VARIoT IoT vulnerabilities database

ISPSoft is a new generation of Delta PLC programming software. Delta ISPSoft has a memory corruption vulnerability when processing isp project files. Attackers can trick users who install ISPSoft into opening malicious isp files, which triggers loopholes and denies service

Insufficient access control in hardware abstraction in SEMA driver for Intel(R) Computing Improvement Program before version 2.4.0.04733 may allow an authenticated user to potentially enable escalation of privilege, denial of service or information disclosure via local access. Intel Computing Improvement Program is a software improvement program application program of Intel Corporation. This program is used to collect computer function usage information, component usage information, operating system information, etc. A local attacker could exploit this vulnerability to elevate privileges, cause denial of service or disclose information

Improper permissions in the installer for Intel(R) Remote Displays SDK before version 2.0.1 R2 may allow an authenticated user to potentially enable escalation of privilege via local access. Intel Remote Displays SDK is a remote processing software development kit (SDK) of Intel Corporation. The product enables low-latency capture, compression, decompression, and configuration of virtual displays. A local attacker could exploit this vulnerability to elevate privileges

Improper file verification in Intel® Driver & Support Assistant before 19.7.30.2 may allow an authenticated user to potentially enable escalation of privilege via local access. Intel Driver & Support Assistant is an Intel driver and support management tool from Intel Corporation. This tool is mainly used to get the latest applications provided by Intel. An authorization issue vulnerability exists in Intel Driver & Support Assistant versions prior to 19.7.30.2. The vulnerability is caused by the program not properly validating files. A local attacker could exploit this vulnerability to elevate privileges

Improper file verification in Intel® Driver & Support Assistant before 19.7.30.2 may allow an authenticated user to potentially enable escalation of privilege via local access. Intel Driver & Support Assistant is an Intel driver and support management tool from Intel Corporation. This tool is mainly used to get the latest applications provided by Intel. An authorization issue vulnerability exists in Intel Driver & Support Assistant versions prior to 19.7.30.2. The vulnerability is caused by the program not properly validating files. A local attacker could exploit this vulnerability to elevate privileges

Improper permissions in the software installer for Intel(R) Authenticate before 3.8 may allow an authenticated user to potentially enable escalation of privilege via local access. Intel Authenticate is a set of multi-factor authentication software from Intel Corporation of the United States. An authorization issue vulnerability exists in the software installer in versions prior to Intel Authenticate 3.8. A local attacker could exploit this vulnerability to elevate privileges

Insufficient access control in a hardware abstraction driver for Intel(R) Processor Identification Utility for Windows before version 6.1.0731 may allow an authenticated user to potentially enable escalation of privilege, denial of service or information disclosure via local access. Intel Processor Identification Utility is a processor identification utility developed by Intel Corporation. The program supports displaying graphics information, chipset information, technologies supported by the processor, and other information. A local attacker could exploit this vulnerability to elevate privileges, cause denial of service or disclose information

Authentication bypass in the web console for Intel(R) Raid Web Console 2 all versions may allow an unauthenticated attacker to potentially enable disclosure of information via network access. Intel Raid Web Console 2 is a web-based application program of Intel Corporation that provides monitoring, maintenance, troubleshooting and configuration functions for Intel RAID products. An attacker could exploit this vulnerability to disclose information

An issue was discovered in Zoho ManageEngine Application Manager through 14.2. There is a SQL Injection vulnerability in jsp/NewThresholdConfiguration.jsp via the resourceid parameter. Therefore, a low-authority user can gain the authority of SYSTEM on the server. One can consequently upload a malicious file using the "Execute Program Action(s)" feature. Zoho ManageEngine Application Manager Is SQL An injection vulnerability exists.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. This system is mainly used to monitor server and application performance. An attacker could use this vulnerability to execute illegal SQL commands

An issue was discovered in Zoho ManageEngine OpManager in builds before 14310. One can bypass the user password requirement and execute commands on the server. The "username+'@opm' string is used for the password. For example, if the username is admin, the password is admin@opm. Zoho ManageEngine OpManager Contains vulnerabilities related to authorization, permissions, and access control.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Zoho ManageEngine OpManager is a set of network, server and virtualization monitoring software from Zoho. Zoho ManageEngine OpManager is vulnerable to permission permission and access control issues

An issue was discovered in Zoho ManageEngine OpManager through 12.4x. There is a SQL Injection vulnerability in jsp/NewThresholdConfiguration.jsp via the resourceid parameter. Therefore, a low-authority user can gain the authority of SYSTEM on the server. One can consequently upload a malicious file using the "Execute Program Action(s)" feature. Zoho ManageEngine OpManager In SQL An injection vulnerability exists.Information is acquired, information is falsified, and denial of service (DoS) May be in a state. Zoho ManageEngine OpManager is a set of network, server and virtualization monitoring software from Zoho. An attacker could use this vulnerability to execute illegal SQL commands

