VARIoT IoT vulnerabilities database

Affected products: vendor, model and version
CWE format is 'CWE-number'. Threat type can be: remote or local
Look up free text in title and description

VAR-201908-0068 CVE-2019-3418 ZTE ZXHN F670 Cross-Site Scripting Vulnerability CVSS V2: 3.5
CVSS V3: 5.4
Severity: MEDIUM
All versions up to V1.1.10P3T18 of ZTE ZXHN F670 product are impacted by cross-site scripting vulnerability (XSS). Due to incomplete input validation, an authorized user can exploit this vulnerability to execute malicious scripts. ZTE ZXHN F670 is a modem from China ZTE Corporation (ZTE). The vulnerability stems from the lack of correct validation of client data in WEB applications
VAR-201908-2052 No CVE Advantech WebAccess has remote code execution vulnerability CVSS V2: 7.2
CVSS V3: -
Severity: HIGH
Advantech WebAccess / SCADA is a set of SCADA software based on browser architecture by Advantech of Taiwan, China. Advantech WebAccess has a remote code execution vulnerability. An attacker could use the vulnerability to obtain server information and permissions
VAR-201908-2051 No CVE Advantech WebAccess has arbitrary file deletion vulnerability CVSS V2: 4.9
CVSS V3: -
Severity: MEDIUM
Advantech WebAccess / SCADA is a set of SCADA software based on browser architecture by Advantech of Taiwan, China. Advantech WebAccess has an arbitrary file deletion vulnerability. Attackers can use the vulnerability to delete arbitrary files
VAR-201908-2053 No CVE Siemens SIMATIC S7-300 PLC Permission Permission Vulnerability CVSS V2: 6.1
CVSS V3: -
Severity: MEDIUM
The Siemens SIMATIC S7-300 CPU is a modular universal controller for the manufacturing industry from Siemens. The Siemens SIMATIC S7-300 PLC module is not authorized to bypass the execution of CPU attack vulnerabilities. The attacker can construct a special application layer data message, which causes arbitrary start and stop control of the PLC
VAR-201908-2055 No CVE The Delta ISPSoft isp project file has a memory corruption vulnerability CVSS V2: 4.9
CVSS V3: -
Severity: MEDIUM
ISPSoft is a new generation of Delta PLC programming software. Delta ISPSoft has a memory corruption vulnerability when processing isp project files. Attackers can trick users who install ISPSoft into opening malicious isp files, which triggers loopholes and denies service
VAR-201908-1942 CVE-2019-11162 Intel Multiple vulnerabilities in the product CVSS V2: 4.6
CVSS V3: 7.8
Severity: HIGH
Insufficient access control in hardware abstraction in SEMA driver for Intel(R) Computing Improvement Program before version 2.4.0.04733 may allow an authenticated user to potentially enable escalation of privilege, denial of service or information disclosure via local access. Intel Computing Improvement Program is a software improvement program application program of Intel Corporation. This program is used to collect computer function usage information, component usage information, operating system information, etc. A local attacker could exploit this vulnerability to elevate privileges, cause denial of service or disclose information
VAR-201908-1945 CVE-2019-11148 Intel Multiple vulnerabilities in the product CVSS V2: 4.6
CVSS V3: 7.8
Severity: HIGH
Improper permissions in the installer for Intel(R) Remote Displays SDK before version 2.0.1 R2 may allow an authenticated user to potentially enable escalation of privilege via local access. Intel Remote Displays SDK is a remote processing software development kit (SDK) of Intel Corporation. The product enables low-latency capture, compression, decompression, and configuration of virtual displays. A local attacker could exploit this vulnerability to elevate privileges
VAR-201908-1941 CVE-2019-11145 Intel Multiple vulnerabilities in the product CVSS V2: 4.6
CVSS V3: 7.8
Severity: HIGH
Improper file verification in IntelĀ® Driver & Support Assistant before 19.7.30.2 may allow an authenticated user to potentially enable escalation of privilege via local access. Intel Driver & Support Assistant is an Intel driver and support management tool from Intel Corporation. This tool is mainly used to get the latest applications provided by Intel. An authorization issue vulnerability exists in Intel Driver & Support Assistant versions prior to 19.7.30.2. The vulnerability is caused by the program not properly validating files. A local attacker could exploit this vulnerability to elevate privileges
VAR-201908-1944 CVE-2019-11146 Intel Multiple vulnerabilities in the product CVSS V2: 4.6
CVSS V3: 7.8
Severity: HIGH
