VARIoT IoT vulnerabilities database

Linear eMerge E3-Series devices have a Version Control Failure. Linear eMerge E3 Series devices contain source code vulnerabilities.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. This vulnerability stems from improper design or implementation problems in the code development process of network systems or products

Possible integer underflow due to lack of validation before calculation of data length in 802.11 Rx management configuration in Snapdragon Auto, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music in MDM9150, MDM9206, MDM9607, MDM9640, MDM9650, MSM8996AU, QCA6174A, QCA6574AU, QCA9377, QCA9379, QCS405, QCS605, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 450, SD 600, SD 625, SD 636, SD 665, SD 675, SD 712 / SD 710 / SD 670, SD 730, SD 820, SD 820A, SD 835, SD 845 / SD 850, SD 855, SDM630, SDM660, SDX20, SDX24. plural Snapdragon The product contains an out-of-bounds vulnerability and an integer underflow vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Qualcomm Components are prone to an integer-underflow vulnerability because they fail to sufficiently validate an integer value. Attackers can exploit this issue to execute arbitrary code within the context of the affected application. Failed exploits may result in denial-of-service conditions. This issue is being tracked by Android Bug ID A-129850941. Qualcomm MDM9206 and others are products of Qualcomm (Qualcomm). MDM9206 is a central processing unit (CPU) product. MDM9607 is a central processing unit (CPU) product. SDX20 is a modem. Numerical error vulnerabilities exist in several Qualcomm products. The vulnerability stems from incorrect calculations or conversions of numbers generated by networked systems or products. Attackers can exploit this vulnerability to cause integer overflow or sign error, etc

Data token is received from ADSP and is used without validation as an index into the array leads to out of bound access in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables in MDM9150, MDM9206, MDM9607, MDM9640, MDM9650, MSM8909W, MSM8996AU, QCS405, QCS605, Qualcomm 215, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 439 / SD 429, SD 450, SD 625, SD 632, SD 636, SD 665, SD 675, SD 712 / SD 710 / SD 670, SD 730, SD 820, SD 820A, SD 835, SD 845 / SD 850, SD 855, SDA660, SDM439, SDM630, SDM660, SDX20, SDX24. plural Snapdragon The product contains a vulnerability related to array index validation.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Qualcomm MDM9206 and others are products of Qualcomm (Qualcomm). MDM9206 is a central processing unit (CPU) product. MDM9607 is a central processing unit (CPU) product. SDX20 is a modem. An input validation error vulnerability exists in the audio drivers in several Qualcomm products. The vulnerability stems from the failure of the network system or product to properly validate the input data

User application could potentially make RPC call to the fastrpc driver and the driver will allow the message to go through to the remote subsystem in Snapdragon Auto, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables in MDM9150, MDM9607, MDM9650, MSM8909W, MSM8996AU, QCS405, QCS605, Qualcomm 215, SD 425, SD 427, SD 430, SD 435, SD 439 / SD 429, SD 450, SD 625, SD 632, SD 636, SD 665, SD 675, SD 712 / SD 710 / SD 670, SD 730, SD 820A, SD 835, SD 845 / SD 850, SD 855, SDA660, SDM439, SDM630, SDM660, SDX20, SDX24. plural Snapdragon The product contains vulnerabilities related to authorization, permissions, and access control.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Qualcomm MDM9607 and others are products of Qualcomm (Qualcomm). MDM9607 is a central processing unit (CPU) product. MDM9650 is a central processing unit (CPU) product. SDX20 is a modem. The DSP Service in several Qualcomm products has permissions and access control vulnerabilities. The vulnerability stems from the lack of effective permissions and access control measures in network systems or products

Possible buffer overflow when number of channels passed is more than size of channel mapping array in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables in MDM9150, MDM9206, MDM9607, MDM9640, MDM9650, MSM8909W, MSM8996AU, QCS405, QCS605, Qualcomm 215, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 439 / SD 429, SD 450, SD 600, SD 615/16/SD 415, SD 625, SD 632, SD 636, SD 665, SD 675, SD 712 / SD 710 / SD 670, SD 730, SD 820, SD 820A, SD 835, SD 845 / SD 850, SD 855, SDA660, SDM439, SDM630, SDM660, SDX20, SDX24. plural Snapdragon The product contains a buffer error vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Qualcomm MDM9206 and others are products of Qualcomm (Qualcomm). MDM9206 is a central processing unit (CPU) product. MDM9607 is a central processing unit (CPU) product. SDX20 is a modem. A buffer error vulnerability exists in the audio drivers in several Qualcomm products. This vulnerability stems from the incorrect verification of data boundaries when the network system or product performs operations on the memory, resulting in incorrect read and write operations to other associated memory locations. Attackers can exploit this vulnerability to cause buffer overflow or heap overflow, etc

