Vendor CVEs
Logitech
All CVEs
27 total · sorted by risk

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2018-0620 | | High | 0.51 | 7.8 | 0.01 | | Jul 26, 2018 | Untrusted search path vulnerability in LOGICOOL Game Software versions before 8.87.116 allows an attacker to gain privileges via a Trojan horse DLL in an unspecified directory. |
| CVE-2026-43049 | | High | 0.44 | 7.8 | 0.00 | | May 1, 2026 | In the Linux kernel, the following vulnerability has been resolved: HID: logitech-hidpp: Prevent use-after-free on force feedback initialisation failure Presently, if the force feedback initialisation fails when probing the Logitech G920 Driving Force Racing Wheel for Xbox… |
| CVE-2017-15687 | | Med | 0.43 | 6.1 | 0.01 | | Oct 23, 2017 | DOM Based Cross Site Scripting (XSS) exists in Logitech Media Server 7.7.1, 7.7.2, 7.7.3, 7.7.5, 7.7.6, 7.9.0, and 7.9.1 via a crafted URI. |
| CVE-2016-6257 | | Med | 0.42 | 6.5 | 0.01 | | Aug 2, 2016 | The firmware in Lenovo Ultraslim dongles, as used with Lenovo Liteon SK-8861, Ultraslim Wireless, and Silver Silk keyboards and Liteon ZTM600 and Ultraslim Wireless mice, does not enforce incrementing AES counters, which allows remote attackers to inject encrypted keyboard input… |
| CVE-2017-16568 | | Med | 0.38 | 5.4 | 0.02 | | Nov 10, 2017 | Persistent Cross-Site Scripting (XSS) vulnerability in Logitech Media Server 7.9.0, affecting the "Radio" functionality. This vulnerability allows attackers to inject malicious JavaScript payloads, which become permanently stored on the server and execute when a user plays the… |
| CVE-2017-16567 | | Med | 0.38 | 5.4 | 0.02 | | Nov 10, 2017 | Persistent Cross-Site Scripting (XSS) vulnerability in Logitech Media Server 7.9.0, affecting the "Favorites" feature. This vulnerability allows remote attackers to inject and permanently store malicious JavaScript payloads, which are executed when users access the affected… |
| CVE-2024-4031 | | Med | 0.29 | 4.4 | 0.00 | | Apr 23, 2024 | Unquoted Search Path or Element vulnerability in Logitech MEVO WEBCAM APP on Windows allows Local Execution of Code. |
| CVE-2007-2918 | | | 0.06 | — | 0.34 | | Jun 1, 2007 | Multiple stack-based buffer overflows in ActiveX controls (1) VibeC in (a) vibecontrol.dll, (2) CallManager and (3) ViewerClient in (b) StarClient.dll, (4) ComLink in (c) uicomlink.dll, and (5) WebCamXMP in (d) wcamxmp.dll in Logitech VideoCall allow remote attackers to cause a… |
| CVE-2018-15723 | | | 0.01 | — | 0.04 | | Dec 20, 2018 | The Logitech Harmony Hub before version 4.15.206 is vulnerable to application level command injection via crafted HTTP request. An unauthenticated remote attacker can leverage this vulnerability to execute application defined commands (e.g. harmony.system?systeminfo). |
| CVE-2008-0956 | | | 0.01 | — | 0.08 | | Jun 12, 2008 | Multiple stack-based buffer overflows in the BackWeb Lite Install Runner ActiveX control in the BackWeb Web Package ActiveX object in LiteInstActivator.dll in BackWeb before 8.1.1.87, as used in Logitech Desktop Manager (LDM) before 2.56, allow remote attackers to execute… |
| CVE-2024-8258 | | | 0.00 | — | 0.00 | | Sep 10, 2024 | Improper Control of Generation of Code ('Code Injection') in Electron Fuses in Logitech Options Plus version 1.60.496306 on macOS allows attackers to execute arbitrary code via insecure Electron Fuses configuration. |
| CVE-2024-8011 | | | 0.00 | — | 0.00 | | Aug 25, 2024 | Logitech Options+ on MacOS prior 1.72 allows a local attacker to inject dynamic library within Options+ runtime and abuse permissions granted by the user to Options+ such as Camera. |
| CVE-2024-2537 | | | 0.00 | — | 0.00 | | Mar 15, 2024 | Improper Control of Dynamically-Managed Code Resources vulnerability in Logitech Logi Tune on MacOS allows Local Code Inclusion. |
