VARIoT IoT vulnerabilities database
| VAR-201908-0068 | CVE-2019-3418 | ZTE ZXHN F670 Cross-Site Scripting Vulnerability |
CVSS V2: 3.5 CVSS V3: 5.4 Severity: MEDIUM |
All versions up to V1.1.10P3T18 of ZTE ZXHN F670 product are impacted by cross-site scripting vulnerability (XSS). Due to incomplete input validation, an authorized user can exploit this vulnerability to execute malicious scripts. ZTE ZXHN F670 is a modem from China ZTE Corporation (ZTE). The vulnerability stems from the lack of correct validation of client data in WEB applications
| VAR-201908-2052 | No CVE | Advantech WebAccess has remote code execution vulnerability |
CVSS V2: 7.2 CVSS V3: - Severity: HIGH |
Advantech WebAccess / SCADA is a set of SCADA software based on browser architecture by Advantech of Taiwan, China.
Advantech WebAccess has a remote code execution vulnerability. An attacker could use the vulnerability to obtain server information and permissions
| VAR-201908-2051 | No CVE | Advantech WebAccess has arbitrary file deletion vulnerability |
CVSS V2: 4.9 CVSS V3: - Severity: MEDIUM |
Advantech WebAccess / SCADA is a set of SCADA software based on browser architecture by Advantech of Taiwan, China.
Advantech WebAccess has an arbitrary file deletion vulnerability. Attackers can use the vulnerability to delete arbitrary files
| VAR-201908-2053 | No CVE | Siemens SIMATIC S7-300 PLC Permission Permission Vulnerability |
CVSS V2: 6.1 CVSS V3: - Severity: MEDIUM |
The Siemens SIMATIC S7-300 CPU is a modular universal controller for the manufacturing industry from Siemens.
The Siemens SIMATIC S7-300 PLC module is not authorized to bypass the execution of CPU attack vulnerabilities. The attacker can construct a special application layer data message, which causes arbitrary start and stop control of the PLC
| VAR-201908-2055 | No CVE | The Delta ISPSoft isp project file has a memory corruption vulnerability |
CVSS V2: 4.9 CVSS V3: - Severity: MEDIUM |
ISPSoft is a new generation of Delta PLC programming software.
Delta ISPSoft has a memory corruption vulnerability when processing isp project files. Attackers can trick users who install ISPSoft into opening malicious isp files, which triggers loopholes and denies service
| VAR-201908-1942 | CVE-2019-11162 | Intel Multiple vulnerabilities in the product |
CVSS V2: 4.6 CVSS V3: 7.8 Severity: HIGH |
Insufficient access control in hardware abstraction in SEMA driver for Intel(R) Computing Improvement Program before version 2.4.0.04733 may allow an authenticated user to potentially enable escalation of privilege, denial of service or information disclosure via local access. Intel Computing Improvement Program is a software improvement program application program of Intel Corporation. This program is used to collect computer function usage information, component usage information, operating system information, etc. A local attacker could exploit this vulnerability to elevate privileges, cause denial of service or disclose information
| VAR-201908-1945 | CVE-2019-11148 | Intel Multiple vulnerabilities in the product |
CVSS V2: 4.6 CVSS V3: 7.8 Severity: HIGH |
Improper permissions in the installer for Intel(R) Remote Displays SDK before version 2.0.1 R2 may allow an authenticated user to potentially enable escalation of privilege via local access. Intel Remote Displays SDK is a remote processing software development kit (SDK) of Intel Corporation. The product enables low-latency capture, compression, decompression, and configuration of virtual displays. A local attacker could exploit this vulnerability to elevate privileges
| VAR-201908-1941 | CVE-2019-11145 | Intel Multiple vulnerabilities in the product |
CVSS V2: 4.6 CVSS V3: 7.8 Severity: HIGH |
Improper file verification in IntelĀ® Driver & Support Assistant before 19.7.30.2 may allow an authenticated user to potentially enable escalation of privilege via local access. Intel Driver & Support Assistant is an Intel driver and support management tool from Intel Corporation. This tool is mainly used to get the latest applications provided by Intel. An authorization issue vulnerability exists in Intel Driver & Support Assistant versions prior to 19.7.30.2. The vulnerability is caused by the program not properly validating files. A local attacker could exploit this vulnerability to elevate privileges