Improper file verification in IntelĀ® Driver & Support Assistant before 19.7.30.2 may allow an authenticated user to potentially enable escalation of privilege via local access. Intel Driver & Support Assistant is an Intel driver and support management tool from Intel Corporation. This tool is mainly used to get the latest applications provided by Intel. An authorization issue vulnerability exists in Intel Driver & Support Assistant versions prior to 19.7.30.2. The vulnerability is caused by the program not properly validating files. A local attacker could exploit this vulnerability to elevate privileges
VAR-201908-1940 CVE-2019-11143 Intel Multiple vulnerabilities in the product CVSS V2: 4.6
CVSS V3: 6.7
Severity: MEDIUM
Improper permissions in the software installer for Intel(R) Authenticate before 3.8 may allow an authenticated user to potentially enable escalation of privilege via local access. Intel Authenticate is a set of multi-factor authentication software from Intel Corporation of the United States. An authorization issue vulnerability exists in the software installer in versions prior to Intel Authenticate 3.8. A local attacker could exploit this vulnerability to elevate privileges
VAR-201908-1943 CVE-2019-11163 Intel Multiple vulnerabilities in the product CVSS V2: 4.6
CVSS V3: 7.8
Severity: HIGH
Insufficient access control in a hardware abstraction driver for Intel(R) Processor Identification Utility for Windows before version 6.1.0731 may allow an authenticated user to potentially enable escalation of privilege, denial of service or information disclosure via local access. Intel Processor Identification Utility is a processor identification utility developed by Intel Corporation. The program supports displaying graphics information, chipset information, technologies supported by the processor, and other information. A local attacker could exploit this vulnerability to elevate privileges, cause denial of service or disclose information
VAR-201908-1608 CVE-2019-0173 Intel Multiple vulnerabilities in the product CVSS V2: 5.8
CVSS V3: 7.6
Severity: HIGH
Authentication bypass in the web console for Intel(R) Raid Web Console 2 all versions may allow an unauthenticated attacker to potentially enable disclosure of information via network access. Intel Raid Web Console 2 is a web-based application program of Intel Corporation that provides monitoring, maintenance, troubleshooting and configuration functions for Intel RAID products. An attacker could exploit this vulnerability to disclose information
VAR-201908-0730 CVE-2019-15105 Zoho ManageEngine Application Manager In SQL Injection vulnerability CVSS V2: 9.0
CVSS V3: 8.8
Severity: HIGH
An issue was discovered in Zoho ManageEngine Application Manager through 14.2. There is a SQL Injection vulnerability in jsp/NewThresholdConfiguration.jsp via the resourceid parameter. Therefore, a low-authority user can gain the authority of SYSTEM on the server. One can consequently upload a malicious file using the "Execute Program Action(s)" feature. Zoho ManageEngine Application Manager Is SQL An injection vulnerability exists.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. This system is mainly used to monitor server and application performance. An attacker could use this vulnerability to execute illegal SQL commands
VAR-201908-0731 CVE-2019-15106 Zoho ManageEngine OpManager Vulnerabilities related to authorization, permissions, and access control CVSS V2: 7.5
CVSS V3: 9.8
Severity: CRITICAL
An issue was discovered in Zoho ManageEngine OpManager in builds before 14310. One can bypass the user password requirement and execute commands on the server. The "username+'@opm' string is used for the password. For example, if the username is admin, the password is admin@opm. Zoho ManageEngine OpManager Contains vulnerabilities related to authorization, permissions, and access control.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Zoho ManageEngine OpManager is a set of network, server and virtualization monitoring software from Zoho. Zoho ManageEngine OpManager is vulnerable to permission permission and access control issues
VAR-201908-0729 CVE-2019-15104 Zoho ManageEngine OpManager In SQL Injection vulnerability CVSS V2: 9.0
CVSS V3: 8.8
Severity: HIGH
An issue was discovered in Zoho ManageEngine OpManager through 12.4x. There is a SQL Injection vulnerability in jsp/NewThresholdConfiguration.jsp via the resourceid parameter. Therefore, a low-authority user can gain the authority of SYSTEM on the server. One can consequently upload a malicious file using the "Execute Program Action(s)" feature. Zoho ManageEngine OpManager In SQL An injection vulnerability exists.Information is acquired, information is falsified, and denial of service (DoS) May be in a state. Zoho ManageEngine OpManager is a set of network, server and virtualization monitoring software from Zoho. An attacker could use this vulnerability to execute illegal SQL commands
