VARIoT IoT vulnerabilities database


VAR-201908-0110 CVE-2019-5400 HPE 3PAR Service Processor Session fixation vulnerability CVSS V2: 6.5
CVSS V3: 6.3
Severity: MEDIUM
A remote session reuse vulnerability was discovered in HPE 3PAR Service Processor version(s): prior to 5.0.5.1. The HPE 3PAR Service Processor (SP) is a set of virtual service processors deployed by the HPE Corporation of the United States on the VMware vSphere hypervisor. An attacker could exploit the vulnerability to re-use the session
VAR-201908-0107 CVE-2019-5397 HPE 3PAR Service Processor Vulnerabilities related to security functions CVSS V2: 9.7
CVSS V3: 9.4
Severity: CRITICAL
A remote bypass of security restrictions vulnerability was discovered in HPE 3PAR Service Processor version(s): prior to 5.0.5.1. The HPE 3PAR Service Processor (SP) is a set of virtual service processors deployed by the HPE Corporation of the United States on the VMware vSphere hypervisor
VAR-201908-0106 CVE-2019-5396 HPE 3PAR Service Processor Authentication vulnerability CVSS V2: 9.7
CVSS V3: 9.4
Severity: CRITICAL
A remote authentication bypass vulnerability was discovered in HPE 3PAR Service Processor version(s): prior to 5.0.5.1. The HPE 3PAR Service Processor (SP) is a set of virtual service processors deployed by the HPE Corporation of the United States on the VMware vSphere hypervisor. No details of the vulnerability are currently provided
VAR-201908-0105 CVE-2019-5395 HPE 3PAR Service Processor Vulnerable to unlimited upload of dangerous types of files CVSS V2: 6.5
CVSS V3: 8.8
Severity: HIGH
A remote arbitrary file upload vulnerability was discovered in HPE 3PAR Service Processor version(s): prior to 5.0.5.1. HPE 3PAR Service Processor (SP) is a set of virtual service processors deployed by the HPE company in the VMware vSphere hypervisor. No vulnerability details are provided at this time
VAR-201908-0108 CVE-2019-5398 HPE 3PAR Service Processor Cross-Site Scripting Vulnerability CVSS V2: 3.5
CVSS V3: 5.4
Severity: MEDIUM
A remote multiple cross-site vulnerability was discovered in HPE 3PAR Service Processor version(s): prior to 5.0.5.1. The HPE 3PAR Service Processor (SP) is a set of virtual service processors deployed by the HPE Corporation of the United States on the VMware vSphere hypervisor. An attacker could exploit this vulnerability for a cross-site scripting attack
VAR-201908-1582 CVE-2018-13367 FortiOS Vulnerable to information disclosure CVSS V2: 5.0
CVSS V3: 5.3
Severity: MEDIUM
An information exposure vulnerability in FortiOS 6.2.3, 6.2.0 and below may allow an unauthenticated attacker to gain platform information such as version, models, via parsing a JavaScript file through admin webUI. FortiOS contains an information disclosure vulnerability. Information may be obtained. Fortinet FortiOS is a security operating system dedicated to the FortiGate network security platform developed by Fortinet. The system provides users with various security functions such as firewall, anti-virus, IPSec/SSLVPN, Web content filtering and anti-spam. The web UI in Fortinet FortiOS 6.2.0 and earlier versions and version 6.2.3 has an information disclosure vulnerability
VAR-201908-0069 CVE-2019-3742 Dell/Alienware Digital Delivery Vulnerabilities in authorization, authority and access control CVSS V2: 7.2
CVSS V3: 7.8
Severity: HIGH
Dell/Alienware Digital Delivery versions prior to 3.5.2013 contain a privilege escalation vulnerability. A local non-privileged malicious user could exploit a named pipe that performs binary deserialization via a process hollowing technique to inject malicious code to run an executable with elevated privileges. Dell/Alienware Digital Delivery contains vulnerabilities in authorization, authority, and access control. Information may be obtained or falsified, and a denial of service (DoS) may result. Dell Digital Delivery and Alienware Digital Delivery are both applications dedicated to Dell computer equipment and used to purchase computer pre-installed software online
VAR-201908-0070 CVE-2019-3744 Dell/Alienware Digital Delivery Vulnerabilities related to authorization, permissions, and access control CVSS V2: 7.2
CVSS V3: 7.8
Severity: HIGH
Dell/Alienware Digital Delivery versions prior to 4.0.41 contain a privilege escalation vulnerability. A local non-privileged malicious user could exploit a Universal Windows Platform application by manipulating the install software package feature with a race condition and a path traversal exploit in order to run a malicious executable with elevated privileges. Dell/Alienware Digital Delivery contains vulnerabilities related to authorization, permissions, and access control. Information may be obtained or altered, and service operation may be disrupted (DoS). Dell Digital Delivery and Alienware Digital Delivery are both applications dedicated to Dell computer equipment and used to purchase computer pre-installed software online
