Security Vulnerabilities
A User enumeration vulnerability in the /CredentialsServlet/ForgotPassword endpoint in Silverpeas 6.4.1 and 6.4.2 allows remote attackers to determine valid usernames via the Login parameter.
CVSS Score
6.5
EPSS Score
0.0
Published
2025-09-02
PHPGurukul Employee Leave Management System 2.1 contains an Insecure Direct Object Reference (IDOR) vulnerability in leave-details.php. An authenticated user can change the leaveid parameter in the URL to access leave application details of other users.
CVSS Score
4.3
EPSS Score
0.0
Published
2025-09-02
rsbi-pom 4.7 is vulnerable to SQL Injection in the /bi/service/model/DatasetService path.
CVSS Score
9.8
EPSS Score
0.0
Published
2025-09-02
E3 Site Supervisor (firmware version < 2.31F01) has a default admin user "ONEDAY" with a daily generated password. An attacker can predictably generate the password for ONEDAY. The oneday user cannot be deleted or modified by any user.
CVSS Score
9.8
EPSS Score
0.001
Published
2025-09-02
E3 Site Supervisor Control (firmware version < 2.31F01) has a floor plan feature that allows for an unauthenticated attacker to upload floor plan files. By uploading a specially crafted floor plan file, an attacker can inject a stored XSS to the floorplan web page.
CVSS Score
6.1
EPSS Score
0.001
Published
2025-09-02
E3 Site Supervisor Control (firmware version < 2.31F01) MGW contains an API call that lacks input validation. An attacker can use this command to continuously crash the application services.
CVSS Score
7.5
EPSS Score
0.001
Published
2025-09-02
E3 Site Supervisor Control (firmware version < 2.31F01) contains a hidden API call in the application services that enables SSH and Shellinabox, which exist but are disabled by default. An attacker with admin access to the application services can utilize this API to enable remote access to the underlying OS.
CVSS Score
4.9
EPSS Score
0.0
Published
2025-09-02
E3 Site Supervisor Control (firmware version < 2.31F01) generates the root linux password on each boot. An attacker can generate the root linux password for a vulnerable device based on known or easy to fetch parameters.
CVSS Score
9.8
EPSS Score
0.001
Published
2025-09-02
E3 Site Supervisor Control (firmware version < 2.31F01) firmware upgrade packages are unsigned. An attacker can forge malicious firmware upgrade packages. An attacker with admin access to the application services can install a malicious firmware upgrade.
CVSS Score
7.2
EPSS Score
0.0
Published
2025-09-02
E3 Site Supervisor Control (firmware version < 2.31F01) application services (MGW and RCI) uses client side hashing for authentication. An attacker can authenticate by obtaining only the password hash.
CVSS Score
7.5
EPSS Score
0.001
Published
2025-09-02