VARIoT IoT vulnerabilities database

Affected products: vendor, model and version
CWE format is 'CWE-number'. Threat type can be: remote or local
Look up free text in title and description

VAR-202001-0381 CVE-2019-20213 D-Link DIR-859 Router Information Disclosure Vulnerability CVSS V2: 5.0
CVSS V3: 7.5
Severity: HIGH
D-Link DIR-859 routers before v1.07b03_beta allow Unauthenticated Information Disclosure via the AUTHORIZED_GROUP=1%0a value, as demonstrated by vpnconfig.php. D-Link DIR-859 is a wireless AC1750 high power Wi-Fi Gigabit router. Attackers can use this vulnerability to obtain information through AUTHORIZED_GROUP = 1% 0a
VAR-202001-0898 CVE-2020-1785 plural Huawei Vulnerability related to input validation in products CVSS V2: 7.1
CVSS V3: 5.5
Severity: MEDIUM
Mate 10 Pro;Honor V10;Honor 10;Nova 4 smartphones have a denial of service vulnerability. The system does not properly check the status of certain module during certain operations, an attacker should trick the user into installing a malicious application, successful exploit could cause reboot of the smartphone. plural Huawei The product contains an input validation vulnerability.Service operation interruption (DoS) There is a possibility of being put into a state. Huawei Honor V10 and other products are products of Huawei of China. Huawei Honor V10 is a smartphone product. Huawei Honor 10 is a smartphone product. Mate 10 Pro is a smartphone
VAR-202001-0509 CVE-2019-19441 Huawei P30 Information Disclosure Vulnerability CVSS V2: 3.3
CVSS V3: 6.5
Severity: MEDIUM
HUAWEI P30 smart phones with versions earlier than 10.0.0.166(C00E66R1P11) have an information leak vulnerability. An attacker could send specific command in the local area network (LAN) to exploit this vulnerability. Successful exploitation may cause information leak. Huawei P30 Smartphones contain information disclosure vulnerabilities.Information may be obtained. The Huawei P30 is a smartphone from China's Huawei
VAR-202001-0500 CVE-2019-15999 Cisco Data Center Network Manager Vulnerable to unauthorized authentication CVSS V2: 4.0
CVSS V3: 6.3
Severity: MEDIUM
A vulnerability in the application environment of Cisco Data Center Network Manager (DCNM) could allow an authenticated, remote attacker to gain unauthorized access to the JBoss Enterprise Application Platform (JBoss EAP) on an affected device. The vulnerability is due to an incorrect configuration of the authentication settings on the JBoss EAP. An attacker could exploit this vulnerability by authenticating with a specific low-privilege account. A successful exploit could allow the attacker to gain unauthorized access to the JBoss EAP, which should be limited to internal system accounts. Cisco Data Center Network Manager (DCNM) Contains an incorrect authentication vulnerability.Information is acquired, information is falsified, and denial of service (DoS) May be in a state. The system is available for Cisco Nexus and MDS series switches and provides storage visualization, configuration and troubleshooting functions
VAR-202001-1006 CVE-2020-1871 USG9500 Vulnerable to insufficient protection of credentials CVSS V2: 6.4
CVSS V3: 8.2
Severity: HIGH
USG9500 with software of V500R001C30SPC100; V500R001C30SPC200; V500R001C30SPC600; V500R001C60SPC500; V500R005C00SPC100; V500R005C00SPC200 have an improper credentials management vulnerability. The software does not properly manage certain credentials. Successful exploit could cause information disclosure or damage, and impact the confidentiality or integrity. USG9500 Contains a vulnerability related to insufficient protection of credentials.Information may be obtained and information may be altered
VAR-201912-1871 No CVE Information disclosure vulnerability exists in Siemens KTP600PN touch screen CVSS V2: 2.1
CVSS V3: -
Severity: LOW
KTP600 is a set of touch screen based on Windows platform developed by Siemens, which is used to quickly construct and generate the configuration software system of the host computer monitoring system. An information disclosure vulnerability exists in the Siemens KTP600PN touch screen. Attackers can use this vulnerability to obtain sensitive information
VAR-201912-1012 CVE-2019-17621 D-Link DIR-859 Wi-Fi At the router OS Command injection vulnerability CVSS V2: 10.0
CVSS V3: 9.8
Severity: CRITICAL
