VARIoT IoT vulnerabilities database

On BIG-IP 11.5.1-11.6.4, iRules performing HTTP header manipulation may cause an interruption to service when processing traffic handled by a Virtual Server with an associated HTTP profile, in specific circumstances, when the requests do not strictly conform to RFCs. BIG-IP Contains an input validation vulnerability.Service operation interruption (DoS) There is a possibility of being put into a state. Multiple F5 BIG-IP Products are prone to a denial-of-service vulnerability. An attacker can exploit this issue to cause a denial of service condition. F5 BIG-IP is an application delivery platform integrated with network traffic management, application security management, load balancing and other functions of the US company F5

On BIG-IP 14.1.0-14.1.0.5, 14.0.0-14.0.0.4, 13.0.0-13.1.1.4, 12.1.0-12.1.4.1, and 11.5.1-11.6.4, when the BIG-IP system is licensed with Appliance mode, user accounts with Administrator and Resource Administrator roles can bypass Appliance mode restrictions. BIG-IP Contains vulnerabilities related to authorization, permissions, and access control.Information may be obtained and information may be altered. Multiple F5 BIG-IP Products are prone to a local security-bypass vulnerability. An attacker can exploit this issue to bypass certain security restrictions and perform unauthorized actions; this may aid in launching further attacks. F5 BIG-IP is an application delivery platform integrated with network traffic management, application security management, load balancing and other functions of the US company F5. An attacker could exploit this vulnerability to read and modify arbitrary files on the system. The following products and versions are affected: F5 BIG-IP 11.5.2 to 11.5.9, 11.6.1 to 11.6.4, 12.1.0 to 12.1.4, 13.0.0 to 13.1.1 , version 14.0.0, version 14.1.0

On BIG-IP 14.1.0-14.1.0.5, undisclosed SSL traffic to a virtual server configured with a Client SSL profile may cause TMM to fail and restart. The Client SSL profile must have session tickets enabled and use DHE cipher suites to be affected. This only impacts the data plane, there is no impact to the control plane. BIG-IP Contains an input validation vulnerability.Service operation interruption (DoS) There is a possibility of being put into a state. F5 BIG-IP is an application delivery platform integrated with network traffic management, application security management, load balancing and other functions of the US company F5. A security vulnerability exists in F5 BIG-IP versions 14.1.0.1 to 14.1.0.5, which could be exploited by attackers to disrupt traffic processing

On BIG-IP 14.1.0-14.1.0.5, 14.0.0-14.0.0.4, 13.0.0-13.1.1.4, and 12.1.0-12.1.4, undisclosed traffic sent to BIG-IP iSession virtual server may cause the Traffic Management Microkernel (TMM) to restart, resulting in a Denial-of-Service (DoS). BIG-IP Contains an input validation vulnerability.Service operation interruption (DoS) There is a possibility of being put into a state. Multiple F5 BIG-IP Products are prone to a denial-of-service vulnerability. Attackers can exploit this issue to cause a denial of service condition. F5 BIG-IP is an application delivery platform integrated with network traffic management, application security management, load balancing and other functions of the US company F5

On BIG-IP 14.1.0-14.1.0.5, 14.0.0-14.0.0.5, 13.0.0-13.1.1.4, 12.1.0-12.1.4.1, and 11.5.1-11.6.4 and BIG-IQ 6.0.0-6.1.0 and 5.1.0-5.4.0, an undisclosed iControl REST worker vulnerable to command injection for an Administrator user. BIG-IP and BIG-IQ Contains a command injection vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. F5 BIG-IP is an application delivery platform that integrates the functions of network traffic management, application security management, load balancing and other functions of the F5 company in the United States. There is a command injection vulnerability in F5 BIG-IP and BIG-IQ. This vulnerability originates from the process of constructing executable commands by external input data. Network systems or products do not properly filter special elements. Attackers can use this vulnerability to execute illegal commands. The following products and versions are affected: F5 BIG-IP 14.1.0 to 14.1.0.5, 14.0.0 to 14.0.0.5, 13.0.0 to 13.1.1.4, 12.1.0 to 12.1.4.1 , 11.5.1 to 11.6.4; BIG-IQ 6.0.0 to 6.1.0, 5.1.0 to 5.4.0

