VARIoT IoT vulnerabilities database

Affected products: vendor, model and version
CWE format is 'CWE-number'. Threat type can be: remote or local
Look up free text in title and description

VAR-201909-0184 CVE-2019-12670 Cisco IOS XE Vulnerability in improper assignment of permissions to critical resources in software CVSS V2: 4.6
CVSS V3: 6.7
Severity: MEDIUM
A vulnerability in the filesystem of Cisco IOS XE Software could allow an authenticated, local attacker within the IOx Guest Shell to modify the namespace container protections on an affected device. The vulnerability is due to insufficient file permissions. An attacker could exploit this vulnerability by modifying files that they should not have access to. A successful exploit could allow the attacker to remove container protections and perform file actions outside the namespace of the container. Cisco IOS XE The software contains a vulnerability related to improper assignment of permissions to critical resources.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Cisco IOS XE is an operating system developed by Cisco for its network equipment
VAR-201909-0072 CVE-2019-6651 BIG-IP and BIG-IQ Vulnerability related to information disclosure caused by difference in response to security related processing CVSS V2: 5.0
CVSS V3: 5.3
Severity: MEDIUM
In BIG-IP 15.0.0, 14.1.0-14.1.0.6, 14.0.0-14.0.0.5, 13.0.0-13.1.1.5, 12.1.0-12.1.4.1, 11.5.1-11.6.4, BIG-IQ 7.0.0, 6.0.0-6.1.0,5.2.0-5.4.0, iWorkflow 2.3.0, and Enterprise Manager 3.1.1, the Configuration utility login page may not follow best security practices when handling a malicious request. BIG-IP and BIG-IQ Contains a vulnerability related to information disclosure caused by differences in response to security-related processing.Information may be obtained. F5 BIG-IP and so on are all products of F5 Company in the United States. F5 BIG-IP is an application delivery platform that integrates functions such as network traffic management, application security management, and load balancing. F5 Enterprise Manager is a tool that provides visibility into the entire BIG-IP application delivery infrastructure and optimizes application performance. F5 BIG-IQ Centralized Management is a software-based cloud management solution. A security vulnerability exists in several F5 products. The vulnerability is caused by the program returning different HTTP responses when processing modified requests. Currently there is no information about this vulnerability, please keep an eye on CNNVD or vendor announcements. The following products and versions are affected: F5 BIG-IP version 15.0.0, version 14.0.0 to version 14.1.0, version 13.1.0 to version 13.1.1, version 12.1.0 to version 12.1.4, version 11.5.2 Up to version 11.6.4; Enterprise Manager version 3.1.1; BIG-IQ Centralized Management version 7.0.0, version 6.0.0 to version 6.1.0, version 5.2.0 to version 5.4.0; F5 iWorkflow version 2.3.0
VAR-201909-0158 CVE-2019-12649 Cisco IOS XE Vulnerabilities related to digital signature verification in software CVSS V2: 7.2
CVSS V3: 6.7
Severity: MEDIUM
A vulnerability in the Image Verification feature of Cisco IOS XE Software could allow an authenticated, local attacker to install and boot a malicious software image or execute unsigned binaries on an affected device. The vulnerability exists because, under certain circumstances, an affected device can be configured to not verify the digital signatures of system image files during the boot process. An attacker could exploit this vulnerability by abusing a specific feature that is part of the device boot process. A successful exploit could allow the attacker to install and boot a malicious software image or execute unsigned binaries on the targeted device. Cisco IOS XE The software contains a vulnerability related to digital signature verification.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Cisco Catalyst 3850 Series Switches and Cisco Catalyst 9300 Series Switches are both Cisco products. Cisco Catalyst 3850 Series Switches is a 3850 series switch. Cisco Catalyst 9300 Series Switches is a 9300 series switch. IOS XE is a set of operating systems developed for its network equipment
VAR-201909-0075 CVE-2019-6654 plural BIG-IP Vulnerability related to input validation in product system CVSS V2: 3.3
CVSS V3: 4.3
Severity: MEDIUM