improper input validation in allocation request for secure allocations can lead to page fault. in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables, Snapdragon Wired Infrastructure and Networking in IPQ4019, IPQ8064, IPQ8074, MDM9150, MDM9640, MDM9650, MSM8909W, MSM8996AU, QCS405, QCS605, Qualcomm 215, SD 425, SD 427, SD 430, SD 435, SD 439 / SD 429, SD 450, SD 625, SD 632, SD 636, SD 665, SD 675, SD 712 / SD 710 / SD 670, SD 730, SD 820A, SD 835, SD 845 / SD 850, SD 855, SDA660, SDM439, SDM630, SDM660, SDX20, SDX24. plural Snapdragon The product contains an input validation vulnerability.Service operation interruption (DoS) There is a possibility of being put into a state. Qualcomm MDM9640, etc. are all products of Qualcomm. MDM9640 is a central processing unit (CPU) product. MDM9650 is a central processing unit (CPU) product. SDX20 is a modem. The Kernel in many Qualcomm products has an input validation error vulnerability. The vulnerability stems from the fact that the network system or product did not correctly verify the input data. No detailed vulnerability details are currently available

On BIG-IP 14.1.0-14.1.0.5, 14.0.0-14.0.0.4, 13.0.0-13.1.1.4, and 12.1.0-12.1.4, a high volume of malformed analytics report requests leads to instability in restjavad process. This causes issues with both iControl REST and some portions of TMUI. The attack requires an authenticated user with any role. BIG-IP Contains an input validation vulnerability.Service operation interruption (DoS) There is a possibility of being put into a state. Multiple F5 BIG-IP Products are prone to a denial-of-service vulnerability. An attacker can exploit this issue to crash the process, denying service to legitimate users. F5 BIG-IP is an application delivery platform integrated with network traffic management, application security management, load balancing and other functions of the US company F5. Attackers can exploit this vulnerability to interrupt services by requesting a large number of malformed analysis reports

On BIG-IP 14.1.0-14.1.0.5, 14.0.0-14.0.0.4, 13.0.0-13.1.1.4, and 12.1.0-12.1.4, under certain circumstances, attackers can decrypt configuration items that are encrypted because the vCMP configuration unit key is generated with insufficient randomness. The attack prerequisite is direct access to encrypted configuration and/or UCS files. BIG-IP Contains a cryptographic vulnerability.Information may be obtained. Multiple F5 BIG-IP Products are prone to a local information-disclosure vulnerability. Successfully exploiting this issue may allow attackers to obtain sensitive information. This may lead to other attacks. F5 BIG-IP is an application delivery platform integrated with network traffic management, application security management, load balancing and other functions of the US company F5

On BIG-IP (AFM, PEM) 14.1.0-14.1.0.5, 14.0.0-14.0.0.4, 13.0.0-13.1.1.4, 12.1.0-12.1.4, 11.6.1-11.6.3.4, and 11.5.1-11.5.8, an undisclosed TMUI pages for AFM and PEM Subscriber management are vulnerable to a stored cross-site scripting (XSS) issue. This is a control plane issue only and is not accessible from the data plane. The attack requires a malicious resource administrator to store the XSS. Multiple F5 BIG-IP Products are prone to an HTML-injection vulnerability because it fails to sufficiently sanitize user-supplied input. Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible. F5 BIG-IP is an application delivery platform integrated with network traffic management, application security management, load balancing and other functions of the US company F5. The vulnerability stems from the lack of correct validation of client data in WEB applications. An attacker could exploit this vulnerability to execute client code. The following products and versions are affected: F5 BIG-IP AFM version 11.5.0 to 11.5.8, version 11.6.0 to 11.6.3, version 12.1.0 to 12.1.4, version 13.0.0 to 13.1.1, version 14.0. 0 to 14.1.0 versions; F5 BIG-IP PEM versions 11.5.0 to 11.5.8, 11.6.0 to 11.6.3 versions, 12.1.0 to 12.1.4 versions, 13.0.0 to 13.1.1 versions, 14.0. 0 to version 14.1.0

