Bosch: Security Vulnerabilities
The vulnerability allows an authenticated remote attacker to list arbitrary folders in all paths of the system under the context of the application OS user (“root”) via a crafted HTTP request.
By abusing this vulnerability, it is possible to steal session cookies of other active users.
CVSS Score
6.5
EPSS Score
0.003
Published
2024-01-10
The vulnerability allows a remote attacker to authenticate to the web application with high privileges through multiple hidden hard-coded accounts.
CVSS Score
8.1
EPSS Score
0.007
Published
2024-01-10
The vulnerability allows an unauthenticated remote attacker to upload arbitrary files under the context of the application OS user (“root”) via a crafted HTTP request.
CVSS Score
6.5
EPSS Score
0.004
Published
2024-01-10
The vulnerability allows a remote attacker to download arbitrary files in all paths of the system under the context of the application OS user (“root”) via a crafted HTTP request.
CVSS Score
6.5
EPSS Score
0.003
Published
2024-01-10
The vulnerability allows an unauthenticated remote attacker to read arbitrary files under the context of the application OS user (“root”) via a crafted HTTP request.
CVSS Score
5.3
EPSS Score
0.002
Published
2024-01-10
The vulnerability allows an authenticated remote attacker to upload a malicious file to the SD card containing arbitrary client-side script code and obtain its execution inside a victim’s session via a crafted URL, HTTP request, or simply by waiting for the victim to view the poisoned file.
CVSS Score
5.5
EPSS Score
0.001
Published
2024-01-10
The vulnerability allows an authenticated remote attacker to download arbitrary files in all paths of the system under the context of the application OS user (“root”) via a crafted HTTP request.
CVSS Score
6.5
EPSS Score
0.003
Published
2024-01-10
The vulnerability allows a remote attacker to upload arbitrary files in all paths of the system under the context of the application OS user (“root”) via a crafted HTTP request.
By abusing this vulnerability, it is possible to obtain remote code execution (RCE) with root privileges on the device.
CVSS Score
8.1
EPSS Score
0.021
Published
2024-01-10
The vulnerability allows a remote attacker to inject and execute arbitrary client-side script code inside a victim’s session via a crafted URL or HTTP request.
CVSS Score
5.3
EPSS Score
0.001
Published
2024-01-10
Network port 8899 open in WiFi firmware of BCC101/BCC102/BCC50 products, that allows an attacker to connect to the device via same WiFi network.
CVSS Score
8.3
EPSS Score
0.001
Published
2024-01-09