On versions 14.0.0-14.1.2, 13.0.0-13.1.3, 12.1.0-12.1.5, and 11.5.1-11.6.5, the BIG-IP system fails to perform Martian Address Filtering (As defined in RFC 1812 section 5.3.7) on the control plane (management interface). This may allow attackers on an adjacent system to force BIG-IP into processing packets with spoofed source addresses. plural BIG-IP There is an input validation vulnerability in the product system.Information may be tampered with. F5 BIG-IP is an application delivery platform integrated with network traffic management, application security management, load balancing and other functions of the US company F5. A security vulnerability exists in the F5 BIG-IP. A remote attacker could exploit this vulnerability to perform unauthorized modification or cause a denial of service. The following products and versions are affected: F5 BIG-IP 14.0.0 to 14.1.2, 13.0.0 to 13.1.3, 12.1.0 to 12.1.5, 11.5.1 to 11.6.5
VAR-201909-0070 CVE-2019-6655 plural BIG-IP Information disclosure vulnerabilities in product platforms CVSS V2: 4.3
CVSS V3: 5.3
Severity: MEDIUM
On versions 13.0.0-13.1.0.1, 12.1.0-12.1.4.1, 11.6.1-11.6.4, and 11.5.1-11.5.9, BIG-IP platforms where AVR, ASM, APM, PEM, AFM, and/or AAM is provisioned may leak sensitive data. plural BIG-IP There is an information disclosure vulnerability on the product platform.Information may be obtained. F5 BIG-IP is an application delivery platform integrated with network traffic management, application security management, load balancing and other functions of the US company F5. A security vulnerability exists in the F5 BIG-IP. The following products and versions are affected: F5 BIG-IP version 13.1.0, version 12.1.0 to version 12.1.4, version 11.6.1 to version 11.6.4, version 11.5.2 to version 11.5.9
VAR-201909-0870 CVE-2019-15069 Smart Battery A4 Authentication vulnerability CVSS V2: 7.5
CVSS V3: 9.8
Severity: CRITICAL
An unsafe authentication interface was discovered in Smart Battery A4, a multifunctional portable charger, firmware version ?<= r1.7.9 . An attacker can bypass authentication without modifying device file and gain web page management privilege. Smart Battery A4 Contains an authentication vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state
VAR-201909-0160 CVE-2019-12650 Cisco IOS XE In software OS Command injection vulnerability CVSS V2: 9.0
CVSS V3: 8.8
Severity: HIGH
Multiple vulnerabilities in the web-based user interface (Web UI) of Cisco IOS XE Software could allow an authenticated, remote attacker to execute commands with elevated privileges on the affected device. For more information about these vulnerabilities, see the Details section of this advisory. Cisco IOS XE The software includes OS A command injection vulnerability exists.Information is acquired, information is falsified, and denial of service (DoS) May be in a state. Cisco IOS XE is an operating system developed by Cisco for its network equipment
VAR-201909-0161 CVE-2019-12651 Cisco IOS XE In software OS Command injection vulnerability CVSS V2: 9.0
CVSS V3: 8.8
Severity: HIGH
Multiple vulnerabilities in the web-based user interface (Web UI) of Cisco IOS XE Software could allow an authenticated, remote attacker to execute commands with elevated privileges on the affected device. For more information about these vulnerabilities, see the Details section of this advisory. Cisco IOS XE The software includes OS A command injection vulnerability exists.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Cisco IOS XE is an operating system developed by Cisco for its network equipment
VAR-201909-0869 CVE-2019-15068 Smart Battery A4 Authentication vulnerability CVSS V2: 10.0
CVSS V3: 9.8
Severity: CRITICAL
A broken access control vulnerability in Smart Battery A4, a multifunctional portable charger, firmware version ?<= r1.7.9 allows an attacker to get/reset administrator’s password without any authentication. Smart Battery A4 Contains an authentication vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Smart Battery A4 is a portable power supply device. An attacker could exploit this vulnerability to obtain/reset the administrator password without authentication
VAR-201909-0868 CVE-2019-15067 Smart Battery A2-25DE Authentication vulnerability CVSS V2: 10.0
CVSS V3: 9.8
Severity: CRITICAL
An authentication bypass vulnerability discovered in Smart Battery A2-25DE, a multifunctional portable charger, firmware version ?<= SECFS-2013-10-16-13:42:58-629c30ee-60c68be6. An attacker can bypass authentication and gain privilege by modifying the login page. Smart Battery A2-25DE Contains an authentication vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state