VAR-201908-0863 CVE-2019-13510 Rockwell Automation Arena Simulation DOE File Parsing Use-After-Free Remote Code Execution Vulnerability CVSS V2: 6.8
CVSS V3: 7.8
Severity: HIGH
Rockwell Automation Arena Simulation Software versions 16.00.00 and earlier contain a use-after-free vulnerability (CWE-416). A maliciously crafted Arena file opened by an unsuspecting user may result in the application crashing or the execution of arbitrary code. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the processing of DOE files. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. 9502-Ax) 16.00.00 and earlier versions have resource management error vulnerabilities
VAR-201908-0050 CVE-2019-6171 ThinkPad Vulnerability related to authorization, authority, and access control in the system of the old product CVSS V2: 7.2
CVSS V3: 6.8
Severity: MEDIUM
A vulnerability was reported in various BIOS versions of older ThinkPad systems that could allow a user with administrative privileges or physical access to update the Embedded Controller with unsigned firmware. Older ThinkPad systems contain vulnerabilities related to authorization, permissions, and access control. Information may be obtained or altered, and service operation may be disrupted (DoS). Lenovo ThinkPad 10 20E3 and so on are products of China's Lenovo. The Lenovo ThinkPad 10 20E3 is a tablet computer. ThinkPad 10 20E4 is a tablet computer. ThinkPad 13 (KBL) 20J1 is a notebook computer
VAR-201908-0043 CVE-2019-6159 Old IBM System x IMM Vulnerable to cross-site scripting CVSS V2: 4.3
CVSS V3: 6.1
Severity: MEDIUM
A stored cross-site scripting (XSS) vulnerability exists in various firmware versions of the legacy IBM System x IMM (IMM v1) embedded Baseboard Management Controller (BMC). This vulnerability could allow an unauthenticated user to cause JavaScript code to be stored in the IMM log which may then be executed in the user's web browser when IMM log records containing the JavaScript code are viewed. The JavaScript code is not executed on IMM itself. The later IMM2 (IMM v2) is not affected. The following products and versions are affected: BladeCenter HS22; BladeCenter HS22V; BladeCenter HX5; System x iDataPlex dx360 M2; System x iDataPlex dx360 M3; System x3400 M3; System x3500 M2; System x3650 M3; System x3690 X5; System x3850 X5; System x3950 X5
VAR-201908-0044 CVE-2019-6165 PaperDisplay Hotkey Service Vulnerabilities related to untrusted search paths CVSS V2: 4.4
CVSS V3: 7.8
Severity: HIGH
A DLL search path vulnerability was reported in PaperDisplay Hotkey Service version 1.2.0.8 that could allow privilege escalation. Lenovo has ended support for PaperDisplay Hotkey software as the Night light feature introduced in Windows 10 Build 1703 provides similar features. PaperDisplay Hotkey Service contains an untrusted search path vulnerability. Information may be obtained or altered, and service operation may be disrupted (DoS). Lenovo Yoga 700-11ISK and Yoga 700-14ISK are both laptops from Lenovo of China. Microsoft Windows 10 is an operating system for personal computers from Microsoft Corporation of the United States
VAR-201908-1661 CVE-2018-20960 Nespresso Prodigio Vulnerabilities related to security functions in devices CVSS V2: 4.8
CVSS V3: 8.1
Severity: HIGH
Nespresso Prodigio devices lack Bluetooth connection security. The Nespresso Prodigio device contains vulnerabilities related to security functions. Information may be tampered with and service operation may be disrupted (DoS). Nestle Nespresso Prodigio is a smart coffee machine from Nestle, Switzerland. A security vulnerability exists in the Nestle Nespresso Prodigio device
VAR-201908-1120 CVE-2016-10863 Edimax Wi-Fi Extender Device cross-site request forgery vulnerability CVSS V2: 6.8
CVSS V3: 8.8
Severity: HIGH
Edimax Wi-Fi Extender devices allow goform/formwlencryptvxd CSRF with resultant PSK key disclosure. The Edimax Wi-Fi Extender device contains a cross-site request forgery vulnerability. Information may be obtained or altered, and service operation may be disrupted (DoS). Edimax Technology Wi-Fi Extender is a wireless signal extender produced by Edimax Technology Company in Taiwan, China. The vulnerability stems from the web application not adequately verifying that the request is from a trusted user. An attacker could exploit this vulnerability to send unexpected requests to the server through an affected client
VAR-201908-1119 CVE-2016-10862 Neet AirStream NAS Device cross-site request forgery vulnerability CVSS V2: 6.8
CVSS V3: 8.8
Severity: HIGH
