VARIoT IoT vulnerabilities database

Affected products: vendor, model and version
CWE format is 'CWE-number'. Threat type can be: remote or local
Look up free text in title and description

VAR-201910-1415 CVE-2016-11015 NETGEAR JNR1010 Cross-Site Request Forgery Vulnerability CVSS V2: 4.3
CVSS V3: 6.5
Severity: MEDIUM
NETGEAR JNR1010 devices before 1.0.0.32 allow cgi-bin/webproc CSRF via the :InternetGatewayDevice.X_TWSZ-COM_URL_Filter.BlackList.1.URL parameter. NETGEAR JNR1010 The device contains a cross-site request forgery vulnerability.Information may be tampered with. NETGEAR JNR1010 is a wireless router from NETGEAR. The vulnerability stems from insufficient verification of whether a request comes from a trusted user by a web application. Attackers can use this vulnerability to send unexpected requests to the server through the affected client
VAR-201910-0965 CVE-2019-15246 Cisco SPA100 Series Analog Telephone Adapters Buffer error vulnerability CVSS V2: 5.2
CVSS V3: 8.0
Severity: HIGH
Multiple vulnerabilities in Cisco SPA100 Series Analog Telephone Adapters (ATAs) could allow an authenticated, adjacent attacker to execute arbitrary code with elevated privileges. The vulnerabilities are due to improper validation of user-supplied input to the web-based management interface. An attacker could exploit these vulnerabilities by authenticating to the web-based management interface and sending crafted requests to an affected device. A successful exploit could allow the attacker to execute arbitrary code with elevated privileges. Note: The web-based management interface is enabled by default. Cisco SPA100 Series Analog Telephone Adapters (ATAs) is a SPA100 series analog telephone adapter from Cisco (USA). A buffer overflow vulnerability exists in Cisco SPA100 Series ATAs. The vulnerability stems from the program's failure to properly validate input submitted by users. Code
VAR-201910-1727 CVE-2019-15260 Cisco Aironet Access Points Software Access Control Error Vulnerability CVSS V2: 10.0
CVSS V3: 9.8
Severity: CRITICAL
A vulnerability in Cisco Aironet Access Points (APs) Software could allow an unauthenticated, remote attacker to gain unauthorized access to a targeted device with elevated privileges. The vulnerability is due to insufficient access control for certain URLs on an affected device. An attacker could exploit this vulnerability by requesting specific URLs from an affected AP. An exploit could allow the attacker to gain access to the device with elevated privileges. While the attacker would not be granted access to all possible configuration options, it could allow the attacker to view sensitive information and replace some options with values of their choosing, including wireless network configuration. It would also allow the attacker to disable the AP, creating a denial of service (DoS) condition for clients associated with the AP. Cisco Aironet 1540 Series APs and other products are products of the United States Cisco. Cisco Aironet 1540 Series APs are a 1540 series access point product. Cisco Aironet 1560 Series APs are a 1560 series access point product. Cisco Aironet 1800 Series APs are a 1800 series access point product. Aironet Access Points (APs) Software is a set of operating systems running on it
VAR-201910-0374 CVE-2019-12636 Cisco Small Business Smart and Managed Switch Vulnerable to cross-site request forgery CVSS V2: 6.8
CVSS V3: 8.8
Severity: HIGH
A vulnerability in the web-based management interface of Cisco Small Business Smart and Managed Switches could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack on an affected system. The vulnerability is due to insufficient CSRF protections for the web-based management interface on an affected device. An attacker could exploit this vulnerability by persuading a user of the interface to follow a malicious link. A successful exploit could allow the attacker to perform arbitrary actions with the privilege level of the targeted user. If the user has administrative privileges, the attacker could alter the configuration, execute commands, or cause a denial of service (DoS) condition on an affected device. Cisco 250 Series Smart Switches, etc. are products of the United States Cisco (Cisco). The Cisco 250 Series Smart Switches is a 250 series smart switch. The Cisco 350 Series Managed Switches is a 350 series managed switch. 550X Series Stackable Managed Switches is a 550X Series managed switch. The vulnerability stems from the program's failure to provide adequate cross-site request forgery protection
VAR-201910-0976 CVE-2019-15261 Cisco Aironet Access Points Input validation vulnerability CVSS V2: 7.8
CVSS V3: 8.6
Severity: HIGH
