Gjoko Krstic

**Name of the Vulnerable Software and Affected Versions** Honeywell IQ4x building management controller (affected versions not specified) **Description** The Honeywell IQ4x building management controller exposes its full web-based Human Machine Interface (HMI) without authentication in its factory-default configuration. When no user module is configured, security is disabled by design, and the system operates under a System Guest context, granting read/write privileges to anyone who can access the HTTP interface. Authentication is only enforced after a web user is created through the `U.htm` function, which dynamically enables the user module. Because this function is accessible before authentication, a remote user can create a new account with administrative read/write permissions, enabling the user module and imposing authentication under attacker-controlled credentials. This action can effectively prevent legitimate operators from accessing local and web-based configuration and administration. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Tattile Smart+, Vega, and Basic device families versions 1.181.5 and prior **Description** The device families ship with default credentials that are not required to be changed during setup. An attacker reaching the management interface can use these default credentials to gain administrative access, potentially allowing unauthorized access to device configuration and data. **Recommendations** Change the default credentials on all affected devices.

**Name of the Vulnerable Software and Affected Versions** Tattile Smart+ versions prior to 1.181.6 Tattile Vega versions prior to 1.181.6 Tattile Basic versions prior to 1.181.6 **Description** The firmware on Tattile Smart+, Vega, and Basic device families, versions 1.181.5 and earlier, allows unauthorized access to Real Time Streaming Protocol (RTSP) streams. An attacker can connect to the RTSP service without providing valid credentials and access live video and audio feeds, leading to the disclosure of surveillance data. **Recommendations** Update Tattile Smart+ to a version later than 1.181.5. Update Tattile Vega to a version later than 1.181.5. Update Tattile Basic to a version later than 1.181.5.

**Name of the Vulnerable Software and Affected Versions** Tattile Smart+, Vega, and Basic device families versions 1.181.5 and prior **Description** The affected devices implement an authentication token (`X-User-Token`) with insufficient expiration. An attacker who obtains a valid token, for example through interception, log exposure, or token reuse on a shared system, can continue to authenticate to the management interface until the token is revoked. This enables unauthorized access to device functions and data. **Recommendations** Versions prior to 1.181.5 should be updated.

**Name of the Vulnerable Software and Affected Versions** eNet SMART HOME server versions 2.2.1 and 2.3.1 **Description** The eNet SMART HOME server is affected by a default credentials issue. The server ships with default credentials ('user:user', 'admin:admin') that remain active after installation and commissioning without requiring a password change. This allows unauthenticated attackers to gain administrative access to sensitive smart home configuration and control functions. **Recommendations** Change the default credentials for both the 'user' and 'admin' accounts immediately after installation and commissioning.

**Name of the Vulnerable Software and Affected Versions** eNet SMART HOME server versions 2.2.1 and 2.3.1 **Description** The eNet SMART HOME server is affected by a privilege escalation issue. Insufficient authorization checks within the `setUserGroup` JSON-RPC method allow a low-privileged user (UG USER) to elevate their account to the UG ADMIN group. This is achieved by sending a crafted POST request to the `/jsonrpc/management` API endpoint, specifying the user's own username. Successful exploitation grants administrative capabilities, including the ability to modify device configurations and network settings. **Recommendations** eNet SMART HOME server version 2.2.1: At the moment, there is no information about a newer version that contains a fix for this vulnerability. eNet SMART HOME server version 2.3.1: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** eNet SMART HOME server versions 2.2.1 through 2.3.1 **Description** The eNet SMART HOME server software has a flaw where authorization checks are absent in the `deleteUserAccount` JSON-RPC method. This allows a standard, authenticated user (UG USER) to remove other user accounts, with the exception of the built-in admin account. The application fails to implement role-based access control for this function. An attacker can send a specially crafted POST request to the `/jsonrpc/management` API endpoint, specifying a `username` to be deleted, without needing higher privileges or further confirmation. The vulnerable parameter is `username`. **Recommendations** eNet SMART HOME server version 2.2.1: Implement proper role-based access control for the `deleteUserAccount` function. eNet SMART HOME server version 2.3.1: Implement proper role-based access control for the `deleteUserAccount` function.

**Name of the Vulnerable Software and Affected Versions** eNet SMART HOME server versions 2.2.1 and 2.3.1 **Description** The software contains a missing authorization flaw in the `resetUserPassword` JSON-RPC method. An authenticated, low-privileged user (UG USER) can reset the passwords of any account, including those with UG ADMIN and UG SUPER ADMIN privileges, without knowing the current password. This is achieved by sending a specially crafted JSON-RPC request to the `/jsonrpc/management` API endpoint. Successful exploitation allows an attacker to overwrite existing credentials, leading to account takeover and full administrative access with persistent privilege escalation. **Recommendations** Update eNet SMART HOME server to a version beyond 2.3.1.

**Name of the Vulnerable Software and Affected Versions** JUNG Smart Visu Server version 1.1.1050 **Description** JUNG Smart Visu Server version 1.1.1050 contains a request header manipulation issue that allows unauthenticated attackers to override request URLs by injecting arbitrary values into the `X-Forwarded-Host` header. Attackers can manipulate proxied requests to generate tainted responses, potentially leading to cache poisoning, phishing, and redirection of users to malicious domains. The vulnerability involves improper neutralization of HTTP headers for scripting syntax. **Recommendations** Restrict access to the `X-Forwarded-Host` header to prevent manipulation.