| VAR-201908-1944 | CVE-2019-11146 | Intel Multiple vulnerabilities in the product |
CVSS V2: 4.6 CVSS V3: 7.8 Severity: HIGH |
Improper file verification in IntelĀ® Driver & Support Assistant before 19.7.30.2 may allow an authenticated user to potentially enable escalation of privilege via local access. Intel Driver & Support Assistant is an Intel driver and support management tool from Intel Corporation. This tool is mainly used to get the latest applications provided by Intel. An authorization issue vulnerability exists in Intel Driver & Support Assistant versions prior to 19.7.30.2. The vulnerability is caused by the program not properly validating files. A local attacker could exploit this vulnerability to elevate privileges
| VAR-201908-1940 | CVE-2019-11143 | Intel Multiple vulnerabilities in the product |
CVSS V2: 4.6 CVSS V3: 6.7 Severity: MEDIUM |
Improper permissions in the software installer for Intel(R) Authenticate before 3.8 may allow an authenticated user to potentially enable escalation of privilege via local access. Intel Authenticate is a set of multi-factor authentication software from Intel Corporation of the United States. An authorization issue vulnerability exists in the software installer in versions prior to Intel Authenticate 3.8. A local attacker could exploit this vulnerability to elevate privileges
| VAR-201908-1943 | CVE-2019-11163 | Intel Multiple vulnerabilities in the product |
CVSS V2: 4.6 CVSS V3: 7.8 Severity: HIGH |
Insufficient access control in a hardware abstraction driver for Intel(R) Processor Identification Utility for Windows before version 6.1.0731 may allow an authenticated user to potentially enable escalation of privilege, denial of service or information disclosure via local access. Intel Processor Identification Utility is a processor identification utility developed by Intel Corporation. The program supports displaying graphics information, chipset information, technologies supported by the processor, and other information. A local attacker could exploit this vulnerability to elevate privileges, cause denial of service or disclose information
| VAR-201908-1608 | CVE-2019-0173 | Intel Multiple vulnerabilities in the product |
CVSS V2: 5.8 CVSS V3: 7.6 Severity: HIGH |
Authentication bypass in the web console for Intel(R) Raid Web Console 2 all versions may allow an unauthenticated attacker to potentially enable disclosure of information via network access. Intel Raid Web Console 2 is a web-based application program of Intel Corporation that provides monitoring, maintenance, troubleshooting and configuration functions for Intel RAID products. An attacker could exploit this vulnerability to disclose information
| VAR-201908-0730 | CVE-2019-15105 | Zoho ManageEngine Application Manager In SQL Injection vulnerability |
CVSS V2: 9.0 CVSS V3: 8.8 Severity: HIGH |
An issue was discovered in Zoho ManageEngine Application Manager through 14.2. There is a SQL Injection vulnerability in jsp/NewThresholdConfiguration.jsp via the resourceid parameter. Therefore, a low-authority user can gain the authority of SYSTEM on the server. One can consequently upload a malicious file using the "Execute Program Action(s)" feature. Zoho ManageEngine Application Manager Is SQL An injection vulnerability exists.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. This system is mainly used to monitor server and application performance. An attacker could use this vulnerability to execute illegal SQL commands
| VAR-201908-0731 | CVE-2019-15106 | Zoho ManageEngine OpManager Vulnerabilities related to authorization, permissions, and access control |
CVSS V2: 7.5 CVSS V3: 9.8 Severity: CRITICAL |
An issue was discovered in Zoho ManageEngine OpManager in builds before 14310. One can bypass the user password requirement and execute commands on the server. The "username+'@opm' string is used for the password. For example, if the username is admin, the password is admin@opm. Zoho ManageEngine OpManager Contains vulnerabilities related to authorization, permissions, and access control.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Zoho ManageEngine OpManager is a set of network, server and virtualization monitoring software from Zoho.
