VARIoT IoT vulnerabilities database

A vulnerability in the web-based management interface of Cisco HyperFlex Software could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack on an affected system. The vulnerability is due to insufficient CSRF protections for the web UI on an affected device. An attacker could exploit this vulnerability by persuading a user of the interface to follow a malicious link. A successful exploit could allow the attacker to perform arbitrary actions with the privilege level of the affected user. Cisco HyperFlex Software is a set of scalable distributed file systems from Cisco. The system provides unified computing, storage and network through cloud management, and provides enterprise-level data management and optimization services. The vulnerability stems from the WEB application not adequately verifying that the request is from a trusted user

A vulnerability in the Virtual Network Computing (VNC) console implementation of Cisco Enterprise NFV Infrastructure Software (NFVIS) could allow an unauthenticated, remote attacker to access the VNC console session of an administrative user on an affected device. The vulnerability is due to an insufficient authentication mechanism used to establish a VNC session. An attacker could exploit this vulnerability by intercepting an administrator VNC session request prior to login. A successful exploit could allow the attacker to watch the administrator console session or interact with it, allowing admin access to the affected device. Cisco Enterprise NFV Infrastructure Software (NFVIS) Is vulnerable to a lack of authentication for critical functions.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Cisco Enterprise NFV Infrastructure Software (NFVIS) is a set of NVF infrastructure software platform of Cisco (Cisco). The platform can realize the full lifecycle management of virtualized services through the central coordinator and controller

The Bluetooth Low Energy (BLE) subsystem on Tapplock devices before 2018-06-12 relies on Key1 and SerialNo for unlock operations; however, these are derived from the MAC address, which is broadcasted by the device. Tapplock The device contains an information disclosure vulnerability.Information may be obtained

Possible null-pointer dereference can occur while parsing avi clip during copy in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables in MDM9206, MDM9607, MSM8909W, MSM8996AU, QCA6574AU, QCS405, QCS605, Qualcomm 215, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 439 / SD 429, SD 450, SD 600, SD 615/16/SD 415, SD 625, SD 632, SD 636, SD 665, SD 675, SD 712 / SD 710 / SD 670, SD 730, SD 820, SD 820A, SD 835, SD 845 / SD 850, SD 855, SDA660, SDM439, SDM630, SDM660, SDX20. plural Snapdragon The product includes NULL A vulnerability related to pointer dereference exists.Service operation interruption (DoS) There is a possibility of being put into a state. Qualcomm MDM9206 and others are products of Qualcomm (Qualcomm). MDM9206 is a central processing unit (CPU) product. MDM9607 is a central processing unit (CPU) product. MSM8996AU is a central processing unit (CPU) product. A code issue vulnerability exists in several Qualcomm products. This vulnerability stems from improper design or implementation problems in the code development process of network systems or products

Boot image not getting verified by AVB in Snapdragon Auto, Snapdragon Mobile, Snapdragon Wearables in MDM9607, MSM8909W, Qualcomm 215, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 439 / SD 429, SD 450, SD 625, SD 632, SD 820, SD 820A, SDM439. plural Snapdragon The product contains a vulnerability related to the use of cryptographic algorithms.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Qualcomm MDM9607 is a central processing unit (CPU) product of Qualcomm (Qualcomm). Encryption issues exist in several Qualcomm products. The vulnerability stems from incorrect use of relevant cryptographic algorithms by network systems or products, resulting in improperly encrypted content, weak encryption, and storing sensitive information in plain text

Improper validation of read and write index of tx and rx fifo`s before using for data copy from fifo can lead to out-of-bound access. in Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wired Infrastructure and Networking in IPQ4019, IPQ8064, IPQ8074, QCS405, SD 665, SD 675, SD 730, SD 855. plural Snapdragon The product contains a vulnerability related to array index validation.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Qualcomm IPQ8074 is a central processing unit (CPU) product of Qualcomm (Qualcomm). An input validation error vulnerability exists in several Qualcomm products. The vulnerability stems from the failure of the network system or product to properly validate the input data. The following products and versions are affected: Qualcomm IPQ4019; IPQ8064; IPQ8074; QCS405; SD 665; SD 675; SD 730; SD 855