VAR-201908-0866 CVE-2019-13514 Delta Electronics Industrial Automation DOPSoft Resource Management Error Vulnerability CVSS V2: 6.8
CVSS V3: 7.8
Severity: HIGH
In Delta Industrial Automation DOPSoft, Version 4.00.06.15 and prior, processing a specially crafted project file may trigger a use-after-free vulnerability, which may allow information disclosure, remote code execution, or crash of the application. Delta Industrial Automation DOPSoft Contains a vulnerability in the use of freed memory.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists within the parsing of DPA files. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Delta Electronics Industrial Automation DOPSoft is a set of human-machine interface (HMI) software from Taiwan's Delta Electronics (Delta Electronics) company
VAR-201908-0257 CVE-2019-9583 eQ-3 Homematic CCU2 and CCU3 Vulnerable to resource exhaustion CVSS V2: 6.4
CVSS V3: 8.2
Severity: HIGH
eQ-3 Homematic CCU2 and CCU3 obtain session IDs without login. This allows a Denial of Service and is a starting point for other attacks. Affected versions for CCU2: 2.35.16, 2.41.5, 2.41.8, 2.41.9, 2.45.6, 2.45.7, 2.47.10, 2.47.12, 2.47.15. Affected versions for CCU3: 3.41.11, 3.43.16, 3.45.5, 3.45.7, 3.47.10, 3.47.15. eQ-3 Homematic CCU2 and CCU3 Contains a resource exhaustion vulnerability.Tampering with information and disrupting service operations (DoS) There is a possibility of being put into a state. Both eQ-3 Homematic CCU3 and eQ-3 Homematic CCU2 are central control units of a smart home system produced by German eQ-3 company. A resource management error vulnerability exists in the eQ-3 Homematic CCU2 and eQ-3 Homematic CCU3. The following products and versions are affected: eQ-3 Homematic CCU2 Version 2.35.16, Version 2.41.5, Version 2.41.8, Version 2.41.9, Version 2.45.6, Version 2.45.7, Version 2.47.10, Version 2.47.12 Version, version 2.47.15; eQ-3 Homematic CCU3 version 3.41.11, version 3.43.16, version 3.45.5, version 3.45.7, version 3.47.10, version 3.47.15
VAR-201908-1065 CVE-2016-10880 WordPress for google-document-embedder Plug-in vulnerable to cross-site scripting CVSS V2: 4.3
CVSS V3: 6.1
Severity: MEDIUM
The google-document-embedder plugin before 2.6.1 for WordPress has XSS. WordPress for google-document-embedder The plug-in contains a cross-site scripting vulnerability.Information may be obtained and information may be altered. WordPress is a blogging platform developed by the WordPress Foundation using PHP language. The platform supports setting up personal blog sites on PHP and MySQL servers. google-document-embedder is one of the plug-ins used to add files to pages and provide download links. The vulnerability stems from the lack of correct validation of client data in WEB applications. An attacker could exploit this vulnerability to execute client code
VAR-201908-0256 CVE-2019-9582 eQ-3 Homematic CCU2 Vulnerable to resource exhaustion CVSS V2: 7.8
CVSS V3: 7.5
Severity: HIGH
eQ-3 Homematic CCU2 outdated base software packages allows Denial of Service. CCU2 affected versions: 2.35.16, 2.41.5, 2.41.8, 2.41.9, 2.45.6, 2.45.7, 2.47.10, 2.47.12, 2.47.15. eQ-3 Homematic CCU2 Contains a resource exhaustion vulnerability.Service operation interruption (DoS) There is a possibility of being put into a state. eQ-3 HomeMatic CCU2 is a central control unit of a smart home system produced by German eQ-3 company. A resource management error vulnerability exists in the eQ-3 Homematic CCU2. An attacker could exploit this vulnerability to cause a denial of service
VAR-201908-0258 CVE-2019-9584 eQ-3 Homematic CCU2 and CCU3 Access control vulnerability CVSS V2: 7.5
CVSS V3: 9.8
Severity: CRITICAL
eQ-3 Homematic AddOn 'CloudMatic' on CCU2 and CCU3 allows uncontrolled admin access, resulting in the ability to obtain VPN profile details, shutting down the VPN service and to delete the VPN service configuration. This is related to improper access control for all /addons/mh/ pages. eQ-3 Homematic CCU2 and CCU3 Contains an access control vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Both eQ-3 Homematic CCU3 and eQ-3 Homematic CCU2 are central control units of a smart home system produced by German eQ-3 company. This vulnerability stems from network systems or products not properly restricting access to resources from unauthorized roles