| CVE-2022-0916 | | | 0.00 | — | 0.00 | | May 3, 2022 | An issue was discovered in Logitech Options. The OAuth 2.0 state parameter was not properly validated. This leaves applications vulnerable to CSRF attacks during authentication and authorization operations. |
| CVE-2021-38547 | | | 0.00 | — | 0.01 | | Aug 11, 2021 | Logitech Z120 and S120 speakers through 2021-08-09 allow remote attackers to recover speech signals from an LED on the device, via a telescope and an electro-optical sensor, aka a "Glowworm" attack. The power indicator LED of the speakers is connected directly to the power line,… |
| CVE-2019-13055 | | | 0.00 | — | 0.01 | | Jun 29, 2019 | Certain Logitech Unifying devices allow attackers to dump AES keys and addresses, leading to the capability of live decryption of Radio Frequency transmissions, as demonstrated by an attack against a Logitech K360 keyboard. |
| CVE-2019-13054 | | | 0.00 | — | 0.01 | | Jun 29, 2019 | The Logitech R500 presentation clicker allows attackers to determine the AES key, leading to keystroke injection. On Windows, any text may be injected by using ALT+NUMPAD input to bypass the restriction on the characters A through Z. |
| CVE-2019-13053 | | | 0.00 | — | 0.01 | | Jun 29, 2019 | Logitech Unifying devices allow keystroke injection, bypassing encryption. The attacker must press a "magic" key combination while sniffing cryptographic data from a Radio Frequency transmission. NOTE: this issue exists because of an incomplete fix for CVE-2016-10761. |
| CVE-2016-10761 | | | 0.00 | — | 0.01 | | Jun 29, 2019 | Logitech Unifying devices before 2016-02-26 allow keystroke injection, bypassing encryption, aka MouseJack. |
| CVE-2019-13052 | | | 0.00 | — | 0.01 | | Jun 29, 2019 | Logitech Unifying devices allow live decryption if the pairing of a keyboard to a receiver is sniffed. |
| CVE-2019-12506 | | | 0.00 | — | 0.01 | | Jun 7, 2019 | Due to unencrypted and unauthenticated data communication, the wireless presenter Logitech R700 Laser Presentation Remote R-R0010 is prone to keystroke injection attacks. Thus, an attacker is able to send arbitrary keystrokes to a victim's computer system, e.g., to install… |
| CVE-2018-15721 | | | 0.00 | — | 0.02 | | Dec 20, 2018 | The XMPP server in Logitech Harmony Hub before version 4.15.206 is vulnerable to authentication bypass via a crafted XMPP request. Remote attackers can use this vulnerability to gain access to the local API. |
| CVE-2018-15720 | | | 0.00 | — | 0.01 | | Dec 20, 2018 | Logitech Harmony Hub before version 4.15.206 contained two hard-coded accounts in the XMPP server that gave remote users access to the local API. |
| CVE-2018-15722 | | | 0.00 | — | 0.02 | | Dec 20, 2018 | The Logitech Harmony Hub before version 4.15.206 is vulnerable to OS command injection via the time update request. A remote server or man in the middle can inject OS commands with a properly formatted response. |
| CVE-2012-1250 | | | 0.00 | — | 0.06 | | Jun 4, 2012 | Logitec LAN-W300N/R routers with firmware before 2.27 do not properly restrict login access, which allows remote attackers to obtain administrative privileges and modify settings via vectors related to PPPoE authentication. |
| CVE-2002-1722 | | | 0.00 | — | 0.00 | | Dec 31, 2002 | Logitech iTouch keyboards allows attackers with physical access to the system to bypass the screen locking function and execute user-defined commands that have been assigned to a button. |
| CVE-2001-0737 | | | 0.00 | — | 0.02 | | Oct 18, 2001 | A long 'synch' delay in Logitech wireless mice and keyboard receivers allows a remote attacker to hijack connections via a man-in-the-middle attack. |