VARIoT IoT vulnerabilities database

An internal product security audit of Lenovo XClarity Administrator (LXCA) discovered a Document Object Model (DOM) based cross-site scripting vulnerability in versions prior to 2.6.6 that could allow JavaScript code to be executed in the user's web browser if a specially crafted link is visited. The JavaScript code is executed on the user's system, not executed on LXCA itself. Lenovo XClarity Administrator (LXCA) Exists in a cross-site scripting vulnerability.Information may be obtained and tampered with. Lenovo XClarity Administrator (LXCA) is a set of centralized resource management solutions of China Lenovo (Lenovo). The product provides agentless hardware management capabilities for servers, storage, network switches, and more

An XML External Entity (XXE) processing vulnerability was reported in Lenovo XClarity Administrator (LXCA) versions prior to 2.6.6 that could allow information disclosure. Lenovo XClarity Administrator (LXCA) is a set of centralized resource management solutions of China Lenovo (Lenovo). The product provides agentless hardware management capabilities for servers, storage, network switches, and more. An attacker could exploit this vulnerability to obtain information

An information disclosure vulnerability was reported in Lenovo XClarity Administrator (LXCA) versions prior to 2.6.6 that could allow unauthenticated access to some configuration files which may contain usernames, license keys, IP addresses, and encrypted password hashes. Lenovo XClarity Administrator (LXCA) There is an information leakage vulnerability in.Information may be obtained. Lenovo XClarity Administrator (LXCA) is a set of centralized resource management solutions of China Lenovo (Lenovo). The product provides agentless hardware management capabilities for servers, storage, network switches, and more

Lexmark printer MS812 and multiple older generation Lexmark devices have a stored XSS vulnerability in the embedded web server. The vulnerability can be exploited to expose session credentials and other information via the users web browser. plural Lexmark The product contains a cross-site scripting vulnerability.Information may be obtained and tampered with. Lexmark printers is a printer product from Lexmark. Lexmark printer MS812 and multiple previous series printers have cross-site scripting vulnerabilities. The vulnerability stems from the lack of proper validation of client data by web applications. An attacker could use this vulnerability to execute client code

MobileIron VSP < 5.9.1 and Sentry < 5.0 has an insecure encryption scheme. MobileIron VSP and Sentry There is a cryptographic strength vulnerability in.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be put into a state

An issue was discovered on Askey AP4000W TDC_V1.01.003 devices. An attacker can perform Remote Code Execution (RCE) by sending a specially crafted network packer to the bd_svr service listening on TCP port 54188. Askey AP4000W The device contains an input verification vulnerability.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be put into a state. Askey AP4000W is an AP device from Askey Computer. There are security vulnerabilities in Askey AP4000W TDC_V1.01.003. The vulnerability originates from the process of constructing a code snippet from external input data, and a network system or product fails to properly filter special elements therein

A stack-based buffer overflow was found on the D-Link DIR-842 REVC with firmware v3.13B09 HOTFIX due to the use of strcpy for LOGINPASSWORD when handling a POST request to the /MTFWU endpoint. D-Link DIR-842 REVC Is vulnerable to out-of-bounds writes.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be put into a state. D-Link DIR-842 REVC is a wireless router from Taiwan D-Link Corporation. The vulnerability originates from a network system or product that incorrectly validates data boundaries when performing operations on memory, causing incorrect read and write operations to be performed on other associated memory locations. An attacker could use this vulnerability to cause a buffer overflow or heap overflow

Improper permissions in the installer for Intel(R) RWC3 for Windows before version 7.010.009.000 may allow an authenticated user to potentially enable escalation of privilege via local access. Windows for Intel(R) RWC3 There is a vulnerability in improper default permissions.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be put into a state. There is a security vulnerability in the installer of Intel(R) RWC3 on Windows platform. A local attacker could exploit this vulnerability to elevate privileges

Improper permissions in the installer for Intel(R) RWC2, all versions, may allow an authenticated user to potentially enable escalation of privilege via local access. Intel(R) RWC2 There is a vulnerability in improper default permissions.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be put into a state. A security vulnerability exists in the installer in Intel(R) RWC2. A local attacker could exploit this vulnerability to elevate privileges

Authentication bypass using an alternate path or channel in SimpliSafe SS3 firmware 1.4 allows a local, unauthenticated attacker to modify the Wi-Fi network the base station connects to. SimpliSafe SS3 There is an authentication vulnerability in the firmware.Information may be tampered with

