.3 a missing authentication allows for full access via API. | |||
| CVE-2022-22525 | 0.00 | — | 0.01 | Sep 28, 2022 | In Carlo Gavazzi UWP3.0 in multiple versions and CPY Car Park Server in Version 2.8.3 an remote attacker with admin rights could execute arbitrary commands due to missing input sanitization in the backup restore function | |||
| CVE-2022-22524 | 0.00 | — | 0.01 | Sep 28, 2022 | In Carlo Gavazzi UWP3.0 in multiple versions and CPY Car Park Server in Version 2.8.3 an unauthenticated remote attacker could utilize a SQL-Injection vulnerability to gain full database access, modify users and stop services . | |||
| CVE-2022-22523 | 0.00 | — | 0.01 | Sep 28, 2022 | An improper authentication vulnerability exists in the Carlo Gavazzi UWP3.0 in multiple versions and CPY Car Park Server in Version 2.8.3 Web-App which allows an authentication bypass to the context of an unauthorised user if free-access is disabled. | |||
| CVE-2022-22522 | 0.00 | — | 0.01 | Sep 28, 2022 | In Carlo Gavazzi UWP3.0 in multiple versions and CPY Car Park Server in Version 2.8.3 a remote, unauthenticated attacker could make use of hard-coded credentials to gain full access to the device. | |||
| CVE-2022-28813 | 0.00 | — | 0.01 | Sep 28, 2022 | In Carlo Gavazzi UWP3.0 in multiple versions and CPY Car Park Server in Version 2.8.3 a remote, unauthenticated attacker could make use of an SQL-injection to gain access to a volatile temporary database with the current states of the device. | |||
| CVE-2012-6428 | 0.00 | — | 0.01 | Dec 23, 2012 | The Carlo Gavazzi EOS-Box stores hard-coded passwords in the PHP file of the device. By using the hard-coded passwords, attackers can log into the device with administrative privileges. This could allow the attacker to have unauthorized access. | |||
| CVE-2012-6427 | 0.00 | — | 0.01 | Dec 23, 2012 | The Carlo Gavazzi EOS-Box does not check the validity of the data before executing queries. By accessing the SQL table of certain pages that do not require authentication, attackers can leak information from the device. This could allow the attacker to compromise… |
- risk 0.65cvss 10.0epss 0.01
An issue was discovered in Carlo Gavazzi VMU-C EM prior to firmware Version A11_U05, and VMU-C PV prior to firmware Version A17. Successful exploitation of this CROSS-SITE REQUEST FORGERY (CSRF) vulnerability can allow execution of unauthorized actions on the device such as…
- risk 0.64cvss 9.8epss 0.02
An issue was discovered in Carlo Gavazzi VMU-C EM prior to firmware Version A11_U05, and VMU-C PV prior to firmware Version A17. The access control flaw allows access to most application functions without authentication.
- risk 0.52cvss 7.5epss 0.09
An issue was discovered in Carlo Gavazzi VMU-C EM prior to firmware Version A11_U05, and VMU-C PV prior to firmware Version A17. Sensitive information is stored in clear-text.
- CVE-2017-20184May 4, 2023risk 0.00cvss —epss 0.03
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Carlo Gavazzi Powersoft up to version 2.1.1.1 allows an unauthenticated, remote attacker to download any file from the affected device.
- CVE-2022-28816Sep 28, 2022risk 0.00cvss —epss 0.00
In Carlo Gavazzi UWP3.0 in multiple versions and CPY Car Park Server in Version 2.8.3 the Sentilo Proxy is prone to reflected XSS which only affects the Sentilo service.
- CVE-2022-28815Sep 28, 2022risk 0.00cvss —epss 0.00
In Carlo Gavazzi UWP3.0 in multiple versions and CPY Car Park Server in Version 2.8.3 the Sentilo Proxy server was discovered to contain a SQL injection vulnerability allowing an attacker to query other tables of the Sentilo service.
- CVE-2022-28814Sep 28, 2022risk 0.00cvss —epss 0.01
Carlo Gavazzi UWP3.0 in multiple versions and CPY Car Park Server in Version 2.8.3 was discovered to be vulnerable to a relative path traversal vulnerability which enables remote attackers to read arbitrary files and gain full control of the device.
- CVE-2022-28812Sep 28, 2022risk 0.00cvss —epss 0.01
In Carlo Gavazzi UWP3.0 in multiple versions and CPY Car Park Server in Version 2.8.3 a remote, unauthenticated attacker could make use of hard-coded credentials to gain SuperUser access to the device.
- CVE-2022-28811Sep 28, 2022risk 0.00cvss —epss 0.01
In Carlo Gavazzi UWP3.0 in multiple versions and CPY Car Park Server in Version 2.8.3 a remote, unauthenticated attacker could utilize an improper input validation on an API-submitted parameter to execute arbitrary OS commands.
- CVE-2022-22526Sep 28, 2022risk 0.00cvss —epss 0.01
In Carlo Gavazzi UWP3.0 in multiple versions and CPY Car Park Server in Version 2.8.3 a missing authentication allows for full access via API.
- CVE-2022-22525Sep 28, 2022risk 0.00cvss —epss 0.01
In Carlo Gavazzi UWP3.0 in multiple versions and CPY Car Park Server in Version 2.8.3 an remote attacker with admin rights could execute arbitrary commands due to missing input sanitization in the backup restore function
- CVE-2022-22524Sep 28, 2022risk 0.00cvss —epss 0.01
In Carlo Gavazzi UWP3.0 in multiple versions and CPY Car Park Server in Version 2.8.3 an unauthenticated remote attacker could utilize a SQL-Injection vulnerability to gain full database access, modify users and stop services .
- CVE-2022-22523Sep 28, 2022risk 0.00cvss —epss 0.01
An improper authentication vulnerability exists in the Carlo Gavazzi UWP3.0 in multiple versions and CPY Car Park Server in Version 2.8.3 Web-App which allows an authentication bypass to the context of an unauthorised user if free-access is disabled.
- CVE-2022-22522Sep 28, 2022risk 0.00cvss —epss 0.01
In Carlo Gavazzi UWP3.0 in multiple versions and CPY Car Park Server in Version 2.8.3 a remote, unauthenticated attacker could make use of hard-coded credentials to gain full access to the device.
- CVE-2022-28813Sep 28, 2022risk 0.00cvss —epss 0.01
In Carlo Gavazzi UWP3.0 in multiple versions and CPY Car Park Server in Version 2.8.3 a remote, unauthenticated attacker could make use of an SQL-injection to gain access to a volatile temporary database with the current states of the device.
- CVE-2012-6428Dec 23, 2012risk 0.00cvss —epss 0.01
The Carlo Gavazzi EOS-Box stores hard-coded passwords in the PHP file of the device. By using the hard-coded passwords, attackers can log into the device with administrative privileges. This could allow the attacker to have unauthorized access.
- CVE-2012-6427Dec 23, 2012risk 0.00cvss —epss 0.01
The Carlo Gavazzi EOS-Box does not check the validity of the data before executing queries. By accessing the SQL table of certain pages that do not require authentication, attackers can leak information from the device. This could allow the attacker to compromise…