The UPnP endpoint URL /gena.cgi in the D-Link DIR-859 Wi-Fi router 1.05 and 1.06B01 Beta01 allows an Unauthenticated remote attacker to execute system commands as root, by sending a specially crafted HTTP SUBSCRIBE request to the UPnP service when connecting to the local network. D-Link DIR-859 Wi-Fi The router has OS A command injection vulnerability exists.Information is acquired, information is falsified, and denial of service (DoS) May be in a state. D-Link DIR-859 is a wireless router from Taiwan D-Link Corporation. A remote command execution vulnerability exists in DLINK's DIR-859 series routers. Attackers can use this vulnerability to execute arbitrary commands on target devices with root privileges
VAR-201912-1750 CVE-2018-7859 D-Link DGS-1510 Cross-site scripting vulnerability in series switch firmware CVSS V2: 4.3
CVSS V3: 6.1
Severity: MEDIUM
A security vulnerability in D-Link DGS-1510-series switches with firmware 1.20.011, 1.30.007, 1.31.B003 and older that may allow a remote attacker to inject malicious scripts in the device and execute commands via browser that is configuring the unit. D-Link DGS-1510 A cross-site scripting vulnerability exists in the firmware of the series switch.Information may be obtained and information may be altered. D-Link DGS-1510 is a DGS-1510 series switch of D-Link Corporation of China. There are security vulnerabilities in D-Link DGS-1510 using firmware 1.20.011, 1.30.007, and 1.31.B003 and earlier firmware
VAR-201912-0827 CVE-2019-7479 SonicOS and SonicOSv Vulnerabilities in authentication CVSS V2: 6.5
CVSS V3: 7.2
Severity: HIGH
A vulnerability in SonicOS allow authenticated read-only admin can elevate permissions to configuration mode. This vulnerability affected SonicOS Gen 5 version 5.9.1.12-4o and earlier, Gen 6 version 6.2.7.4-32n, 6.5.1.4-4n, 6.5.2.3-4n, 6.5.3.3-3n, 6.2.7.10-3n, 6.4.1.0-3n, 6.5.3.3-3n, 6.5.1.9-4n and SonicOSv 6.5.0.2-8v_RC363 (VMWARE), 6.5.0.2.8v_RC367 (AZURE), SonicOSv 6.5.0.2.8v_RC368 (AWS), SonicOSv 6.5.0.2.8v_RC366 (HYPER_V). SonicOS and SonicOSv Contains an authentication vulnerability.Information is acquired, information is falsified, and denial of service (DoS) May be in a state. SonicWall SonicOS is a set of operating system specially designed for SonicWall firewall equipment of SonicWall Company in the United States. An authorization issue vulnerability exists in SonicWall SonicOS due to the program not properly validating permissions. An attacker could exploit this vulnerability to elevate privileges through a specially crafted request
VAR-201912-0826 CVE-2019-7478 GMS In SQL Injection vulnerability CVSS V2: 7.5
CVSS V3: 9.8
Severity: CRITICAL
A vulnerability in GMS allow unauthenticated user to SQL injection in Webservice module. This vulnerability affected GMS versions GMS 8.4, 8.5, 8.6, 8.7, 9.0 and 9.1. SonicWall Global Management System (GMS) is a global management system of SonicWall Corporation in the United States. The system enables rapid deployment and centralized management of Dell SonicWALL firewall, anti-spam, backup and recovery, and secure remote access solutions. The vulnerability stems from the lack of verification of externally input SQL statements in database-based applications. Attackers can exploit this vulnerability to execute illegal SQL commands. The following products and versions are affected: SonicWall GMS Version 8.4, Version 8.5, Version 8.6, Version 8.7, Version 9.0, Version 9.1
VAR-202001-1874 No CVE Command execution vulnerability in Siemens PLC s7-300 CVSS V2: 10.0
CVSS V3: -
Severity: HIGH
S7-300 is one of the programmable logic controller (PLC) series products produced by German Siemens. Siemens PLC s7-300 has a command execution vulnerability. An attacker can use this vulnerability to execute malicious commands and obtain administrator rights
VAR-201912-2003 No CVE A SQL injection vulnerability exists in the simple forum system of Ainon Network Technology Service Center, Huanggu District, Shenyang 162100 CVSS V2: 7.8
CVSS V3: -
Severity: HIGH
The Simple Forum System of Ainong Network Technology Service Center in Huanggu District, Shenyang City is a forum website building system. A SQL injection vulnerability exists in the 162100 Simple Forum system of Ainong Network Technology Service Center, Huanggu District, Shenyang. Attackers can use the vulnerability to obtain sensitive database information.
VAR-201912-2005 No CVE A SQL injection vulnerability exists in the 162100 simple forum system of Ainon Network Technology Service Center, Huanggu District, Shenyang (CNVD-2020-00002) CVSS V2: 7.8
CVSS V3: -
Severity: HIGH
The simple forum system of Ainon Network Technology Service Center in Huanggu District, Shenyang City is a forum website building system. A SQL injection vulnerability exists in the 162100 Simple Forum System of Ainong Network Technology Service Center, Huanggu District, Shenyang City. Attackers can use this vulnerability to obtain sensitive database information.
