GHSA-hrr2-8g8j-2h2hHighCVSS 8.8
A flaw in Naxclow's platform’s onboarding workflow allows an attacker to replay a confirm-then...
🔗 CVE IDs covered (1)
📋 Description
A flaw in Naxclow's platform’s onboarding workflow allows an attacker to replay a confirm-then-bind sequence to silently reassign a device to an arbitrary account. Because the affected endpoints validate request signatures but do not confirm legitimate ownership, an attacker with any account can take over a device without user interaction while the device remains online and unaware.