Vulnerabilities (CVE)

Join the Common Vulnerabilities and Exposures (CVE) community and start to get notified about new vulnerabilities.

Filtered by vendor Bosch Subscribe
Total 70 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2022-47648 1 Bosch 2 B420, B420 Firmware 2023-03-07 N/A 8.8 HIGH
** UNSUPPORTED WHEN ASSIGNED ** Bosch Security Systems B420 firmware 02.02.0001 employs IP based authorization in its authentication mechanism, allowing attackers to access the device as long as they are on the same network as a legitimate user.
CVE-2019-11601 1 Bosch 2 Iot Gateway Software, Prosyst Mbs Sdk 2023-02-02 6.4 MEDIUM 7.5 HIGH
A directory traversal vulnerability in remote access to backup & restore in earlier versions than ProSyst mBS SDK 8.2.6 and Bosch IoT Gateway Software 9.2.0 allows remote attackers to write or delete files at any location.
CVE-2019-6958 1 Bosch 16 Access Easy Controller, Access Easy Controller Firmware, Access Professional Edition and 13 more 2023-01-31 6.4 MEDIUM 9.1 CRITICAL
A recently discovered security vulnerability affects all Bosch Video Management System (BVMS) versions 9.0 and below, DIVAR IP 2000, 3000, 5000 and 7000, Configuration Manager, Building Integration System (BIS) with Video Engine, Access Professional Edition (APE), Access Easy Controller (AEC), Bosch Video Client (BVC) and Video SDK (VSDK). The RCP+ network port allows access without authentication. Adding authentication feature to the respective library fixes the issue. The issue is classified as "CWE-284: Improper Access Control." This vulnerability, for example, allows a potential attacker to delete video or read video data.
CVE-2019-6957 1 Bosch 18 Access Easy Controller, Access Easy Controller Firmware, Access Professional Edition and 15 more 2022-11-30 7.5 HIGH 9.8 CRITICAL
A recently discovered security vulnerability affects all Bosch Video Management System (BVMS) versions 9.0 and below, DIVAR IP 2000, 3000, 5000 and 7000, Video Recording Manager (VRM), Video Streaming Gateway (VSG), Configuration Manager, Building Integration System (BIS) with Video Engine, Access Professional Edition (APE), Access Easy Controller (AEC), Bosch Video Client (BVC) and Video SDK (VSDK). The vulnerability potentially allows the unauthorized execution of code in the system via the network interface.
CVE-2022-40184 1 Bosch 2 Videojet Multi 4000, Videojet Multi 4000 Firmware 2022-10-31 N/A 4.8 MEDIUM
Incomplete filtering of JavaScript code in different configuration fields of the web based interface of the VIDEOJET multi 4000 allows an attacker with administrative credentials to store JavaScript code which will be executed for all administrators accessing the same configuration option.
CVE-2022-40183 1 Bosch 2 Videojet Multi 4000, Videojet Multi 4000 Firmware 2022-10-31 N/A 4.7 MEDIUM
An error in the URL handler of the VIDEOJET multi 4000 may lead to a reflected cross site scripting (XSS) in the web-based interface. An attacker with knowledge of the encoder address can send a crafted link to a user, which will execute JavaScript code in the context of the user.
CVE-2016-4507 1 Bosch 1 Bladecontrol-webvis 2022-10-06 5.5 MEDIUM 6.4 MEDIUM
SQL injection vulnerability in Rexroth Bosch BLADEcontrol-WebVIS 3.0.2 and earlier allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors.
CVE-2016-4508 1 Bosch 1 Bladecontrol-webvis 2022-10-06 4.3 MEDIUM 6.1 MEDIUM
Cross-site scripting (XSS) vulnerability in Rexroth Bosch BLADEcontrol-WebVIS 3.0.2 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVE-2022-32540 1 Bosch 3 Bosch Video Management System, Videojet Decoder 7513, Videojet Decoder 7513 Firmware 2022-10-04 N/A 5.9 MEDIUM
Information Disclosure in Operator Client application in BVMS 10.1.1, 11.0 and 11.1.0 and VIDEOJET Decoder VJD-7513 versions 10.23 and 10.30 allows man-in-the-middle attacker to compromise confidential video stream. This is only applicable for UDP encryption when target system contains cameras with platform CPP13 or CPP14 and firmware version 8.x.
