
Malik Makkes

Researcher from Abicom Groupe OCI
#18336 of 53,633
14.8 Total CVSS
Vulnerabilities · 2
High
2
PT-2026-38599
7.3
2026-05-07
Maxhub · Maxhub Pivot · CVE-2026-6411
**Name of the Vulnerable Software and Affected Versions**
MAXHUB Pivot client versions prior to 1.36.2

**Description**
An issue in the application allows an attacker to obtain encrypted tenant email addresses and related metadata from any tenant. Because a hardcoded AES key (Advanced Encryption Standard, a symmetric encryption algorithm) is present within the application, this encrypted data can be decrypted to reveal email addresses and associated information in cleartext. Additionally, an attacker can cause a denial-of-service condition by enrolling multiple unauthorized devices into a tenant via MQTT (Message Queuing Telemetry Transport, a lightweight messaging protocol), which may disrupt tenant operations.

**Recommendations**
Update to version 1.36.2 or later.
PT-2025-49157
7.5
2025-12-04
Pivot · Pivot · CVE-2025-53704
**Name of the Vulnerable Software and Affected Versions**
Pivot client application (affected versions not specified)

**Description**
The password reset mechanism is weak and could allow an attacker to take over an account.

**Recommendations**
At the moment, there is no information about a newer version that contains a fix for this vulnerability.