VAR-201912-0714 CVE-2019-20075 Netis DL4323 Device cross-site scripting vulnerability CVSS V2: 4.3
CVSS V3: 6.1
Severity: MEDIUM
On Netis DL4323 devices, pingrtt_v6.html has XSS (Ping6 Diagnostic). Netis DL4323 The device contains a cross-site scripting vulnerability.Information may be obtained and information may be altered. NETCORE Netis DL4323 is a multifunctional modem of China Netcore Corporation. A cross-site scripting vulnerability exists in the pingrtt_v6.html page in NETCORE Netis DL4323. The vulnerability stems from the lack of proper validation of client data by web applications. An attacker could use this vulnerability to execute client code
VAR-201912-0715 CVE-2019-20076 NETCORE Netis DL4323 Cross-Site Scripting Vulnerability CVSS V2: 4.3
CVSS V3: 6.1
Severity: MEDIUM
On Netis DL4323 devices, XSS exists via the form2Ddns.cgi username parameter (DynDns settings of the Dynamic DNS Configuration). Netis DL4323 The device contains a cross-site scripting vulnerability.Information may be obtained and information may be altered. NETCORE Netis DL4323 is a multifunctional modem from China Netcore Corporation. A cross-site scripting vulnerability exists in NETCORE Netis DL4323. The vulnerability stems from the lack of proper verification of client data by web applications. Attackers can use this vulnerability to execute client code
VAR-201912-0709 CVE-2019-20070 Netis DL4323 Device cross-site scripting vulnerability CVSS V2: 4.3
CVSS V3: 6.1
Severity: MEDIUM
On Netis DL4323 devices, XSS exists via the urlFQDN parameter to form2url.cgi (aka the Keyword field of the URL Blocking Configuration). Netis DL4323 The device contains a cross-site scripting vulnerability.Information may be obtained and information may be altered. NETCORE Netis DL4323 is a multifunctional modem from China Netcore Corporation. A cross-site scripting vulnerability exists in NETCORE Netis DL4323. The vulnerability stems from the lack of proper verification of client data by web applications. Attackers can use this vulnerability to execute client code
VAR-201912-0710 CVE-2019-20071 Netis DL4323 Device cross-site request forgery vulnerability CVSS V2: 5.8
CVSS V3: 6.5
Severity: MEDIUM
On Netis DL4323 devices, CSRF exists via form2logaction.cgi to delete all logs. Netis DL4323 The device contains a cross-site request forgery vulnerability.Information may be tampered with. NETCORE Netis DL4323 is a multifunctional modem from China Netcore Corporation. The vulnerability stems from a web application's insufficient verification that the request came from a trusted user. An attacker could use this vulnerability to send an unexpected request to the server through an affected client
VAR-201912-0713 CVE-2019-20074 Netis DL4323 Vulnerability related to information leak from cache in device CVSS V2: 4.0
CVSS V3: 8.8
Severity: HIGH
On Netis DL4323 devices, any user role can view sensitive information, such as a user password or the FTP password, via the form2saveConf.cgi page. Netis DL4323 The device contains a vulnerability related to information disclosure from the cache.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. NETCORE Netis DL4323 is a multifunctional modem from China Netcore Corporation. An information disclosure vulnerability exists in NETCORE Netis DL4323
VAR-201912-0712 CVE-2019-20073 Netis DL4323 Device cross-site scripting vulnerability CVSS V2: 4.3
CVSS V3: 6.1
Severity: MEDIUM
On Netis DL4323 devices, XSS exists via the form2userconfig.cgi username parameter (User Account Configuration). Netis DL4323 The device contains a cross-site scripting vulnerability.Information may be obtained and information may be altered. NETCORE Netis DL4323 is a multifunctional modem from China Netcore Corporation. A cross-site scripting vulnerability exists in NETCORE Netis DL4323. The vulnerability stems from the lack of proper verification of client data by web applications. Attackers can use this vulnerability to execute client code
VAR-201912-0711 CVE-2019-20072 Netis DL4323 Device cross-site scripting vulnerability CVSS V2: 4.3
CVSS V3: 6.1
Severity: MEDIUM
On Netis DL4323 devices, XSS exists via the form2Ddns.cgi hostname parameter (Dynamic DNS Configuration). Netis DL4323 The device contains a cross-site scripting vulnerability.Information may be obtained and information may be altered. NETCORE Netis DL4323 is a multifunctional modem from China Netcore Corporation. A cross-site scripting vulnerability exists in NETCORE Netis DL4323. The vulnerability stems from the lack of proper verification of client data by web applications. Attackers can use this vulnerability to execute client code