Possible buffer overflow issue due to lack of length check when parsing the extended cap IE header length in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wired Infrastructure and Networking in IPQ8074, MDM9206, MDM9607, MDM9640, MDM9650, MSM8996AU, QCA6174A, QCA6574, QCA6574AU, QCA6584, QCA8081, QCA9379, QCS404, QCS405, QCS605, Qualcomm 215, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 439 / SD 429, SD 450, SD 625, SD 632, SD 636, SD 665, SD 675, SD 712 / SD 710 / SD 670, SD 730, SD 820, SD 820A, SD 835, SD 845 / SD 850, SD 855, SD 8CX, SDA660, SDM439, SDM630, SDM660, SDX20, SDX24, SXR1130. plural Snapdragon The product contains a classic buffer overflow vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Qualcomm WLAN chip is a dedicated chip for Qualcomm platform to handle WLAN/WIFI protocol. It belongs to Qualcomm Baseband subsystem, which is used to improve WLAN/WIFI processing speed and performance and reduce energy consumption. A remote code execution vulnerability exists in the Qualcomm WLAN chip. An attacker can control the WLAN firmware and eventually cause arbitrary code to be executed on the server. Qualcomm MDM9206 and others are products of Qualcomm (Qualcomm). MDM9206 is a central processing unit (CPU) product. MDM9607 is a central processing unit (CPU) product. MDM9640 is a central processing unit (CPU) product. A buffer error vulnerability exists in several Qualcomm products. This vulnerability stems from the incorrect verification of data boundaries when the network system or product performs operations on the memory, resulting in incorrect read and write operations to other associated memory locations. Attackers can exploit this vulnerability to cause buffer overflow or heap overflow, etc. The following products and versions are affected: Qualcomm MDM9206, MDM9607, MDM9640, MDM9650, MSM8996AU, QCA6174A, QCA6574, QCA6574AU, QCA6584, QCA8081, QCA9379, QCS404, QCS405, QCS605; Qualcomm 215, SD 2120/SD 2120/SD , SD 427, SD 430, SD 435, SD 439 / SD 429, SD 450, SD 625, SD 632, SD 636, SD 665, SD 675, SD 712 / SD 710 / SD 670, SD 730, SD 820, SD 820A, SD 835, SD 845 / SD 850, SD 855, SD 8CX; Qualcomm SDA660, SDM439, SDM630, SDM660; Qualcomm SDX20, SDX24, SXR1130

Buffer overflow in WLAN NAN function due to lack of check of count value received in NAN availability attribute in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wired Infrastructure and Networking in IPQ8074, MSM8996AU, QCA6174A, QCA6574AU, QCA8081, QCA9377, QCA9379, QCS404, QCS405, QCS605, SD 636, SD 665, SD 675, SD 712 / SD 710 / SD 670, SD 730, SD 820, SD 835, SD 845 / SD 850, SD 855, SD 8CX, SDA660, SDM630, SDM660, SXR1130. plural Snapdragon The product contains a classic buffer overflow vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Qualcomm MSM8996AU is a central processing unit (CPU) product of Qualcomm (Qualcomm). A buffer error vulnerability exists in several Qualcomm products. This vulnerability stems from the incorrect verification of data boundaries when the network system or product performs operations on the memory, resulting in incorrect read and write operations to other associated memory locations. Attackers can exploit this vulnerability to cause buffer overflow or heap overflow, etc. The following products and versions are affected: Qualcomm IPQ8074 ; Qualcomm MSM8996AU ; Qualcomm QCA6174A ; Qualcomm QCA6574AU ; Qualcomm QCA8081 ; Qualcomm QCA9377 ; Qualcomm QCA9379 ; Qualcomm QCS404 ; Qualcomm QCS405 ; Qualcomm QCS605 ; Qualcomm SD 636, SD 665, SD 675, SD 712 / SD 710 / SD 670, SD 730, SD 820, SD 835, SD 845 / SD 850, SD 855, SD 8CX, SDA660, SDM630, SDM660, SXR1130

Device record of the pairing device used after free during ACL disconnection in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables in MSM8909W, MSM8996AU, QCA6574AU, QCS405, QCS605, SD 425, SD 427, SD 430, SD 435, SD 439 / SD 429, SD 450, SD 625, SD 632, SD 636, SD 665, SD 675, SD 712 / SD 710 / SD 670, SD 730, SD 820, SD 820A, SD 835, SD 845 / SD 850, SD 855, SDA660, SDM439, SDM630, SDM660, Snapdragon_High_Med_2016. plural Snapdragon The product contains a vulnerability related to the use of released memory.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Qualcomm MSM8996AU is a central processing unit (CPU) product of Qualcomm (Qualcomm). A resource management error vulnerability exists in several Qualcomm products. This vulnerability stems from improper management of system resources (such as memory, disk space, files, etc.) by network systems or products