VAR-201911-0835 CVE-2019-5230 plural Huawei Vulnerability related to input confirmation in smartphone products CVSS V2: 4.3
CVSS V3: 5.5
Severity: MEDIUM
P20 Pro, P20, Mate RS smartphones with versions earlier than Charlotte-AL00A 9.1.0.321(C00E320R1P1T8), versions earlier than Emily-AL00A 9.1.0.321(C00E320R1P1T8), versions earlier than NEO-AL00D NEO-AL00 9.1.0.321(C786E320R1P1T8) have an improper validation vulnerability. The system does not perform a properly validation of certain input models, an attacker could trick the user to install a malicious application then craft a malformed model, successful exploit could allow the attacker to get and tamper certain output data information. The Huawei P20 Pro and other smartphones are all from China's Huawei. The vulnerability stems from the system's inadequate verification of the input model files
VAR-201911-0822 CVE-2019-5246 ELLE-AL00B Vulnerability related to insufficient verification of data reliability in smartphones with software CVSS V2: 4.6
CVSS V3: 6.2
Severity: MEDIUM
Smartphones with software of ELLE-AL00B 9.1.0.109(C00E106R1P21), 9.1.0.113(C00E110R1P21), 9.1.0.125(C00E120R1P21), 9.1.0.135(C00E130R1P21), 9.1.0.153(C00E150R1P21), 9.1.0.155(C00E150R1P21), 9.1.0.162(C00E160R2P1) have an insufficient verification vulnerability. The system does not verify certain parameters sufficiently, an attacker should connect to the phone and gain high privilege to launch the attack. Successful exploit could cause DOS or malicious code execution. ELLE-AL00B Software-equipped smartphones are vulnerable to insufficient verification of data reliability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Huawei ELLE-AL00B is a smartphone from China's Huawei. There is a security vulnerability in Huawei ELLE-AL00B, which is caused by the system's failure to fully verify the parameters
VAR-201909-0893 CVE-2019-16899 Advantech WebAccess/HMI Designer Buffer error vulnerability CVSS V2: 5.0
CVSS V3: 7.5
Severity: HIGH
In Advantech WebAccess/HMI Designer 2.1.9.31, Data from a Faulting Address controls Code Flow starting at PM_V3!CTagInfoThreadBase::GetNICInfo+0x0000000000512918. Advantech WebAccess/HMI Designer Contains a buffer error vulnerability.Service operation interruption (DoS) There is a possibility of being put into a state. Advantech WebAccess HMI Designer is a human machine interface (HMI) runtime development software. A denial of service vulnerability exists in Advantech WebAccess HMI Designer 2.1.9.31. An attacker could exploit the vulnerability to cause a denial of service. The product has functions such as data transmission, menu editing and text editing. This vulnerability stems from the incorrect verification of data boundaries when the network system or product performs operations on the memory, resulting in incorrect read and write operations to other associated memory locations
VAR-201911-0264 CVE-2019-5287 P30 Integer overflow vulnerability in smartphones CVSS V2: 9.3
CVSS V3: 7.8
Severity: HIGH
P30 smart phones with versions earlier than ELLE-AL00B 9.1.0.193(C00E190R2P1) have an integer overflow vulnerability due to insufficient check on specific parameters. An attacker tricks the user into installing a malicious application, obtains the root permission and constructs specific parameters to the camera program to exploit this vulnerability. Successful exploit could cause the program to break down or allow for arbitrary code execution. P30 Smartphones contain an integer overflow vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. The Huawei P30 is a smartphone from China's Huawei
VAR-201909-0894 CVE-2019-16900 Advantech WebAccess/HMI Designer Buffer error vulnerability CVSS V2: 5.0
CVSS V3: 7.5
Severity: HIGH
Advantech WebAccess/HMI Designer 2.1.9.31 has a User Mode Write AV starting at MSVCR90!memcpy+0x000000000000015c. Advantech WebAccess/HMI Designer Contains a buffer error vulnerability.Service operation interruption (DoS) There is a possibility of being put into a state. Advantech WebAccess HMI Designer is a human machine interface (HMI) runtime development software. An attacker could exploit the vulnerability to cause a denial of service. The product has functions such as data transmission, menu editing and text editing. This vulnerability stems from the incorrect verification of data boundaries when the network system or product performs operations on the memory, resulting in incorrect read and write operations to other associated memory locations