CVE-2021-23862 1 Bosch 8 Bosch Video Management System, Divar Ip 5000 Firmware, Divar Ip 7000 Firmware and 5 more 2022-08-30 9.0 HIGH 7.2 HIGH
A crafted configuration packet sent by an authenticated administrative user can be used to execute arbitrary commands in system context. This issue also affects installations of the VRM, DIVAR IP, BVMS with VRM installed, the VIDEOJET decoder (VJD-7513 and VJD-8000).
CVE-2021-23861 1 Bosch 4 Bosch Video Management System, Divar Ip 5000 Firmware, Divar Ip 7000 Firmware and 1 more 2022-08-30 5.5 MEDIUM 6.5 MEDIUM
By executing a special command, an user with administrative rights can get access to extended debug functionality on the VRM allowing an impact on integrity or availability of the installed software. This issue also affects installations of the DIVAR IP and BVMS with VRM installed.
CVE-2021-23858 1 Bosch 24 Indracontrol Xlc, Indracontrol Xlc Firmware, Rexroth Indramotion Mlc L20 and 21 more 2022-08-30 7.8 HIGH 7.5 HIGH
Information disclosure: The main configuration, including users and their hashed passwords, is exposed by an unprotected web server resource and can be accessed without authentication. Additionally, device details are exposed which include the serial number and the firmware version by another unprotected web server resource.
CVE-2021-23857 1 Bosch 24 Rexroth Indramotion Mlc L20, Rexroth Indramotion Mlc L20 Firmware, Rexroth Indramotion Mlc L25 and 21 more 2022-08-30 10.0 HIGH 9.8 CRITICAL
Login with hash: The login routine allows the client to log in to the system not by using the password, but by using the hash of the password. Combined with CVE-2021-23858, this allows an attacker to subsequently login to the system.
CVE-2021-23855 1 Bosch 4 Rexroth Indramotion Mlc, Rexroth Indramotion Mlc Firmware, Rexroth Indramotion Xlc and 1 more 2022-08-30 5.0 MEDIUM 7.5 HIGH
The user and password data base is exposed by an unprotected web server resource. Passwords are hashed with a weak hashing algorithm and therefore allow an attacker to determine the password by using rainbow tables.
CVE-2022-36302 1 Bosch 1 Bf-os 2022-08-08 N/A 5.4 MEDIUM
File path manipulation vulnerability in BF-OS version 3.00 up to and including 3.83 allows an attacker to modify the file path to access different resources, which may contain sensitive information.
CVE-2022-36301 1 Bosch 1 Bf-os 2022-08-08 N/A 7.5 HIGH
BF-OS version 3.x up to and including 3.83 do not enforce strong passwords which may allow a remote attacker to brute-force the device password.
CVE-2022-32534 1 Bosch 2 Pra-es8p2s, Pra-es8p2s Firmware 2022-07-01 10.0 HIGH 9.8 CRITICAL
The Bosch Ethernet switch PRA-ES8P2S with software version 1.01.05 and earlier was found to be vulnerable to command injection through its diagnostics web interface. This allows execution of shell commands.
CVE-2022-32535 1 Bosch 2 Pra-es8p2s, Pra-es8p2s Firmware 2022-07-01 10.0 HIGH 9.8 CRITICAL
The Bosch Ethernet switch PRA-ES8P2S with software version 1.01.05 runs its web server with root privilege. In combination with CVE-2022-23534 this could give an attacker root access to the switch.
CVE-2022-32536 1 Bosch 2 Pra-es8p2s, Pra-es8p2s Firmware 2022-07-01 9.0 HIGH 8.8 HIGH
The user access rights validation in the web server of the Bosch Ethernet switch PRA-ES8P2S with software version 1.01.05 was insufficient. This would allow a non-administrator user to obtain administrator user access rights.
CVE-2021-23851 1 Bosch 136 Autodome 7000, Autodome 7000 Firmware, Autodome Ip 4000 Hd and 133 more 2022-04-08 6.5 MEDIUM 7.2 HIGH
A specially crafted TCP/IP packet may cause the camera recovery image web interface to crash. It may also cause a buffer overflow which could enable remote code execution. The recovery image can only be booted with administrative rights or with physical access to the camera and allows the upload of a new firmware in case of a damaged firmware.