In Delta Industrial Automation DOPSoft, Version 4.00.06.15 and prior, processing a specially crafted project file may trigger a use-after-free vulnerability, which may allow information disclosure, remote code execution, or crash of the application. Delta Industrial Automation DOPSoft Contains a vulnerability in the use of freed memory.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists within the parsing of DPA files. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Delta Electronics Industrial Automation DOPSoft is a set of human-machine interface (HMI) software from Taiwan's Delta Electronics (Delta Electronics) company

eQ-3 Homematic CCU2 and CCU3 obtain session IDs without login. This allows a Denial of Service and is a starting point for other attacks. Affected versions for CCU2: 2.35.16, 2.41.5, 2.41.8, 2.41.9, 2.45.6, 2.45.7, 2.47.10, 2.47.12, 2.47.15. Affected versions for CCU3: 3.41.11, 3.43.16, 3.45.5, 3.45.7, 3.47.10, 3.47.15. eQ-3 Homematic CCU2 and CCU3 Contains a resource exhaustion vulnerability.Tampering with information and disrupting service operations (DoS) There is a possibility of being put into a state. Both eQ-3 Homematic CCU3 and eQ-3 Homematic CCU2 are central control units of a smart home system produced by German eQ-3 company. A resource management error vulnerability exists in the eQ-3 Homematic CCU2 and eQ-3 Homematic CCU3. The following products and versions are affected: eQ-3 Homematic CCU2 Version 2.35.16, Version 2.41.5, Version 2.41.8, Version 2.41.9, Version 2.45.6, Version 2.45.7, Version 2.47.10, Version 2.47.12 Version, version 2.47.15; eQ-3 Homematic CCU3 version 3.41.11, version 3.43.16, version 3.45.5, version 3.45.7, version 3.47.10, version 3.47.15

The google-document-embedder plugin before 2.6.1 for WordPress has XSS. WordPress for google-document-embedder The plug-in contains a cross-site scripting vulnerability.Information may be obtained and information may be altered. WordPress is a blogging platform developed by the WordPress Foundation using PHP language. The platform supports setting up personal blog sites on PHP and MySQL servers. google-document-embedder is one of the plug-ins used to add files to pages and provide download links. The vulnerability stems from the lack of correct validation of client data in WEB applications. An attacker could exploit this vulnerability to execute client code

eQ-3 Homematic CCU2 outdated base software packages allows Denial of Service. CCU2 affected versions: 2.35.16, 2.41.5, 2.41.8, 2.41.9, 2.45.6, 2.45.7, 2.47.10, 2.47.12, 2.47.15. eQ-3 Homematic CCU2 Contains a resource exhaustion vulnerability.Service operation interruption (DoS) There is a possibility of being put into a state. eQ-3 HomeMatic CCU2 is a central control unit of a smart home system produced by German eQ-3 company. A resource management error vulnerability exists in the eQ-3 Homematic CCU2. An attacker could exploit this vulnerability to cause a denial of service

eQ-3 Homematic AddOn 'CloudMatic' on CCU2 and CCU3 allows uncontrolled admin access, resulting in the ability to obtain VPN profile details, shutting down the VPN service and to delete the VPN service configuration. This is related to improper access control for all /addons/mh/ pages. eQ-3 Homematic CCU2 and CCU3 Contains an access control vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Both eQ-3 Homematic CCU3 and eQ-3 Homematic CCU2 are central control units of a smart home system produced by German eQ-3 company. This vulnerability stems from network systems or products not properly restricting access to resources from unauthorized roles

The all-in-one-wp-security-and-firewall plugin before 3.9.1 for WordPress has multiple SQL injection issues. WordPress for all-in-one-wp-security-and-firewall Plug-ins include SQL An injection vulnerability exists.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. The vulnerability stems from the lack of verification of externally input SQL statements in database-based applications. Attackers can exploit this vulnerability to execute illegal SQL commands

The google-document-embedder plugin before 2.6.2 for WordPress has CSRF. WordPress for google-document-embedder The plug-in contains a cross-site request forgery vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. A cross-site request forgery vulnerability exists in the WordPress google-document-embedder plugin version prior to 2.6.2. The vulnerability stems from the WEB application not adequately verifying that the request is from a trusted user. An attacker could exploit this vulnerability to send unexpected requests to the server through an affected client

The google-document-embedder plugin before 2.6.2 for WordPress has XSS. WordPress for google-document-embedder The plug-in contains a cross-site scripting vulnerability.Information may be obtained and information may be altered. The vulnerability stems from the lack of correct validation of client data in WEB applications. An attacker could exploit this vulnerability to execute client code

The MediaTek Embedded Multimedia Card (eMMC) subsystem for Android on MT65xx, MT66xx, and MT8163 SoC devices allows attackers to execute arbitrary commands as root via shell metacharacters in a filename under /data, because clear_emmc_nomedia_entry in platform/mt6577/external/meta/emmc/meta_clr_emmc.c invokes 'system("/system/bin/rm -r /data/' followed by this filename upon an eMMC clearance from a Meta Mode boot. NOTE: compromise of Fire OS on the Amazon Echo Dot would require a second hypothetical vulnerability that allows creation of the required file under /data. MediaTek Embedded Multimedia Card (eMMC) Contains a command injection vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. A security vulnerability exists in the MediaTek Embedded Multimedia Card (eMMC) subsystem. The following products and versions are affected: MT65xx devices; MT66xx devices; MT8163 SoC devices