Zoho ManageEngine OpManager is vulnerable to permission permission and access control issues
| VAR-201908-0729 | CVE-2019-15104 | Zoho ManageEngine OpManager In SQL Injection vulnerability |
CVSS V2: 9.0 CVSS V3: 8.8 Severity: HIGH |
An issue was discovered in Zoho ManageEngine OpManager through 12.4x. There is a SQL Injection vulnerability in jsp/NewThresholdConfiguration.jsp via the resourceid parameter. Therefore, a low-authority user can gain the authority of SYSTEM on the server. One can consequently upload a malicious file using the "Execute Program Action(s)" feature. Zoho ManageEngine OpManager In SQL An injection vulnerability exists.Information is acquired, information is falsified, and denial of service (DoS) May be in a state. Zoho ManageEngine OpManager is a set of network, server and virtualization monitoring software from Zoho. An attacker could use this vulnerability to execute illegal SQL commands
| VAR-201908-0866 | CVE-2019-13514 | Delta Electronics Industrial Automation DOPSoft Resource Management Error Vulnerability |
CVSS V2: 6.8 CVSS V3: 7.8 Severity: HIGH |
In Delta Industrial Automation DOPSoft, Version 4.00.06.15 and prior, processing a specially crafted project file may trigger a use-after-free vulnerability, which may allow information disclosure, remote code execution, or crash of the application. Delta Industrial Automation DOPSoft Contains a vulnerability in the use of freed memory.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists within the parsing of DPA files. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Delta Electronics Industrial Automation DOPSoft is a set of human-machine interface (HMI) software from Taiwan's Delta Electronics (Delta Electronics) company
| VAR-201908-0257 | CVE-2019-9583 | eQ-3 Homematic CCU2 and CCU3 Vulnerable to resource exhaustion |
CVSS V2: 6.4 CVSS V3: 8.2 Severity: HIGH |
eQ-3 Homematic CCU2 and CCU3 obtain session IDs without login. This allows a Denial of Service and is a starting point for other attacks. Affected versions for CCU2: 2.35.16, 2.41.5, 2.41.8, 2.41.9, 2.45.6, 2.45.7, 2.47.10, 2.47.12, 2.47.15. Affected versions for CCU3: 3.41.11, 3.43.16, 3.45.5, 3.45.7, 3.47.10, 3.47.15. eQ-3 Homematic CCU2 and CCU3 Contains a resource exhaustion vulnerability.Tampering with information and disrupting service operations (DoS) There is a possibility of being put into a state. Both eQ-3 Homematic CCU3 and eQ-3 Homematic CCU2 are central control units of a smart home system produced by German eQ-3 company. A resource management error vulnerability exists in the eQ-3 Homematic CCU2 and eQ-3 Homematic CCU3. The following products and versions are affected: eQ-3 Homematic CCU2 Version 2.35.16, Version 2.41.5, Version 2.41.8, Version 2.41.9, Version 2.45.6, Version 2.45.7, Version 2.47.10, Version 2.47.12 Version, version 2.47.15; eQ-3 Homematic CCU3 version 3.41.11, version 3.43.16, version 3.45.5, version 3.45.7, version 3.47.10, version 3.47.15
| VAR-201908-1065 | CVE-2016-10880 | WordPress for google-document-embedder Plug-in vulnerable to cross-site scripting |
CVSS V2: 4.3 CVSS V3: 6.1 Severity: MEDIUM |
The google-document-embedder plugin before 2.6.1 for WordPress has XSS. WordPress for google-document-embedder The plug-in contains a cross-site scripting vulnerability.Information may be obtained and information may be altered. WordPress is a blogging platform developed by the WordPress Foundation using PHP language. The platform supports setting up personal blog sites on PHP and MySQL servers. google-document-embedder is one of the plug-ins used to add files to pages and provide download links. The vulnerability stems from the lack of correct validation of client data in WEB applications. An attacker could exploit this vulnerability to execute client code
| VAR-201908-0256 | CVE-2019-9582 | eQ-3 Homematic CCU2 Vulnerable to resource exhaustion |
CVSS V2: 7.8 CVSS V3: 7.5 Severity: HIGH |
eQ-3 Homematic CCU2 outdated base software packages allows Denial of Service. CCU2 affected versions: 2.35.16, 2.41.5, 2.41.8, 2.41.9, 2.45.6, 2.45.7, 2.47.10, 2.47.12, 2.47.15. eQ-3 Homematic CCU2 Contains a resource exhaustion vulnerability.Service operation interruption (DoS) There is a possibility of being put into a state. eQ-3 HomeMatic CCU2 is a central control unit of a smart home system produced by German eQ-3 company. A resource management error vulnerability exists in the eQ-3 Homematic CCU2. An attacker could exploit this vulnerability to cause a denial of service
| VAR-201908-0258 | CVE-2019-9584 | eQ-3 Homematic CCU2 and CCU3 Access control vulnerability |
CVSS V2: 7.5 CVSS V3: 9.8 Severity: CRITICAL |
eQ-3 Homematic AddOn 'CloudMatic' on CCU2 and CCU3 allows uncontrolled admin access, resulting in the ability to obtain VPN profile details, shutting down the VPN service and to delete the VPN service configuration. This is related to improper access control for all /addons/mh/ pages. eQ-3 Homematic CCU2 and CCU3 Contains an access control vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Both eQ-3 Homematic CCU3 and eQ-3 Homematic CCU2 are central control units of a smart home system produced by German eQ-3 company. This vulnerability stems from network systems or products not properly restricting access to resources from unauthorized roles