CloudView NMS before 2.10a allows remote attackers to obtain sensitive information via a direct request for admin/auto.def.

CloudView NMS before 2.10a has XSS via a TELNET login.

OSRAM SYLVANIA Osram Lightify Pro through 2016-07-26 does not use SSL pinning.

OSRAM SYLVANIA Osram Lightify Pro before 2016-07-26 has XSS in the username field and Wireless Client Mode configuration page.

OSRAM SYLVANIA Osram Lightify Pro before 2016-07-26 uses only 8 hex digits for a PSK.

Sierra Wireless GX 440 devices with ALEOS firmware 4.3.2 allow Embedded_Ace_Set_Task.cgi command injection.

OSRAM SYLVANIA Osram Lightify Pro through 2016-07-26 allows Zigbee replay.

OSRAM SYLVANIA Osram Lightify Pro before 2016-07-26 allows attackers to obtain sensitive information by reading screenshots under /private/var/mobile/Containers/Data/Application.

Sierra Wireless GX 440 devices with ALEOS firmware 4.3.2 do not require authentication for Embedded_Ace_Get_Task.cgi requests.

Sierra Wireless GX 440 devices with ALEOS firmware 4.3.2 have weak passwords for admin, rauser, sconsole, and user.