A vulnerability in the Point-to-Point Tunneling Protocol (PPTP) VPN packet processing functionality in Cisco Aironet Access Points (APs) could allow an unauthenticated, remote attacker to cause an affected device to reload, resulting in a denial of service (DoS) condition. The vulnerability is due to insufficient validation of Generic Routing Encapsulation (GRE) frames that pass through the data plane of an affected AP. An attacker could exploit this vulnerability by associating to a vulnerable AP, initiating a PPTP VPN connection to an arbitrary PPTP VPN server, and sending a malicious GRE frame through the data plane of the AP. A successful exploit could allow the attacker to cause an internal process of the targeted AP to crash, which in turn would cause the AP to reload. The AP reload would cause a DoS condition for clients that are associated with the AP. Cisco Aironet Access Points (APs) Contains an input validation vulnerability.Service operation interruption (DoS) There is a possibility of being put into a state. Cisco Aironet AP is a series of access point products
VAR-201910-0843 CVE-2019-17663 D-Link DIR-866L Cross-Site Scripting Vulnerability CVSS V2: 4.3
CVSS V3: 6.1
Severity: MEDIUM
D-Link DIR-866L 1.03B04 devices allow XSS via HtmlResponseMessage in the device common gateway interface, leading to common injection. D-Link DIR-866L The device contains a cross-site scripting vulnerability.Information may be obtained and information may be altered. D-Link DIR-866L is a wireless router from Taiwan D-Link. A cross-site scripting vulnerability exists in D-Link DIR-866L 1.03B04. A remote attacker could use the device's common gateway interface to exploit this vulnerability to execute arbitrary code
VAR-201910-0963 CVE-2019-15244 Cisco SPA100 Series Analog Telephone Adapters Buffer error vulnerability CVSS V2: 5.2
CVSS V3: 8.0
Severity: HIGH
Multiple vulnerabilities in Cisco SPA100 Series Analog Telephone Adapters (ATAs) could allow an authenticated, adjacent attacker to execute arbitrary code with elevated privileges. The vulnerabilities are due to improper validation of user-supplied input to the web-based management interface. An attacker could exploit these vulnerabilities by authenticating to the web-based management interface and sending crafted requests to an affected device. A successful exploit could allow the attacker to execute arbitrary code with elevated privileges. Note: The web-based management interface is enabled by default. Cisco SPA100 Series Analog Telephone Adapters (ATAs) is a SPA100 series analog telephone adapter
VAR-201910-0962 CVE-2019-15243 Cisco SPA100 Series Analog Telephone Adapters Buffer error vulnerability CVSS V2: 5.2
CVSS V3: 8.0
Severity: HIGH
Multiple vulnerabilities in Cisco SPA100 Series Analog Telephone Adapters (ATAs) could allow an authenticated, adjacent attacker to execute arbitrary code with elevated privileges. The vulnerabilities are due to improper validation of user-supplied input to the web-based management interface. An attacker could exploit these vulnerabilities by authenticating to the web-based management interface and sending crafted requests to an affected device. A successful exploit could allow the attacker to execute arbitrary code with elevated privileges. Note: The web-based management interface is enabled by default. Cisco SPA100 Series Analog Telephone Adapters (ATAs) is a SPA100 series analog telephone adapter
VAR-201910-0723 CVE-2019-17512 D-Link DIR-412 Authentication vulnerability in router CVSS V2: 6.4
CVSS V3: 9.1
Severity: CRITICAL
There are some web interfaces without authentication requirements on D-Link DIR-412 A1-1.14WW routers. An attacker can clear the router's log file via act=clear&logtype=sysact to log_clear.php, which could be used to erase attack traces. D-Link DIR-412 The router contains an authentication vulnerability.The information may be obtained and the information may be falsified
VAR-201910-0969 CVE-2019-15250 Cisco SPA100 Series Analog Telephone Adapters Buffer error vulnerability CVSS V2: 5.2
CVSS V3: 8.0
Severity: HIGH
Multiple vulnerabilities in Cisco SPA100 Series Analog Telephone Adapters (ATAs) could allow an authenticated, adjacent attacker to execute arbitrary code with elevated privileges. The vulnerabilities are due to improper validation of user-supplied input to the web-based management interface. An attacker could exploit these vulnerabilities by authenticating to the web-based management interface and sending crafted requests to an affected device. A successful exploit could allow the attacker to execute arbitrary code with elevated privileges. Note: The web-based management interface is enabled by default. A buffer overflow vulnerability exists in Cisco SPA100 Series ATAs. The vulnerability stems from the program's failure to properly validate input submitted by users. Code