VAR-201911-0834 CVE-2019-5229 P30 Vulnerability related to insufficient verification of data reliability on smartphones CVSS V2: 4.6
CVSS V3: 6.2
Severity: MEDIUM
P30 smartphones with versions earlier than ELLE-AL00B 9.1.0.193(C00E190R2P1) have an insufficient verification vulnerability. The system does not verify certain parameters sufficiently, an attacker should connect to the phone and gain high privilege to launch the attack, successful exploit could cause malicious code execution. P30 Smartphones are vulnerable to insufficient validation of data reliability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. The Huawei P30 is a smartphone from China's Huawei
VAR-201911-0265 CVE-2019-5288 P30 Integer overflow vulnerability in smartphones CVSS V2: 9.3
CVSS V3: 7.8
Severity: HIGH
P30 smart phones with versions earlier than ELLE-AL00B 9.1.0.193(C00E190R2P1) have an integer overflow vulnerability due to insufficient check on specific parameters. An attacker tricks the user into installing a malicious application, obtains the root permission and constructs specific parameters to the camera program to exploit this vulnerability. Successful exploit could cause the program to break down or allow for arbitrary code execution. P30 Smartphones contain an integer overflow vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. The Huawei P30 is a smartphone from China's Huawei
VAR-201909-1523 CVE-2019-12665 Cisco IOS and IOS XE Vulnerability regarding cryptographic strength in software CVSS V2: 5.8
CVSS V3: 7.4
Severity: HIGH
A vulnerability in the HTTP client feature of Cisco IOS and IOS XE Software could allow an unauthenticated, remote attacker to read and modify data that should normally have been sent via an encrypted channel. The vulnerability is due to TCP port information not being considered when matching new requests to existing, persistent HTTP connections. An attacker could exploit this vulnerability by acting as a man-in-the-middle and then reading and/or modifying data that should normally have been sent through an encrypted channel. Cisco IOS and IOS XE The software contains a cryptographic strength vulnerability.Information is acquired, information is falsified, and denial of service (DoS) May be in a state. Both Cisco IOS and IOS XE are a set of operating systems developed by Cisco for its network equipment
VAR-201909-0895 CVE-2019-16901 Advantech WebAccess HMI Designer Exception Handler Chain Corruption Vulnerability CVSS V2: 5.0
CVSS V3: 7.5
Severity: HIGH
Advantech WebAccess/HMI Designer 2.1.9.31 has Exception Handler Chain corruption starting at Unknown Symbol @ 0x0000000000000000 called from ntdll!RtlRaiseStatus+0x00000000000000b4. Advantech WebAccess/HMI Designer Contains a vulnerability in handling exceptional conditions.Service operation interruption (DoS) There is a possibility of being put into a state. Advantech WebAccess HMI Designer is a human machine interface (HMI) runtime development software. An attacker could exploit the vulnerability to cause a denial of service. The product has functions such as data transmission, menu editing and text editing. A path traversal vulnerability exists in Advantech WebAccess/HMI Designer version 2.1.9.31. The vulnerability stems from a network system or product that fails to properly filter resources or special elements in file paths
VAR-201909-0176 CVE-2019-12662 Cisco NX-OS and IOS XE Vulnerabilities related to digital signature verification in software CVSS V2: 7.2
CVSS V3: 6.7
Severity: MEDIUM
A vulnerability in Cisco NX-OS Software and Cisco IOS XE Software could allow an authenticated, local attacker with valid administrator or privilege level 15 credentials to load a virtual service image and bypass signature verification on an affected device. The vulnerability is due to improper signature verification during the installation of an Open Virtual Appliance (OVA) image. An authenticated, local attacker could exploit this vulnerability and load a malicious, unsigned OVA image on an affected device. A successful exploit could allow an attacker to perform code execution on a crafted software OVA image. Cisco NX-OS Software and IOS XE are both products of Cisco Corporation. Cisco NX-OS Software is a suite of data center-level operating system software for switches. IOS XE is a set of operating systems developed for its network equipment. A data forgery vulnerability exists in Cisco NX-OS and Cisco IOS XE. Signed OVA image