**Name of the Vulnerable Software and Affected Versions** JUNG Smart Visu Server version 1.1.1050 **Description** JUNG Smart Visu Server version 1.1.1050 contains a denial of service condition. Unauthenticated attackers can remotely shutdown or reboot the server by sending a single POST request. No authentication is required to trigger the server reboot. **Recommendations** Update JUNG Smart Visu Server to a newer version that addresses this issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** JUNG Smart Panel KNX firmware versions prior to L1.12.22 **Description** The JUNG Smart Panel KNX firmware does not properly validate file path input in its embedded web interface. This allows remote, unauthenticated attackers to access arbitrary files on the underlying filesystem within the context of the web server. Successful exploitation may lead to the disclosure of system configuration files and other sensitive information. The vulnerable component is the embedded web interface. **Recommendations** Update the JUNG Smart Panel KNX firmware to a version later than L1.12.22.

**Name of the Vulnerable Software and Affected Versions** BACnet Test Server versions up to and including 1.01 **Description** BACnet Test Server is susceptible to a remote denial of service. The server does not correctly validate the BVLC Length field within incoming UDP BVLC frames on the default BACnet port (47808/udp). An unauthenticated remote attacker can send a crafted BVLC Length value, causing an access violation and application crash, leading to a denial of service. **Recommendations** Versions prior to 1.01 are vulnerable.

**Name of the Vulnerable Software and Affected Versions** Screen SFT DAB 600/C firmware versions up to and including 1.9.3 **Description** The Screen SFT DAB 600/C firmware has an issue with access control on the user management API. Unauthenticated requests can retrieve structured user data, including account names and connection metadata such as client IP and timeout values. The affected API endpoint is the user management API. The retrieved data includes `account names` and `client IP` addresses. **Recommendations** Update to a version later than 1.9.3.

**Name of the Vulnerable Software and Affected Versions** ReQuest Serious Play F3 Media Server versions 2.0.1.823 through 7.0.3.4968 **Description** The software contains a remote denial-of-service issue. An unauthenticated attacker can send a crafted HTTP GET request to shut down or reboot the device, leading to interruption of service availability. **Recommendations** Update to a version later than 7.0.3.4968. Update to a version later than 7.0.2.4954. Update to a version later than 6.5.2.4954. Update to a version later than 6.4.2.4681. Update to a version later than 6.3.2.4203. Update to a version later than 2.0.1.823.

**Name of the Vulnerable Software and Affected Versions** Longjing Technology BEMS API versions up to and including 1.21 **Description** The software contains an unauthenticated arbitrary file download issue in the 'downloads' endpoint. The `fileName` parameter lacks proper sanitization, enabling attackers to construct file traversal sequences and gain access to sensitive files outside the designated directory. **Recommendations** Apply updates to versions prior to 1.21.

**Name of the Vulnerable Software and Affected Versions** Tinycontrol LAN Controller versions up to 1.58a (hardware v3.8) **Description** The Tinycontrol LAN Controller v3 (LK3) firmware has a missing authentication check. An attacker who is not authenticated can send specially crafted requests to the `stm.cgi` API endpoint. This can force the device to reboot or restore factory settings, resulting in a denial of service and loss of configuration. The `stm.cgi` endpoint is vulnerable to unauthorized access. **Recommendations** Versions prior to 1.58a (hardware v3.8) should be updated.

**Name of the Vulnerable Software and Affected Versions** Ilevia EVE X1 Server firmware versions through 4.7.18.0.eden **Description** The software contains an execution with unnecessary privileges issue in the `sync project.sh` component. This allows an attacker to escalate privileges to root. The vendor has declined to service this issue and recommends not exposing port 8080 to the internet. **Recommendations** Do not expose port 8080 to the internet.

**Name of the Vulnerable Software and Affected Versions** Ilevia EVE X1 Server firmware versions through 4.7.18.0.eden **Description** The software contains an OS command injection issue in the `mbus build from csv.php` component. An unauthenticated attacker can execute arbitrary code. **Recommendations** Do not expose port 8080 to the internet.

**Name of the Vulnerable Software and Affected Versions** Ilevia EVE X1 Server firmware versions through 4.7.18.0.eden **Description** The software contains authenticated OS command injection flaws in several web-accessible PHP scripts. These scripts utilize the `exec()` function, enabling a verified attacker to run arbitrary commands. The vendor has chosen not to address this issue and advises against exposing port 8080 to the public internet. **Recommendations** Do not expose port 8080 to the internet.

**Name of the Vulnerable Software and Affected Versions** Ilevia EVE X1 Server firmware versions through 4.7.18.0.eden **Description** The software contains a use of default credentials issue that allows an unauthenticated attacker to obtain remote access. The vendor has declined to provide a service for this issue and recommends not exposing port 8080 to the internet. **Recommendations** Do not expose port 8080 to the internet.