Vulnerabilities > Honeywell
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2020-03-24 | CVE-2020-7005 | Cross-Site Request Forgery (CSRF) vulnerability in Honeywell Win-Pak 4.7.2 In Honeywell WIN-PAK 4.7.2, Web and prior versions, the affected product is vulnerable to a cross-site request forgery, which may allow an attacker to remotely execute arbitrary code. | 6.8 |
| 2020-03-24 | CVE-2020-6972 | Authentication Bypass by Capture-replay vulnerability in Honeywell Notifier Webserver 3.50 In Notifier Web Server (NWS) Version 3.50 and earlier, the Honeywell Fire Web Server’s authentication may be bypassed by a capture-replay attack from a web browser. | 6.4 |
| 2020-02-20 | CVE-2020-6968 | Improper Privilege Management vulnerability in Honeywell Inncom Inncontrol Firmware 3.0/3.21 Honeywell INNCOM INNControl 3 allows workstation users to escalate application user privileges through the modification of local configuration files. | 4.6 |
| 2020-01-22 | CVE-2020-6960 | SQL Injection vulnerability in Honeywell products The following versions of MAXPRO VMS and NVR, MAXPRO VMS:HNMSWVMS prior to Version VMS560 Build 595 T2-Patch, HNMSWVMSLT prior to Version VMS560 Build 595 T2-Patch, MAXPRO NVR: MAXPRO NVR XE prior to Version NVR 5.6 Build 595 T2-Patch, MAXPRO NVR SE prior to Version NVR 5.6 Build 595 T2-Patch, MAXPRO NVR PE prior to Version NVR 5.6 Build 595 T2-Patch, and MPNVRSWXX prior to Version NVR 5.6 Build 595 T2-Patch contain an SQL injection vulnerability that could give an attacker remote unauthenticated access to the web user interface with administrator-level privileges. | 7.5 |
| 2020-01-22 | CVE-2020-6959 | Deserialization of Untrusted Data vulnerability in Honeywell products The following versions of MAXPRO VMS and NVR, MAXPRO VMS:HNMSWVMS prior to Version VMS560 Build 595 T2-Patch, HNMSWVMSLT prior to Version VMS560 Build 595 T2-Patch, MAXPRO NVR: MAXPRO NVR XE prior to Version NVR 5.6 Build 595 T2-Patch, MAXPRO NVR SE prior to Version NVR 5.6 Build 595 T2-Patch, MAXPRO NVR PE prior to Version NVR 5.6 Build 595 T2-Patch, and MPNVRSWXX prior to Version NVR 5.6 Build 595 T2-Patch are vulnerable to an unsafe deserialization of untrusted data. | 7.5 |
| 2019-10-31 | CVE-2019-18230 | Missing Authentication for Critical Function vulnerability in Honeywell products Honeywell equIP and Performance series IP cameras, multiple versions, A vulnerability exists where the affected product allows unauthenticated access to audio streaming over HTTP. | 5.0 |
| 2019-10-31 | CVE-2019-18228 | Improper Input Validation vulnerability in Honeywell products Honeywell equIP series IP cameras Multiple equIP Series Cameras, A vulnerability exists in the affected products where a specially crafted HTTP packet request could result in a denial of service. | 5.0 |
| 2019-10-31 | CVE-2019-18226 | Authentication Bypass by Capture-replay vulnerability in Honeywell products Honeywell equIP series and Performance series IP cameras and recorders, A vulnerability exists in the affected products where IP cameras and recorders have a potential replay attack vulnerability as a weak authentication method is retained for compatibility with legacy products. | 7.5 |
| 2019-10-25 | CVE-2019-13525 | Missing Authentication for Critical Function vulnerability in Honeywell Ip-Ak2 Firmware In IP-AK2 Access Control Panel Version 1.04.07 and prior, the integrated web server of the affected devices could allow remote attackers to obtain web configuration data, which can be accessed without authentication over the network. | 5.0 |
| 2019-09-26 | CVE-2019-13523 | Missing Authentication for Critical Function vulnerability in Honeywell products In Honeywell Performance IP Cameras and Performance NVRs, the integrated web server of the affected devices could allow remote attackers to obtain web configuration data in JSON format for IP cameras and NVRs (Network Video Recorders), which can be accessed without authentication over the network. | 5.0 |