threatengine.sh
Product
growatt cloud portal
39 known vulnerabilities across versions
Vulnerabilities are listed by affected version. Select any CVE for the full briefing and its intelligence graph.
CVE-2025-31950
<= 3.6.0
An unauthenticated attacker can obtain EV charger energy consumption information of other users.
5.3
MEDIUM
CVE-2025-31945
<= 3.6.0
An unauthenticated attacker can obtain other users' charger information.
5.3
MEDIUM
CVE-2025-31654
<= 3.6.0
An attacker can get information about the groups of the smart home devices for arbitrary users (i.e., "rooms").
5.3
MEDIUM
CVE-2025-31360
<= 3.6.0
Unauthenticated attackers can trigger device actions associated with specific "scenes" of arbitrary users.
6.5
MEDIUM
CVE-2025-31147
<= 3.6.0
Unauthenticated attackers can query information about total energy consumed by EV chargers of arbitrary users.
5.3
MEDIUM
CVE-2025-30512
<= 3.6.0
Unauthenticated attackers can send configuration settings to a device and possibly perform physical actions remotely (e.g., on/off).
6.5
MEDIUM
CVE-2025-30510
<= 3.6.0
An attacker can upload an arbitrary file instead of a plant image.
9.8
CRITICAL
CVE-2025-30257
<= 3.6.0
Unauthenticated attackers can retrieve the serial number of smart meters associated with a specific user account.
5.3
MEDIUM
CVE-2025-27929
<= 3.6.0
Unauthenticated attackers can retrieve the full list of users associated with arbitrary accounts.
5.3
MEDIUM
CVE-2025-27927
<= 3.6.0
An unauthenticated attacker can obtain a list of smart devices by knowing a valid username through an unprotected API.
5.3
MEDIUM
CVE-2025-27719
<= 3.6.0
Unauthenticated attackers can query an API endpoint and get device details.
5.3
MEDIUM
CVE-2025-27575
<= 3.6.0
An unauthenticated attacker can obtain EV charger version and firmware upgrading history by knowing the charger ID.
5.3
MEDIUM
CVE-2025-27565
<= 3.6.0
An unauthenticated attacker can delete any user's "rooms" by knowing the user's and room IDs.
5.3
MEDIUM
CVE-2025-27561
<= 3.6.0
Unauthenticated attackers can rename "rooms" of arbitrary users.
5.3
MEDIUM
CVE-2025-26857
<= 3.6.0
Unauthenticated attackers can rename arbitrary devices of arbitrary users (i.e., EV chargers).
5.3
MEDIUM
CVE-2025-25276
<= 3.6.0
An unauthenticated attacker can hijack other users' devices and potentially control them.
5.3
MEDIUM
CVE-2025-24850
<= 3.6.0
An attacker can export other users' plant information.
5.3
MEDIUM
CVE-2025-24315
<= 3.6.0
Unauthenticated attackers can add devices of other users to their scenes (or arbitrary scenes of other arbitrary users).
5.3
MEDIUM
CVE-2025-24297
<= 3.6.0
Due to lack of server-side input validation, attackers can inject malicious JavaScript code into users personal spaces of the web
9.8
CRITICAL
CVE-2025-31949
<= 3.6.0
An authenticated attacker can obtain any plant name by knowing the plant ID.
5.3
MEDIUM
CVE-2025-31941
<= 3.6.0
An unauthenticated attacker can obtain a list of smart devices by knowing a valid username.
5.3
MEDIUM
CVE-2025-31933
<= 3.6.0
An unauthenticated attacker can check the existence of usernames in the system by querying an API.
5.3
MEDIUM
CVE-2025-31357
<= 3.6.0
An unauthenticated attacker can obtain a user's plant list by knowing the username.
5.3
MEDIUM
CVE-2025-30514
<= 3.6.0
Unauthenticated attackers can obtain restricted information about a user's smart device collections (i.e., "scenes").
5.3
MEDIUM
CVE-2025-30511
<= 3.6.0
An authenticated attacker can achieve stored XSS by exploiting improper sanitization of the plant name value while adding or editi
8.8
HIGH
CVE-2025-30254
<= 3.6.0
An unauthenticated attacker can obtain a serial number of a smart meter(s) using its owner's username.
5.3
MEDIUM
CVE-2025-27939
<= 3.6.0
An attacker can change registered email addresses of other users and take over arbitrary accounts.
7.5
HIGH
CVE-2025-27938
<= 3.6.0
Unauthenticated attackers can obtain restricted information about a user's smart device collections (i.e., "rooms").
5.3
MEDIUM
CVE-2025-27568
<= 3.6.0
An unauthenticated attacker can get users' emails by knowing usernames. A password reset email will be sent in response to this un
5.3
MEDIUM
CVE-2025-24487
<= 3.6.0
An unauthenticated attacker can infer the existence of usernames in the system by querying an API.
5.3
MEDIUM
CVE-2014-3352
<= 2008.3
Cisco Intelligent Automation for Cloud (aka Cisco Cloud Portal) 2008.3_SP9 and earlier does not properly consider whether a sessio
CVE-2014-3351
all versions
Cisco Intelligent Automation for Cloud (aka Cisco Cloud Portal) does not properly consider whether a session is a problematic NULL
CVE-2014-3350
all versions
Cisco Intelligent Automation for Cloud (aka Cisco Cloud Portal) does not properly implement URL redirection, which allows remote a
CVE-2014-3349
all versions
Cisco Intelligent Automation for Cloud (aka Cisco Cloud Portal) does not validate file types during the handling of file submissio
CVE-2014-3298
all versions
Form Data Viewer in Cisco Intelligent Automation for Cloud in Cisco Cloud Portal places passwords in form data, which allows remot
CVE-2014-3297
all versions
Cisco Intelligent Automation for Cloud in Cisco Cloud Portal does not properly restrict the content of MyServices action URLs, whi
CVE-2014-0694
<= 9.4.1
Intelligent Automation for Cloud (IAC) in Cisco Cloud Portal 9.4.1 and earlier includes a cryptographic key in binary files, which
CVE-2013-6708
all versions
Cisco Cloud Portal 9.4 allows remote attackers to read files of unspecified types via a direct request, aka Bug IDs CSCuj08426 and
CVE-2013-1139
all versions
The nsAPI interface in Cisco Cloud Portal 9.1 SP1 and SP2, and 9.3 through 9.3.2, does not properly check privileges, which allows
threatengine.sh · Open-source threat intelligence platform · 100+ authoritative sources · Every fact traces to its origin