VAR-201910-0970 CVE-2019-15251 Cisco SPA100 Series Analog Telephone Adapters Buffer error vulnerability CVSS V2: 5.2
CVSS V3: 8.0
Severity: HIGH
Multiple vulnerabilities in Cisco SPA100 Series Analog Telephone Adapters (ATAs) could allow an authenticated, adjacent attacker to execute arbitrary code with elevated privileges. The vulnerabilities are due to improper validation of user-supplied input to the web-based management interface. An attacker could exploit these vulnerabilities by authenticating to the web-based management interface and sending crafted requests to an affected device. A successful exploit could allow the attacker to execute arbitrary code with elevated privileges. Note: The web-based management interface is enabled by default. Cisco SPA100 Series Analog Telephone Adapters (ATAs) is a SPA100 series analog telephone adapter from Cisco (USA). A buffer overflow vulnerability exists in Cisco SPA100 Series ATAs. The vulnerability stems from the program's failure to properly validate input submitted by users. Code
VAR-201910-0967 CVE-2019-15248 Cisco SPA100 Series Analog Telephone Adapters Buffer error vulnerability CVSS V2: 5.2
CVSS V3: 8.0
Severity: HIGH
Multiple vulnerabilities in Cisco SPA100 Series Analog Telephone Adapters (ATAs) could allow an authenticated, adjacent attacker to execute arbitrary code with elevated privileges. The vulnerabilities are due to improper validation of user-supplied input to the web-based management interface. An attacker could exploit these vulnerabilities by authenticating to the web-based management interface and sending crafted requests to an affected device. A successful exploit could allow the attacker to execute arbitrary code with elevated privileges. Note: The web-based management interface is enabled by default. Cisco SPA100 Series Analog Telephone Adapters (ATAs) is a SPA100 series analog telephone adapter from Cisco (USA). A buffer overflow vulnerability exists in Cisco SPA100 Series ATAs. The vulnerability stems from the program's failure to properly validate input submitted by users. Code
VAR-201910-0971 CVE-2019-15252 Cisco SPA100 Series Analog Telephone Adapters Buffer error vulnerability CVSS V2: 5.2
CVSS V3: 8.0
Severity: HIGH
Multiple vulnerabilities in Cisco SPA100 Series Analog Telephone Adapters (ATAs) could allow an authenticated, adjacent attacker to execute arbitrary code with elevated privileges. The vulnerabilities are due to improper validation of user-supplied input to the web-based management interface. An attacker could exploit these vulnerabilities by authenticating to the web-based management interface and sending crafted requests to an affected device. A successful exploit could allow the attacker to execute arbitrary code with elevated privileges. Note: The web-based management interface is enabled by default. Cisco SPA100 Series Analog Telephone Adapters (ATAs) is a SPA100 series analog telephone adapter from Cisco (USA). A buffer overflow vulnerability exists in Cisco SPA100 Series ATAs. The vulnerability stems from the program's failure to properly validate input submitted by users. Code
VAR-201910-0341 CVE-2019-12704 Cisco SPA100 Series Analog Telephone Adapters Vulnerable to information disclosure CVSS V2: 4.0
CVSS V3: 6.5
Severity: MEDIUM
A vulnerability in the web-based management interface of Cisco SPA100 Series Analog Telephone Adapters (ATAs) could allow an authenticated, remote attacker to view the contents of arbitrary files on an affected device. The vulnerability is due to improper input validation in the web-based management interface. An attacker could exploit this vulnerability by sending a crafted request to the web-based management interface of an affected device. A successful exploit could allow the attacker to retrieve the contents of arbitrary files on the device, possibly resulting in the disclosure of sensitive information
VAR-201910-0979 CVE-2019-15265 Cisco Aironet Access Points Input validation vulnerability CVSS V2: 2.1
CVSS V3: 6.5
Severity: MEDIUM
A vulnerability in the bridge protocol data unit (BPDU) forwarding functionality of Cisco Aironet Access Points (APs) could allow an unauthenticated, adjacent attacker to cause an AP port to go into an error disabled state. The vulnerability occurs because BPDUs received from specific wireless clients are forwarded incorrectly. An attacker could exploit this vulnerability on the wireless network by sending a steady stream of crafted BPDU frames. A successful exploit could allow the attacker to cause a limited denial of service (DoS) attack because an AP port could go offline. Cisco Aironet Access Points (APs) Contains an input validation vulnerability.Service operation interruption (DoS) There is a possibility of being put into a state. Cisco Aironet 1540 Series APs and other products are products of the United States Cisco. Cisco Aironet 1540 Series APs are a 1540 series access point product. Cisco Aironet 1560 Series APs are a 1560 series access point product. Cisco Aironet 1800 Series APs are a 1800 series access point product
