Security Vulnerabilities - CVEs Published In March 2025
SOPlanning 1.53.00 is vulnerable to a directory traversal issue in /process/upload.php. The "fichier_to_delete" parameter allows authenticated attackers to specify file paths containing directory traversal sequences (e.g., ../). This vulnerability enables attackers to delete arbitrary files outside the intended upload directory, potentially leading to denial of service or disruption of application functionality.
CVSS Score
6.5
EPSS Score
0.004
Published
2025-03-18
An issue was discovered on the Forvia Hella HELLA Driving Recorder DR 820. Hardcoded Credentials exist in the APK for Ports 9091 and 9092. The dashcam's Android application contains hardcoded credentials that allow unauthorized access to device settings through ports 9091 and 9092. These credentials, stored in cleartext, can be exploited by an attacker who gains access to the dashcam's network.
CVSS Score
9.8
EPSS Score
0.001
Published
2025-03-18
An issue was discovered on the Forvia Hella HELLA Driving Recorder DR 820. Bypassing of Device Pairing can occur. The pairing mechanism relies solely on the connecting device's MAC address. By obtaining the MAC address through network scanning and spoofing it, an attacker can bypass the authentication process and gain full access to the dashcam's features without proper authorization.
CVSS Score
9.1
EPSS Score
0.001
Published
2025-03-18
An issue was discovered on the Forvia Hella HELLA Driving Recorder DR 820. Default Credentials Cannot Be Changed. It uses a fixed default SSID and password ("qwertyuiop"), which cannot be modified by users. The SSID is continuously broadcast, allowing unauthorized access to the device network.
CVSS Score
9.8
EPSS Score
0.001
Published
2025-03-18
An issue was discovered on the Forvia Hella HELLA Driving Recorder DR 820. Remotely Dumping of Video Footage and the Live Video Stream can occur. It allows remote attackers to access and download recorded video footage from the SD card via port 9091. Additionally, attackers can connect to port 9092 to stream the live video feed by bypassing the challenge-response authentication mechanism. This exposes sensitive location and personal data.
CVSS Score
7.5
EPSS Score
0.002
Published
2025-03-18
An issue was discovered on the Forvia Hella HELLA Driving Recorder DR 820. Managing Settings and Obtaining Sensitive Data and Sabotaging the Car Battery can be performed by unauthorized parties. After bypassing the device pairing, an attacker can obtain sensitive user and vehicle information through the settings interface. Remote attackers can modify power management settings, disable recording, delete stored footage, and turn off battery protection, leading to potential denial-of-service conditions and vehicle battery drainage.
CVSS Score
7.3
EPSS Score
0.001
Published
2025-03-18
yimioa before v2024.07.04 was discovered to contain a SQL injection vulnerability via the listNameBySql() method at /xml/UserMapper.xml.
CVSS Score
6.1
EPSS Score
0.0
Published
2025-03-18
Incorrect access control in the component /config/WebSecurityConfig.java of yimioa before v2024.07.04 allows unauthorized attackers to arbitrarily modify Administrator passwords.
CVSS Score
7.3
EPSS Score
0.0
Published
2025-03-18
yimioa before v2024.07.04 was discovered to contain a SQL injection vulnerability via the component /mapper/xml/AddressDao.xml.
CVSS Score
6.1
EPSS Score
0.0
Published
2025-03-18
IBM QRadar Advisor 1.0.0 through 2.6.5 is vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks.
CVSS Score
4.1
EPSS Score
0.0
Published
2025-03-18