On BIG-IP 14.1.0-14.1.0.5, 14.0.0-14.0.0.4, 13.0.0-13.1.1.4, 12.1.0-12.1.4.1, 11.6.1-11.6.3.4, and 11.5.2-11.5.8 and BIG-IQ 7.0.0-7.1.0.2, 6.0.0-6.1.0, and 5.1.0-5.4.0, an undisclosed iControl REST worker is vulnerable to command injection by an admin/resource admin user. This issue impacts both iControl REST and tmsh implementations. BIG-IP and BIG-IQ Contains a command injection vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. F5 BIG-IP is an application delivery platform integrated with network traffic management, application security management, load balancing and other functions of the US company F5. A command injection vulnerability exists in F5 BIG-IP and BIG-IQ. This vulnerability stems from the fact that the network system or product does not correctly filter special elements in the process of constructing executable commands from external input data. Attackers can exploit this vulnerability to execute illegal commands. The following products and versions are affected: F5 BIG-IP 14.1.0 to 14.1.0.5, 14.0.0 to 14.0.0.5, 13.0.0 to 13.1.1.4, 12.1.0 to 12.1.4.1 , 11.6.1 to 11.6.3.4, 11.5.1 to 11.5.8; BIG-IQ 6.0.0 to 6.1.0, 5.1.0 to 5.4.0

On BIG-IP 14.1.0-14.1.0.5, 14.0.0-14.0.0.5, 13.0.0-13.1.1.4, 12.1.0-12.1.4.1, and 11.5.1-11.6.4, an undisclosed iControl REST worker is vulnerable to command injection by an administrator or resource administrator user. This attack is only exploitable on multi-bladed systems. BIG-IP Contains a command injection vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. F5 BIG-IP is an application delivery platform integrated with network traffic management, application security management, load balancing and other functions of the US company F5. A command injection vulnerability exists in the F5 BIG-IP. This vulnerability stems from the fact that the network system or product does not correctly filter special elements in the process of constructing executable commands from external input data. Attackers can exploit this vulnerability to execute illegal commands. The following products and versions are affected: F5 BIG-IP 14.1.0 to 14.1.0.5, 14.0.0 to 14.0.0.5, 13.0.0 to 13.1.1.4, 12.1.0 to 12.1.4.1 , version 11.5.1 to version 11.6.4

On BIG-IP 14.1.0-14.1.0.5, 14.0.0-14.0.0.4, 13.0.0-13.1.1.4, and 12.1.0-12.1.4, an undisclosed traffic pattern sent to a BIG-IP UDP virtual server may lead to a denial-of-service (DoS). BIG-IP Contains an input validation vulnerability.Service operation interruption (DoS) There is a possibility of being put into a state

Linear eMerge E3-Series devices have Default Credentials. Linear eMerge E3 Series devices contain vulnerabilities related to certificate and password management.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Nortek Security & Control Linear eMerge E3-Series is an access control device from Nortek Security & Control, USA. Nortek Security & Control Linear eMerge E3-Series has a trust management issue vulnerability. An attacker could use this vulnerability to obtain default passwords and identify target systems connected to the network. to attack affected components

Linear eMerge E3-Series devices allow Directory Traversal. Linear eMerge E3 series devices contain a path traversal vulnerability.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. Nortek Security&ControlLineareMergeE3-Series is an access control device from Nortek Security & Control. A path traversal vulnerability exists in the LineareMergeE3-Series device due to a program that failed to properly process sequences such as \342\200\230../\342\200\231. An attacker could exploit the vulnerability to traverse the file system and access files or directories outside of the restrictions

Linear eMerge E3-Series devices allow Unrestricted File Upload. (DoS) It may be in a state. Nortek Security & Control Linear eMerge E3-Series is an access control device from Nortek Security & Control, USA. Nortek Security & Control Linear eMerge E3-Series has a code issue vulnerability. An attacker could use this vulnerability to upload a file with an arbitrary extension to a path in the application's Web root directory and execute the file with Web server permissions

Linear eMerge E3-Series devices allow Cross-Site Request Forgery (CSRF). (DoS) It may be in a state. Nortek Security&Control Linear eMerge E3-Series is an access control device from Nortek Security&Control Company in the United States. The vulnerability stems from the WEB application not adequately verifying that the request is from a trusted user. An attacker could exploit this vulnerability to send unexpected requests to the server through an affected client

Linear eMerge E3-Series devices have Hard-coded Credentials. Linear eMerge E3 series devices contain a vulnerability related to the use of hardcoded credentials.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. Nortek Security & Control Linear eMerge E3-Series is an access control device from Nortek Security & Control, USA. Nortek Security & Control Linear eMerge E3-Series has a trust management issue vulnerability. An attacker could use this vulnerability to bypass authentication detection

