Security Vulnerabilities
The Restaurant Brands International (RBI) assistant platform through 2025-09-06 has a Global Store Directory that shares personal information among authenticated users.
CVSS Score
5.0
EPSS Score
0.0
Published
2025-10-17
The Restaurant Brands International (RBI) assistant platform through 2025-09-06 allows a remote authenticated attacker to obtain a token with administrative privileges for the entire platform via the createToken GraphQL mutation.
CVSS Score
9.9
EPSS Score
0.001
Published
2025-10-17
The Restaurant Brands International (RBI) assistant platform through 2025-09-06 allows remote attackers to review the stored audio of conversations between associates and Drive Thru customers.
CVSS Score
5.0
EPSS Score
0.001
Published
2025-10-17
The Restaurant Brands International (RBI) assistant platform through 2025-09-06 provides the functionality of returning a JWT that can be used to call an API to return a signed AWS upload URL, for any store's path.
CVSS Score
5.0
EPSS Score
0.0
Published
2025-10-17
The Restaurant Brands International (RBI) assistant platform through 2025-09-06 allows remote attackers to adjust Drive Thru speaker audio volume.
CVSS Score
6.4
EPSS Score
0.001
Published
2025-10-17
The Restaurant Brands International (RBI) assistant platform through 2025-09-06 has an "Anyone Can Join This Party" signup API that does not verify user account creation, allowing a remote unauthenticated attacker to create a user account.
CVSS Score
5.8
EPSS Score
0.0
Published
2025-10-17
A vulnerability was found in Shenzhen Ruiming Technology Streamax Crocus 1.3.40. Affected by this issue is the function Download of the file /DeviceFileReport.do?Action=Download. Performing manipulation of the argument FilePath results in path traversal. The attack may be initiated remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Score
4.3
EPSS Score
0.001
Published
2025-10-17
A vulnerability has been found in Shenzhen Ruiming Technology Streamax Crocus 1.3.40. Affected by this vulnerability is the function Download of the file /Service.do?Action=Download. Such manipulation of the argument Path leads to path traversal. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Score
4.3
EPSS Score
0.001
Published
2025-10-17
A vulnerability was detected in Shenzhen Ruiming Technology Streamax Crocus 1.3.40. This impacts the function Query of the file /DeviceFault.do?Action=Query. The manipulation of the argument sortField results in sql injection. It is possible to launch the attack remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Score
6.3
EPSS Score
0.0
Published
2025-10-17
A flaw has been found in Shenzhen Ruiming Technology Streamax Crocus 1.3.40. Affected is the function Query of the file /DeviceState.do?Action=Query. This manipulation of the argument orderField causes sql injection. The attack can be initiated remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Score
6.3
EPSS Score
0.0
Published
2025-10-17