Neet AirStream NAS1.1 devices have a password of ifconfig for the root account. This cannot be changed via the configuration page. The Neet AirStream NAS device contains a cross-site request forgery vulnerability. Information may be obtained or altered, and service operation may be disrupted (DoS). Neet AirStream NAS1.1 is a wireless audio receiver. A vulnerability management issue vulnerability exists in Neet AirStream NAS 1.1. The vulnerability stems from the lack of an effective trust management mechanism in network systems or products. An attacker can attack an affected component with a default password or hard-coded password, hard-coded certificate, and so on. The vulnerability stems from the web application not adequately verifying that the request is from a trusted user. An attacker could exploit this vulnerability to send unexpected requests to the server through an affected client
VAR-201908-1452 CVE-2017-18485 Cognitoys Dino Device cross-site request forgery vulnerability CVSS V2: 5.8
CVSS V3: 5.4
Severity: MEDIUM
Cognitoys Dino devices allow profiles_add.html CSRF. The Cognitoys Dino device contains a cross-site request forgery vulnerability. Information may be obtained and information may be altered. Crunchbase Cognitoys Dino is a children's cognitive electronic learning toy produced by American Crunchbase Company. The vulnerability stems from the web application not adequately verifying that the request is from a trusted user. An attacker could exploit this vulnerability to send unexpected requests to the server through an affected client
VAR-201908-1451 CVE-2017-18484 Cognitoys Dino Cross-site scripting vulnerability in devices CVSS V2: 4.3
CVSS V3: 6.1
Severity: MEDIUM
Cognitoys Dino devices allow XSS via the SSID. The Cognitoys Dino device contains a cross-site scripting vulnerability. Information may be obtained and information may be falsified. Crunchbase Cognitoys Dino is a children's cognitive electronic learning toy produced by American Crunchbase Company. The vulnerability stems from the lack of correct validation of client data in web applications. An attacker could exploit this vulnerability to execute client code
VAR-201908-1728 CVE-2018-20956 Swann SWWHD-INTCAM-HD Vulnerability related to information disclosure from log files on devices CVSS V2: 2.1
CVSS V3: 5.5
Severity: MEDIUM
Swann SWWHD-INTCAM-HD devices leave the PSK in logs after a factory reset. NOTE: all affected customers were migrated by 2020-08-31. The Swann SWWHD-INTCAM-HD device contains a vulnerability related to information disclosure from log files. Information may be obtained. Infinova Swann SWWHD-INTCAM-HD is a webcam from Infinova. The vulnerability stems from errors in the configuration of the network system or product during operation. An unauthorized attacker can exploit the vulnerability to obtain sensitive information about the affected component. Infinova Swann SWWHD-INTCAM-HD is a network camera produced by Infinova
VAR-201908-1787 CVE-2019-11208 TIBCO Software Inc. TIBCO API Exchange Gateway and TIBCO API Exchange Gateway Distribution for TIBCO Silver Fabric Authorization vulnerability CVSS V2: 6.5
CVSS V3: 9.9
Severity: CRITICAL
The authorization component of TIBCO Software Inc.'s TIBCO API Exchange Gateway, and TIBCO API Exchange Gateway Distribution for TIBCO Silver Fabric contains a vulnerability that theoretically processes OAuth authorization incorrectly, leading to potential escalation of privileges for the specific customer endpoint, when the implementation uses multiple scopes. This issue affects: TIBCO Software Inc.'s TIBCO API Exchange Gateway version 2.3.1 and prior versions, and TIBCO API Exchange Gateway Distribution for TIBCO Silver Fabric version 2.3.1 and prior versions. TIBCO Software Inc. The platform mainly provides functions such as high-speed receiving, routing and forwarding of requests, and routing of requests between requesters and service endpoints. An attacker could exploit this vulnerability to elevate privileges
VAR-201908-0438 CVE-2019-13101 D-Link DIR-600M Authentication vulnerabilities in devices

Related entries in the VARIoT exploits database: VAR-E-201908-0016
CVSS V2: 7.5
CVSS V3: 9.8
Severity: CRITICAL
An issue was discovered on D-Link DIR-600M 3.02, 3.03, 3.04, and 3.06 devices. wan.htm can be accessed directly without authentication, which can lead to disclosure of information about the WAN, and can also be leveraged by an attacker to modify the data fields of the page. The D-Link DIR-600M device contains an authentication vulnerability. Information may be obtained or altered, and service operation may be disrupted (DoS). D-Link DIR-600M is a wireless router from Taiwan D-Link. A security vulnerability exists in D-Link DIR-600M, which originates from the fact that users can directly access the wan.htm file without authentication