Linear eMerge E3-Series devices allow Authorization Bypass with Information Disclosure. (DoS) It may be in a state. Nortek Security & Control Linear eMerge E3-Series is an access control device from Nortek Security & Control, USA. An attacker can use the GET request to exploit the vulnerability to bypass authorization, obtain management credentials, log in again with admin permissions, and gain full access to the control interface

Linear eMerge E3-Series devices allow Privilege Escalation. Linear eMerge E3 Series devices contain vulnerabilities related to authorization, privileges, and access control.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. Nortek Security & Control Linear eMerge E3-Series is an access control device from Nortek Security & Control, USA. Nortek Security & Control Linear eMerge E3-Series has a permission permission and access control problem vulnerability. An attacker could use this vulnerability to elevate to superuser privileges

Linear eMerge E3-Series devices allow XSS. Linear eMerge E3 series devices contain a cross-site scripting vulnerability.Information may be obtained and information may be tampered with. Nortek Security&ControlLineareMergeE3-Series is an access control device from Nortek Security & Control. A cross-site scripting vulnerability exists in LineareMergeE3-Series. The vulnerability stems from the lack of proper validation of client data for web applications. An attacker could exploit the vulnerability to execute client code

On BIG-IP (ASM) 14.1.0-14.1.0.5, 14.0.0-14.0.0.4, 13.0.0-13.1.1.4, and 12.1.0-12.1.4, Application logic abuse of ASM REST endpoints can lead to instability of BIG-IP system. Exploitation of this issue causes excessive memory consumption which results in the Linux kernel triggering OOM killer on arbitrary processes. The attack requires an authenticated user with role of "Guest" or greater privilege. Note: "No Access" cannot login so technically it's a role but a user with this access role cannot perform the attack. BIG-IP (ASM) Contains a resource exhaustion vulnerability.Service operation interruption (DoS) There is a possibility of being put into a state. F5 BIG-IP ASM is prone to a denial-of-service vulnerability. F5 BIG-IP Application Security Manager (ASM) is a Web Application Firewall (WAF) of F5 Corporation in the United States, which provides secure remote access, protects email, simplifies Web access control, and enhances network and application performance. An attacker can exploit this vulnerability to consume a large amount of memory and terminate arbitrary processes. The following products and versions are affected: F5 BIG-IP ASM version 14.1.0 to 14.1.0.5, 14.0.0 to 14.0.0.4, 13.0.0 to 13.1.1.4, 12.1.0 to 12.1.4 Version

An issue was discovered in TRENDnet TEW-827DRU firmware before 2.05B11. There is a command injection in apply.cgi (exploitable with authentication) via the TCP Ports To Open in Add Gaming Rule. TRENDnet TEW-827DRU The firmware contains a command injection vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. TRENDnet TEW-827DRU is a wireless router from TRENDnet. A command injection vulnerability exists in the apply.cgi file in the TRENDnet TEW-827DRU with firmware prior to 2.05B11. The vulnerability stems from the fact that external input data constructs executable commands, and the network system or product does not properly filter the special elements. An attacker could exploit the vulnerability to execute an illegal command

An issue was discovered in TRENDnet TEW-827DRU firmware before 2.05B11. There is a command injection in apply.cgi (exploitable with authentication) via the IP Address in Add Gaming Rule. TRENDnet TEW-827DRU The firmware contains a command injection vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. TRENDnetTEW-827DRU is a wireless router from TRENDnet. A command injection vulnerability exists in the apply.cgi file in the TRENDnetTEW-827DRU with firmware prior to 2.05B11. The vulnerability stems from the fact that external input data constructs executable commands, and the network system or product does not properly filter the special elements. An attacker could exploit the vulnerability to execute an illegal command

An issue was discovered in TRENDnet TEW-827DRU firmware before 2.05B11. There is a command injection in apply.cgi (exploitable with authentication) via the key passwd in Routing RIP Settings. TRENDnet TEW-827DRU The firmware contains a command injection vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. TRENDnet TEW-827DRU is a wireless router from TRENDnet. A command injection vulnerability exists in the apply.cgi file in the TRENDnet TEW-827DRU with firmware prior to 2.05B11. The vulnerability stems from the fact that external input data constructs executable commands, and the network system or product does not properly filter the special elements. An attacker could exploit the vulnerability to execute an illegal command