VAR-201910-0978 CVE-2019-15264 Cisco Aironet and Catalyst 9100 Access Points Vulnerabilities related to resource exhaustion CVSS V2: 6.1
CVSS V3: 6.5
Severity: MEDIUM
A vulnerability in the Control and Provisioning of Wireless Access Points (CAPWAP) protocol implementation of Cisco Aironet and Catalyst 9100 Access Points (APs) could allow an unauthenticated, adjacent attacker to cause an affected device to restart unexpectedly, resulting in a denial of service (DoS) condition. The vulnerability is due to improper resource management during CAPWAP message processing. An attacker could exploit this vulnerability by sending a high volume of legitimate wireless management frames within a short time to an affected device. A successful exploit could allow the attacker to cause a device to restart unexpectedly, resulting in a DoS condition for clients associated with the AP. Cisco Aironet AP is a series of access point products
VAR-201910-0966 CVE-2019-15247 Cisco SPA100 Series Analog Telephone Adapters Buffer error vulnerability CVSS V2: 5.2
CVSS V3: 8.0
Severity: HIGH
Multiple vulnerabilities in Cisco SPA100 Series Analog Telephone Adapters (ATAs) could allow an authenticated, adjacent attacker to execute arbitrary code with elevated privileges. The vulnerabilities are due to improper validation of user-supplied input to the web-based management interface. An attacker could exploit these vulnerabilities by authenticating to the web-based management interface and sending crafted requests to an affected device. A successful exploit could allow the attacker to execute arbitrary code with elevated privileges. Note: The web-based management interface is enabled by default. Cisco SPA100 Series Analog Telephone Adapters (ATAs) is a SPA100 series analog telephone adapter from Cisco (USA). A buffer overflow vulnerability exists in Cisco SPA100 Series ATAs. The vulnerability stems from the program's failure to properly validate input submitted by users. Code
VAR-201910-0339 CVE-2019-12702 Cisco SPA100 Series Analog Telephone Adapters Vulnerable to cross-site scripting CVSS V2: 3.5
CVSS V3: 5.4
Severity: MEDIUM
A vulnerability in the web-based management interface of Cisco SPA100 Series Analog Telephone Adapters (ATAs) could allow an authenticated, remote attacker to conduct cross-site scripting attacks. The vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of the affected software. An attacker could exploit this vulnerability by persuading a user to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. The Cisco SPA100 Series is an analog phone adapter from Cisco that allows your standard analog phone to access Internet phone services through the RJ-11 phone port
VAR-201910-0974 CVE-2019-15258 Cisco SPA100 Series Analog Telephone Adapters Input validation vulnerability CVSS V2: 6.8
CVSS V3: 6.5
Severity: MEDIUM
A vulnerability in the web-based management interface of Cisco SPA100 Series Analog Telephone Adapters (ATAs) could allow an authenticated, remote attacker to cause a denial of service condition on an affected device. The vulnerability is due to improper validation of user-supplied requests to the web-based management interface. An attacker could exploit this vulnerability by sending a crafted request to the web-based management interface of an affected device. A successful exploit could allow the attacker to cause the device to stop responding, requiring manual intervention for recovery. The Cisco SPA100 Series is an analog phone adapter from Cisco that allows your standard analog phone to access Internet phone services through the RJ-11 phone port
VAR-201910-0964 CVE-2019-15245 Cisco SPA100 Series Analog Telephone Adapters Buffer error vulnerability CVSS V2: 5.2
CVSS V3: 8.0
Severity: HIGH
Multiple vulnerabilities in Cisco SPA100 Series Analog Telephone Adapters (ATAs) could allow an authenticated, adjacent attacker to execute arbitrary code with elevated privileges. The vulnerabilities are due to improper validation of user-supplied input to the web-based management interface. An attacker could exploit these vulnerabilities by authenticating to the web-based management interface and sending crafted requests to an affected device. A successful exploit could allow the attacker to execute arbitrary code with elevated privileges. Note: The web-based management interface is enabled by default. Cisco SPA100 Series Analog Telephone Adapters (ATAs) is a SPA100 series analog telephone adapter