On BIG-IP (AFM, Analytics, ASM) 14.1.0-14.1.0.5, 14.0.0-14.0.0.4, 13.0.0-13.1.1.4, 12.1.0-12.1.4, and 11.5.1-11.6.3.4, A reflected cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Traffic Management User Interface (TMUI), also known as the Configuration utility. F5 BIG-IP is an application delivery platform integrated with network traffic management, application security management, load balancing and other functions of the US company F5. The vulnerability stems from the lack of correct validation of client data in WEB applications. An attacker could exploit this vulnerability to execute client code. The following products and versions are affected: F5 BIG-IP AFM from version 14.1.0 to version 14.1.0.5, version 14.0.0 to version 14.0.0.4, version 13.0.0 to version 13.1.1.4, version 12.1.0 to version 12.1.4 Versions, 11.5.1 to 11.6.3.4; BIG-IP Analytics 14.1.0 to 14.1.0.5, 14.0.0 to 14.0.0.4, 13.0.0 to 13.1.1.4, 12.1.0 to version 12.1.4, version 11.5.1 to version 11.6.3.4; BIG-IP ASM version 14.1.0 to version 14.1.0.5, version 14.0.0 to version 14.0.0.4, version 13.0.0 to version 13.1.1.4, Version 12.1.0 to version 12.1.4, version 11.5.1 to version 11.6.3.4

On BIG-IP 12.1.0-12.1.4.1, undisclosed requests can cause iControl REST processes to crash. The attack can only come from an authenticated user; all roles are capable of performing the attack. Unauthenticated users cannot perform this attack. BIG-IP Contains an input validation vulnerability.Service operation interruption (DoS) There is a possibility of being put into a state. Multiple F5 BIG-IP Products are prone to a denial-of-service vulnerability. An attacker can exploit this issue to crash the process, denying service to legitimate users. F5 BIG-IP is an application delivery platform integrated with network traffic management, application security management, load balancing and other functions of the US company F5

On BIG-IP (AFM, ASM) 14.1.0-14.1.0.5, 14.0.0-14.0.0.4, 13.0.0-13.1.1.4, 12.1.0-12.1.4, and 11.5.1-11.6.4, a stored cross-site scripting vulnerability in AFM feed list. In the worst case, an attacker can store a CSRF which results in code execution as the admin user. The level of user role which can perform this attack are resource administrator and administrator. BIG-IP (AFM , ASM) Contains a cross-site scripting vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Multiple F5 BIG-IP Products are prone to an HTML-injection vulnerability because it fails to sufficiently sanitize user-supplied input. Attacker-supplied HTML or JavaScript code could run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials and to control how the site is rendered to the user; other attacks are also possible. F5 BIG-IP is an application delivery platform integrated with network traffic management, application security management, load balancing and other functions of the US company F5. The vulnerability stems from the lack of correct validation of client data in WEB applications. An attacker could exploit this vulnerability to execute client code. The following products and versions are affected: F5 BIG-IP AFM from version 14.1.0 to version 14.1.0.5, version 14.0.0 to version 14.0.0.4, version 13.0.0 to version 13.1.1.4, version 12.1.0 to version 12.1.4 Version, 11.5.1 to 11.6.4

On BIG-IP 14.1.0-14.1.0.5, 14.0.0-14.0.0.4, 13.0.0-13.1.1.4, 12.1.0-12.1.4, 11.6.1-11.6.3.4, and 11.5.1-11.5.8, SNMP exposes sensitive configuration objects over insecure transmission channels. This issue is exposed when a passphrase is inserted into various profile types and accessed using SNMPv2. BIG-IP Contains an information disclosure vulnerability.Information may be obtained. Multiple F5 BIG-IP Products are prone to an information-disclosure vulnerability. Successfully exploiting this issue may allow attackers to obtain sensitive information. This may lead to other attacks. F5 BIG-IP is an application delivery platform integrated with network traffic management, application security management, load balancing and other functions of the US company F5. An attacker could exploit this vulnerability to obtain the passphrase used in the configuration file. The following products and versions are affected: F5 BIG-IP 11.6.1 to 11.6.3, 11.5.1 to 11.5.8, 12.1.0 to 12.1.4, 13.0.0 to 13.1.1 , 14.1.0 version to 14.1.0.5 version, 14.0.0 version to 14.0.0.4 version

On BIG-IP 14.1.0-14.1.0.5, 14.0.0-14.0.0.4, 13.0.0-13.1.1.4, 12.1.0-12.1.4, 11.6.1-11.6.3.4, and 11.5.1-11.5.8, when the BIG-IP system is licensed for Appliance mode, a user with either the Administrator or the Resource Administrator role can bypass Appliance mode restrictions. BIG-IP Contains an access control vulnerability.Information may be tampered with. Multiple F5 BIG-IP Products are prone to a security-bypass vulnerability. An attacker can exploit this issue to bypass certain security restrictions and perform unauthorized actions; this may aid in launching further attacks. F5 BIG-IP is an application delivery platform integrated with network traffic management, application security management, load balancing and other functions of the US company F5. A security vulnerability exists in the F5 BIG-IP that could allow a local attacker to overwrite arbitrary files. The following products and versions are affected: F5 BIG-IP versions 11.5.2 to 11.5.8, 11.6.1 to 11.6.3, 12.1.0 to 12.1.4, 13.0.0 to 13.1.1, 14.0.0 Version, version 14.1.0

