MB connect line mbCONNECT24 vulnerabilities
63 known vulnerabilities affecting mb_connect_line/mbconnect24.
Total CVEs: 63
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 2, HIGH 28, MEDIUM 33
Vulnerabilities
Page 3 of 4
CVE-2026-40844 | P3 | MEDIUM | CVSS 6.5 | CWE-89 | ≥ 0.0.0, ≤ 2.20.0 | v2.20.0 | 2026-05-27
A low-privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the dashboard view due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality.
nvd
CVE-2021-34575 | P3 | HIGH | CVSS 7.5 | CWE-203 | ≥ 2.8.0, ≤ 2.8.0 | 2021-08-02
In MB connect line mymbCONNECT24, mbCONNECT24 in versions <= 2.8.0 an unauthenticated user can enumerate valid users by checking what kind of response the server sends.
nvd
CVE-2024-45273 | P3 | HIGH | CVSS 7.8 | CWE-261 | ≥ 0.0.0, ≤ 2.16.2 | 2024-10-15
An unauthenticated local attacker can decrypt the device's config file and therefore compromise the device due to a weak implementation of the encryption used.
nvd
CVE-2021-34580 | P3 | HIGH | CVSS 7.5 | CWE-204 | ≥ 2.9.0, ≤ 2.9.0 | 2021-10-27
In mymbCONNECT24, mbCONNECT24 <= 2.9.0 an unauthenticated user can enumerate valid backend users by checking what kind of response the server sends for crafted invalid login attempts.
nvd
CVE-2020-12528 | P3 | HIGH | CVSS 7.7 | CWE-269 | ≥ 2.6.2, ≤ 2.6.2 | 2021-03-02
An issue was discovered in MB connect line mymbCONNECT24 and mbCONNECT24 software in all versions through V2.6.2. Improper use of access validation allows a logged in user to kill web2go sessions in the account he should not have access to.
nvd
CVE-2026-40829 | P3 | MEDIUM | CVSS 5.5 | CWE-89 | ≥ 0.0.0, ≤ 2.20.0 | v2.20.0 | 2026-05-27
A high privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the view.html.php file's UpdateParam function due to improper neutralization of special elements in a SQL UPDATE command allowing for reading the whole database and changing values in a non critical table. This can result in a total loss of confidentiality a
nvd
CVE-2026-40828 | P3 | MEDIUM | CVSS 5.5 | CWE-89 | ≥ 0.0.0, ≤ 2.20.0 | v2.20.0 | 2026-05-27
A high privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the DeleteSysLogEntry function due to improper neutralization of special elements in a SQL DELETE command allowing for reading the whole database and deleting entries in a non critical table. This can result in a total loss of confidentiality and some loss
nvd
CVE-2026-40830 | P3 | MEDIUM | CVSS 5.5 | CWE-89 | ≥ 0.0.0, ≤ 2.20.0 | v2.20.0 | 2026-05-27
A high privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the admin.mbnetj.php file's UpdateParam function due to improper neutralization of special elements in a SQL UPDATE command allowing for reading the whole database and changing values in a non critical table. This can result in a total loss of confidentialit
nvd
CVE-2026-40827 | P3 | MEDIUM | CVSS 5.5 | CWE-89 | ≥ 0.0.0, ≤ 2.20.0 | v2.20.0 | 2026-05-27
A high privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the _RemoveRequest function due to improper neutralization of special elements in a SQL DELETE command allowing for reading the whole database and deleting entries in a non critical table. This can result in a total loss of confidentiality and some loss of
nvd
CVE-2026-40824 | P3 | MEDIUM | CVSS 5.5 | CWE-89 | ≥ 0.0.0, ≤ 2.20.0 | v2.20.0 | 2026-05-27
A high privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the accountstatus view userid parameter due to improper neutralization of special elements in a SQL UPDATE command allowing for reading the whole database and changing values in a non critical table. This can result in a total loss of confidentiality and so
nvd
CVE-2026-40823 | P3 | MEDIUM | CVSS 5.5 | CWE-89 | ≥ 0.0.0, ≤ 2.20.0 | v2.20.0 | 2026-05-27
A high privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the DevSerialReset function due to improper neutralization of special elements in a SQL UPDATE command allowing for reading the whole database and changing values in a non critical table. This can result in a total loss of confidentiality and some loss of i
nvd
CVE-2026-40825 | P3 | MEDIUM | CVSS 5.5 | CWE-89 | ≥ 0.0.0, ≤ 2.20.0 | v2.20.0 | 2026-05-27
A high privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the accountstatus view devices parameter due to improper neutralization of special elements in a SQL UPDATE command allowing for reading the whole database and changing values in a non critical table. This can result in a total loss of confidentiality and s
nvd
CVE-2026-33617 | P4 | MEDIUM | CVSS 5.3 | CWE-497 | ≥ 0.0.0, ≤ 2.19.4 | 2026-04-02
An unauthenticated remote attacker can access a configuration file containing database credentials. This can result in some loss of confidentiality, but there is no endpoint exposed to use these credentials.
nvd
CVE-2026-40826 | P4 | MEDIUM | CVSS 4.9 | CWE-89 | ≥ 0.0.0, ≤ 2.20.0 | v2.20.0 | 2026-05-27
A high privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the dsgvo_contracts view due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality.
nvd
CVE-2026-40821 | P4 | MEDIUM | CVSS 4.9 | CWE-89 | ≥ 0.0.0, ≤ 2.20.0 | v2.20.0 | 2026-05-27
A high privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the getAccountByID function due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality.
nvd
CVE-2026-40822 | P4 | MEDIUM | CVSS 4.9 | CWE-89 | ≥ 0.0.0, ≤ 2.20.0 | v2.20.0 | 2026-05-27
A high privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the DevSerialReset function due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality.
nvd
CVE-2020-12527 | P4 | MEDIUM | CVSS 6.5 | CWE-269 | ≥ 2.6.2, ≤ 2.11.2 | 2021-03-02
An issue was discovered in MB connect line mymbCONNECT24, mbCONNECT24 and Helmholz myREX24 and myREX24.virtual in all versions through v2.11.2. Improper access validation allows a logged in user to shut down or reboot devices in his account without having corresponding permissions.
nvd
CVE-2024-23942 | P4 | HIGH | CVSS 7.1 | CWE-312 | fixed in 2.16.2 | 2025-03-18
A local user may find a configuration file on the client workstation with unencrypted sensitive data. This allows an attacker to impersonate the device or prevent the device from accessing the cloud portal which leads to a DoS.
nvd
CVE-2022-22520 | P4 | MEDIUM | CVSS 5.3 | CWE-204 | ≥ 2, ≤ 2.11.2 | 2022-09-14
A remote, unauthenticated attacker can enumerate valid users by sending specific requests to the webservice of MB connect line mymbCONNECT24, mbCONNECT24 and Helmholz myREX24 and myREX24.virtual in all versions through v2.11.2.
nvd
CVE-2020-12529 | P4 | MEDIUM | CVSS 5.3 | CWE-918 | ≥ 2.6.2, ≤ 2.6.2 | 2021-03-02
An issue was discovered in MB connect line mymbCONNECT24 and mbCONNECT24 software in all versions through V2.6.2. There is an SSRF in the LDAP access check, allowing an attacker to scan for open ports.
nvd