Lack of check of address range received from firmware response allows modem to respond arbitrary pages into its address range which can compromise HLOS in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables in MSM8909W, MSM8996AU, QCS405, QCS605, Qualcomm 215, SD 425, SD 439 / SD 429, SD 450, SD 625, SD 632, SD 636, SD 665, SD 675, SD 712 / SD 710 / SD 670, SD 730, SD 820A, SD 845 / SD 850, SD 855, SDA660, SDM439, SDM660, SDX20, SDX24. plural Snapdragon The product contains an input validation vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Qualcomm MSM8996AU and others are products of Qualcomm (Qualcomm). MSM8996AU is a central processing unit (CPU) product. SD 712 is a central processing unit (CPU) product. SD 710 is a central processing unit (CPU) product. An input validation error vulnerability exists in several Qualcomm products. The vulnerability stems from the failure of the network system or product to properly validate the input data. The following products and versions are affected: Qualcomm MSM8909W; MSM8996AU; QCS405; QCS605; Qualcomm 215; SD 425; SD 439; SD 429; SD 450; SD 625; SD 632; 710; SD 670; SD 730; SD 820A; SD 845; SD 850; SD 855; SDA660; SDM439; SDM660; SDX20; SDX24

BT process died and BT toggled due to null pointer dereference when invalid vendor pass through command sent from remote in Snapdragon Auto, Snapdragon Consumer IOT, Snapdragon Mobile, Snapdragon Voice & Music in QCS405, QCS605, SD 636, SD 675, SD 730, SD 820A, SD 835, SD 845 / SD 850, SD 855, SDM630, SDM660. plural Snapdragon The product includes NULL A vulnerability related to pointer dereference exists.Tampering with information and disrupting service operations (DoS) There is a possibility of being put into a state. Qualcomm SD 820A and others are a central processing unit (CPU) product of Qualcomm (Qualcomm). A code issue vulnerability exists in several Qualcomm products. This vulnerability stems from improper design or implementation problems in the code development process of network systems or products. The following products and versions are affected: Qualcomm QCS405; QCS605; SD 636; SD 675; SD 730; SD 820A; SD 835; SD 845; SD 850; SD 855;

Usage of hard-coded magic number for calculating heap guard bytes can allow users to corrupt heap blocks without heap algorithm knowledge in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables in MDM9205, MDM9206, MDM9607, MDM9615, MDM9625, MDM9635M, MDM9655, MSM8909W, MSM8996AU, QCS605, Qualcomm 215, SD 210/SD 212/SD 205, SD 410/12, SD 425, SD 427, SD 430, SD 435, SD 439 / SD 429, SD 450, SD 625, SD 632, SD 636, SD 650/52, SD 665, SD 675, SD 712 / SD 710 / SD 670, SD 730, SD 820, SD 820A, SD 835, SD 845 / SD 850, SD 855, SD 8CX, SDA660, SDM439, SDM630, SDM660, Snapdragon_High_Med_2016, SXR1130. plural Snapdragon The product contains a vulnerability related to the use of insufficient random values.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Qualcomm MDM9206 is a central processing unit (CPU) product of Qualcomm (Qualcomm). Video in several Qualcomm products has a security feature vulnerability. An attacker could exploit this vulnerability to corrupt heap blocks. The following products and versions are affected: Qualcomm MDM9205; MDM9206; MDM9607; MDM9615; MDM9625; MDM9635M; MDM9655; MSM8909W; MSM8996AU; SD 427; SD 430; SD 435; SD 439; SD 429; SD 450; SD 625; SD 632; SD 636; SD 650/52; SD 665; SD 675; SD 712; SD 820; SD 820A; SD 835; SD 845; SD 850; SD 855; SD 8CX;

A denial of service issue in HTTPD was discovered on MicroDigital N-series cameras with firmware through 6400.0.8.5. An attacker without authorization can upload a file to upload.php with a filename longer than 256 bytes. This will be placed in the updownload area. It will not be deleted, because of a buffer overflow in a Bash command string. MicroDigital N-series camera Contains a buffer error vulnerability.Service operation interruption (DoS) There is a possibility of being put into a state. MicroDigital N-series cameras are IP cameras launched by MicroDigital. MicroDigital N-series cameras have a buffer overflow vulnerability. An attacker could exploit this vulnerability to cause a denial of service