On BIG-IP 14.1.0-14.1.0.5 and 14.0.0-14.0.0.4, Malformed http requests made to an undisclosed iControl REST endpoint can lead to infinite loop of the restjavad process. BIG-IP Contains a resource exhaustion vulnerability.Service operation interruption (DoS) There is a possibility of being put into a state. Multiple F5 BIG-IP Products are prone to a denial-of-service vulnerability. An attacker can exploit this issue to cause a denial of service condition. F5 BIG-IP is an application delivery platform integrated with network traffic management, application security management, load balancing and other functions of the US company F5. A security vulnerability exists in BIG-IP versions 14.1.0 through 14.1.0.5 and 14.0.0 through 14.0.0.4

On BIG-IP 14.1.0-14.1.0.5, 14.0.0-14.0.0.4, 13.0.0-13.1.1.4, 12.1.0-12.1.4, and 11.5.1-11.6.4, a reflected cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Traffic Management User Interface (TMUI) also known as the BIG-IP Configuration utility. BIG-IP Contains a cross-site scripting vulnerability.Information may be obtained and information may be altered

On BIG-IP 11.5.1-11.6.4, iRules performing HTTP header manipulation may cause an interruption to service when processing traffic handled by a Virtual Server with an associated HTTP profile, in specific circumstances, when the requests do not strictly conform to RFCs. BIG-IP Contains an input validation vulnerability.Service operation interruption (DoS) There is a possibility of being put into a state. Multiple F5 BIG-IP Products are prone to a denial-of-service vulnerability. An attacker can exploit this issue to cause a denial of service condition. F5 BIG-IP is an application delivery platform integrated with network traffic management, application security management, load balancing and other functions of the US company F5

On BIG-IP 14.1.0-14.1.0.5, 14.0.0-14.0.0.4, 13.0.0-13.1.1.4, 12.1.0-12.1.4.1, and 11.5.1-11.6.4, when the BIG-IP system is licensed with Appliance mode, user accounts with Administrator and Resource Administrator roles can bypass Appliance mode restrictions. BIG-IP Contains vulnerabilities related to authorization, permissions, and access control.Information may be obtained and information may be altered. Multiple F5 BIG-IP Products are prone to a local security-bypass vulnerability. An attacker can exploit this issue to bypass certain security restrictions and perform unauthorized actions; this may aid in launching further attacks. F5 BIG-IP is an application delivery platform integrated with network traffic management, application security management, load balancing and other functions of the US company F5. An attacker could exploit this vulnerability to read and modify arbitrary files on the system. The following products and versions are affected: F5 BIG-IP 11.5.2 to 11.5.9, 11.6.1 to 11.6.4, 12.1.0 to 12.1.4, 13.0.0 to 13.1.1 , version 14.0.0, version 14.1.0

On BIG-IP 14.1.0-14.1.0.5, undisclosed SSL traffic to a virtual server configured with a Client SSL profile may cause TMM to fail and restart. The Client SSL profile must have session tickets enabled and use DHE cipher suites to be affected. This only impacts the data plane, there is no impact to the control plane. BIG-IP Contains an input validation vulnerability.Service operation interruption (DoS) There is a possibility of being put into a state. F5 BIG-IP is an application delivery platform integrated with network traffic management, application security management, load balancing and other functions of the US company F5. A security vulnerability exists in F5 BIG-IP versions 14.1.0.1 to 14.1.0.5, which could be exploited by attackers to disrupt traffic processing

On BIG-IP 14.1.0-14.1.0.5, 14.0.0-14.0.0.4, 13.0.0-13.1.1.4, and 12.1.0-12.1.4, undisclosed traffic sent to BIG-IP iSession virtual server may cause the Traffic Management Microkernel (TMM) to restart, resulting in a Denial-of-Service (DoS). BIG-IP Contains an input validation vulnerability.Service operation interruption (DoS) There is a possibility of being put into a state. Multiple F5 BIG-IP Products are prone to a denial-of-service vulnerability. Attackers can exploit this issue to cause a denial of service condition. F5 BIG-IP is an application delivery platform integrated with network traffic management, application security management, load balancing and other functions of the US company F5