A vulnerability has been identified in SIPORT MP (All versions < 3.1.4). Vulnerable versions of the device allow the creation of special accounts ("service users") with administrative privileges that could enable a remote authenticated attacker to perform actions that are not visible to other users of the system, such as granting persons access to a secured area. SIPORT is a comprehensive, modular and reliable system for access control and time management in the SSP Siveillance Access Suite. Siemens SIPORT MP has a security vulnerability that could allow an attacker to create a special account with administrative privileges

The Synergy Systems & Solutions PLC & RTU system has a vulnerability in HUSKY RTU 6049-E70 firmware versions 5.0 and prior. Specially crafted malicious packets could cause disconnection of active authentic connections or reboot of device. This is a different issue than CVE-2019-16879 and CVE-2019-20046. This vulnerability is CVE-2019-16879 , CVE-2019-20046 Is a different vulnerability.Service operation interruption (DoS) It may be put into a state

Under some circumstances the SAML SSO implementation in the SAP NetWeaver (SAP_BASIS versions 702, 730, 731, 740 and SAP ABAP Platform (SAP_BASIS versions 750, 751, 752, 753, 754), allows an attacker to include invalidated data in the HTTP response header sent to a Web user, leading to HTTP Response Splitting vulnerability. SAP NetWeaver and ABAP Platform There is an unspecified vulnerability in.Information may be tampered with

Under certain conditions ABAP Online Community in SAP NetWeaver (SAP_BASIS version 7.40) and SAP S/4HANA (SAP_BASIS versions 7.50, 7.51, 7.52, 7.53, 7.54), allows an authenticated attacker to store a malicious payload which results in Stored Cross Site Scripting vulnerability. SAP NetWeaver and SAP S/4HANA Exists in a cross-site scripting vulnerability.Information may be obtained and tampered with

A Memory Corruption Vulnerability exists in NVIDIA Graphics Drivers 29549 due to an unknown function in the file proc/driver/nvidia/registry. NVIDIA The graphics driver contains a vulnerability related to out-of-bounds writing.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be put into a state

Under certain conditions, ABAP Online Community in SAP NetWeaver (SAP_BASIS version 7.40) and SAP S/4HANA (SAP_BASIS versions 7.50, 7.51, 7.52, 7.53, 7.54), does not sufficiently encode user-controlled inputs, resulting in Reflected Cross-Site Scripting (XSS) vulnerability. SAP NetWeaver and SAP S/4HANA Exists in a cross-site scripting vulnerability.Information may be obtained and tampered with

Huawei NIP6800 versions V500R001C30, V500R001C60SPC500, and V500R005C00; Secospace USG6600 and USG9500 versions V500R001C30SPC200, V500R001C30SPC600, V500R001C60SPC500, and V500R005C00 have a vulnerability that a memory management error exists when IPSec Module handing a specific message. This causes 1 byte out-of-bound read, compromising normal service. plural Huawei The product contains an out-of-bounds read vulnerability.Service operation interruption (DoS) It may be put into a state. Huawei USG9500 is a Huawei firewall device. A remote attacker can use this vulnerability to submit a special request that can cause the application to crash or restart

HUAWEI P30 smart phone with versions earlier than 10.1.0.135(C00E135R2P11) have an improper authentication vulnerability. Due to improper authentication of specific interface, in specific scenario attackers could access specific interface without authentication. Successful exploit could allow the attacker to perform unauthorized operations. HUAWEI P30 Smartphones contain authentication vulnerabilities.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be put into a state

A memory leak vulnerability exists in Cisco IOS before 15.2(1)T due to a memory leak in the HTTP PROXY Server process (aka CSCtu52820), when configured with Cisco ISR Web Security with Cisco ScanSafe and User Authenticaiton NTLM configured. Cisco IOS Is vulnerable to a lack of resource release after a valid lifetime.Service operation interruption (DoS) It may be put into a state. Cisco IOS is an operating system developed by Cisco for its network equipment. Currently there is no information about this vulnerability, please keep an eye on CNNVD or vendor announcements

Huawei NIP6800 versions V500R001C30, V500R001C60SPC500, and V500R005C00SPC100; and Secospace USG6600 and USG9500 versions V500R001C30SPC200, V500R001C30SPC600, V500R001C60SPC500, and V500R005C00SPC100 have an information leakage vulnerability. An attacker can exploit this vulnerability by sending specific request packets to affected devices. Successful exploit may lead to information leakage. Huawei NIP6800 , Secospace USG6600 , USG9500 Contains vulnerabilities related to improper shutdown and release of resources.Service operation interruption (DoS) It may be put into a state