A CSRF issue was discovered in webparam?user&action=set&param=add in HTTPD on MicroDigital N-series cameras with firmware through 6400.0.8.5 to create an admin account. MicroDigital N-series camera Contains a cross-site request forgery vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. MicroDigital N-series cameras is an N-series network camera from South Korean MicroDigital company. MicroDigital N-series cameras have a cross-site request forgery vulnerability. An attacker could use this vulnerability to send an unexpected request to the server through an affected client. The vulnerability stems from the WEB application not adequately verifying that the request is from a trusted user

An issue was discovered on MicroDigital N-series cameras with firmware through 6400.0.8.5. An attacker can exploit OS Command Injection in the filename parameter for remote code execution as root. This occurs in the Mainproc executable file, which can be run from the HTTPD web server. MicroDigital N-series camera The firmware of OS A command injection vulnerability exists.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. MicroDigital N-series cameras is an N-series network camera from South Korean MicroDigital company. MicroDigital N-series cameras have an operating system command injection vulnerability. An attacker could use this vulnerability to execute illegal operating system commands. The vulnerability stems from the fact that the network system or product does not correctly filter special characters, commands, etc. in the process of constructing executable commands of the operating system from external input data

An issue was discovered on MicroDigital N-series cameras with firmware through 6400.0.8.5. SQL injection vulnerabilities exist in 13 forms that are reachable through HTTPD. An attacker can, for example, create an admin account. MicroDigital N-series camera The firmware of SQL An injection vulnerability exists.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. MicroDigital N-series cameras is an N-series network camera from South Korean MicroDigital company. MicroDigital N-series cameras have a SQL injection vulnerability. An attacker could use this vulnerability to execute illegal SQL commands. The vulnerability stems from the lack of verification of externally input SQL statements in database-based applications

An issue was discovered on MicroDigital N-series cameras with firmware through 6400.0.8.5. An attacker can trigger read operations on an arbitrary file via Path Traversal in the TZ parameter, but cannot retrieve the data that is read. This causes a denial of service if the filename is, for example, /dev/random. MicroDigital N-series camera Contains a path traversal vulnerability.Service operation interruption (DoS) There is a possibility of being put into a state. MICRODIGITAL N-series cameras is an N-series network camera produced by Korea MICRODIGITAL Company. A path traversal vulnerability exists in the 'TZ' parameter in MICRODIGITA N-series cameras using firmware 6400.0.8.5 and earlier. The vulnerability stems from a network system or product that fails to properly filter resources or special elements in file paths. An attacker could exploit this vulnerability to access locations outside of restricted directories

An issue was discovered on MicroDigital N-series cameras with firmware through 6400.0.8.5. There is disclosure of the existence of arbitrary files via Path Traversal in HTTPD. This occurs because the filename specified in the TZ parameter is accessed with a substantial delay if that file exists. MicroDigital N-series camera Contains a path traversal vulnerability.Information may be obtained. MicroDigital N-series cameras is an N-series network camera from South Korean MicroDigital company. An attacker could use this vulnerability to access locations outside the restricted directory. The vulnerability stems from a network system or product that fails to properly filter resources or special elements in file paths

An Incorrect Access Control issue was discovered on MicroDigital N-series cameras with firmware through 6400.0.8.5 because any valid cookie can be used to make requests as an admin. MicroDigital N-series camera There is an access control vulnerability in the firmware.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. MicroDigital N-series cameras is an N-series network camera from South Korean MicroDigital company. MicroDigital N-series cameras have an access control error vulnerability. No detailed vulnerability details are provided at this time. This vulnerability stems from network systems or products not properly restricting access to resources from unauthorized roles

An SSRF issue was discovered in HTTPD on MicroDigital N-series cameras with firmware through 6400.0.8.5 via FTP commands following a newline character in the uploadfile field. MicroDigital N-series camera Contains a server-side request forgery vulnerability.Information is acquired, information is falsified, and denial of service (DoS) May be in a state. MICRODIGITAL N-series cameras is an N-series network camera produced by Korea MICRODIGITAL Company. This vulnerability stems from improper design or implementation problems in the code development process of network systems or products