VARIoT IoT vulnerabilities database
| VAR-201905-0848 | CVE-2018-4028 | Anker Roav A1 Dashcam Permissions vulnerability |
CVSS V2: 7.8 CVSS V3: 7.5 Severity: HIGH |
An exploitable firmware update vulnerability exists in the NT9665X Chipset firmware running on the Anker Roav A1 Dashcam, version RoavA1SWV1.9. The HTTP server could allow an attacker to overwrite the root directory of the server, resulting in a denial of service. An attacker can send an HTTP POST request to trigger this vulnerability. The Anker Roav A1 Dashcam therefore contains a permission vulnerability; the device may be put into a denial-of-service (DoS) state. The Novatek NT9665X is a chipset for camera equipment. The vulnerability stems from missing or insufficient authentication on the affected network interface.
| VAR-201905-0846 | CVE-2018-4026 | Anker Roav A1 Dashcam Input validation vulnerability |
CVSS V2: 7.8 CVSS V3: 7.5 Severity: HIGH |
An exploitable denial-of-service vulnerability exists in the XML_GetScreen Wi-Fi command of the NT9665X Chipset firmware, running on the Anker Roav A1 Dashcam, version RoavA1SWV1.9. A specially crafted set of packets can cause an invalid memory dereference, resulting in a device reboot. The Anker Roav A1 Dashcam therefore contains an input validation vulnerability; the device may be put into a denial-of-service (DoS) state. The Novatek NT9665X is a chipset for camera equipment. The vulnerability stems from the product failing to properly validate input data.
| VAR-201905-0849 | CVE-2018-4029 | Anker Roav A1 Dashcam Out-of-bounds write vulnerability |
CVSS V2: 7.5 CVSS V3: 9.8 Severity: CRITICAL |
An exploitable code execution vulnerability exists in the HTTP request-parsing function of the NT9665X Chipset firmware running on the Anker Roav A1 Dashcam, version RoavA1SWV1.9. A specially crafted packet can cause an unlimited and arbitrary write to memory, resulting in code execution. The Anker Roav A1 Dashcam therefore contains an out-of-bounds write vulnerability; information may be obtained or altered, and the device may be put into a denial-of-service (DoS) state. The Novatek NT9665X is a chipset for camera equipment. The vulnerability stems from incorrect verification of data boundaries during memory operations, which allows reads and writes to other, adjacent memory locations; an attacker can exploit it to cause a stack or heap overflow.
| VAR-201905-0803 | CVE-2018-14711 | ASUS RT-AC3200 Vulnerable to cross-site request forgery |
CVSS V2: 4.3 CVSS V3: 6.5 Severity: MEDIUM |
Missing cross-site request forgery protection in appGet.cgi on ASUS RT-AC3200 version 3.0.0.4.382.50010 allows attackers to cause state-changing actions with specially crafted URLs. The ASUS RT-AC3200 therefore contains a cross-site request forgery vulnerability; information may be tampered with. The ASUS RT-AC3200 is a wireless router manufactured by ASUS (Taiwan). The vulnerability stems from the web application not adequately verifying that a request originates from a trusted user. An attacker could exploit it to send unexpected requests to the router through an affected client, such as the browser of an administrator who is logged in.
| VAR-201905-0407 | CVE-2019-7404 | Multiple LG router products Information disclosure vulnerability |
CVSS V2: 5.0 CVSS V3: 7.5 Severity: HIGH |
An issue was discovered on LG GAMP-7100, GAPM-7200, and GAPM-8000 routers. An unauthenticated user can read a log file via an HTTP request containing its full pathname, such as http://192.168.0.1/var/gapm7100_${today's_date}.log for reading a filename such as gapm7100_190101.log. The LG GAMP-7100, GAPM-7200 and GAPM-8000 routers therefore contain an information disclosure vulnerability; information may be obtained. The LG GAMP-7100 is a router from LG. An unauthenticated attacker could use the vulnerability to obtain sensitive information from the affected components. The vulnerability stems from a configuration error in the product.
| VAR-201905-0802 | CVE-2018-14710 | ASUS RT-AC3200 Vulnerable to cross-site scripting |
CVSS V2: 4.3 CVSS V3: 6.1 Severity: MEDIUM |
Cross-site scripting in appGet.cgi on ASUS RT-AC3200 version 3.0.0.4.382.50010 allows attackers to execute JavaScript via the "hook" URL parameter. The ASUS RT-AC3200 therefore contains a cross-site scripting vulnerability; information may be obtained or altered. The ASUS RT-AC3200 is a wireless router manufactured by ASUS (Taiwan). The vulnerability stems from the web application not correctly validating client-supplied data. An attacker could exploit it to execute client-side code in a victim's browser.
| VAR-201905-0804 | CVE-2018-14712 | ASUS RT-AC3200 Buffer error vulnerability |
CVSS V2: 4.0 CVSS V3: 6.5 Severity: MEDIUM |
Buffer overflow in appGet.cgi on ASUS RT-AC3200 version 3.0.0.4.382.50010 allows attackers to inject system commands via the "hook" URL parameter. The ASUS RT-AC3200 therefore contains a buffer error vulnerability; the device may be put into a denial-of-service (DoS) state. The ASUS RT-AC3200 is a wireless router manufactured by ASUS (Taiwan). The vulnerability stems from incorrect verification of data boundaries during memory operations, which allows reads and writes to other, adjacent memory locations; an attacker can exploit it to cause a stack or heap overflow.
| VAR-201905-0827 | CVE-2018-19037 | Virgin Media wireless router hub Resource exhaustion vulnerability |
CVSS V2: 5.0 CVSS V3: 7.5 Severity: HIGH |
On Virgin Media wireless router 3.0 hub devices, the web interface is vulnerable to denial of service. When POST requests are sent and the connection is kept open, the router lags and becomes unusable to anyone currently using the web interface. The vulnerability stems from improper management of system resources (such as memory, disk space, or file handles) by the product.
| VAR-201905-0805 | CVE-2018-14713 | ASUS RT-AC3200 Format string vulnerability |
CVSS V2: 5.5 CVSS V3: 8.1 Severity: HIGH |
Format string vulnerability in appGet.cgi on ASUS RT-AC3200 version 3.0.0.4.382.50010 allows attackers to read arbitrary sections of memory and CPU registers via the "hook" URL parameter. The ASUS RT-AC3200 therefore contains a format string vulnerability; information may be obtained or altered. The ASUS RT-AC3200 is a wireless router manufactured by ASUS (Taiwan). The vulnerability stems from lax checking of the type and number of arguments when the product accepts an externally supplied format string.
| VAR-201905-0767 | CVE-2018-15530 | Xerox ColorQube 8580 Vulnerable to cross-site scripting |
CVSS V2: 4.3 CVSS V3: 6.1 Severity: MEDIUM |
Cross-site scripting (XSS) in the web interface of the Xerox ColorQube 8580 allows remote persistent injection of custom HTML / JavaScript code. The Xerox ColorQube 8580 therefore contains a cross-site scripting vulnerability; information may be obtained or falsified. The Xerox ColorQube 8580 is a multi-function printer produced by Xerox (United States). The vulnerability stems from the web application not correctly validating client-supplied data. An attacker could exploit it to execute client-side code in a victim's browser.
| VAR-201905-1433 | No CVE | Four Faith Industrial Router Remote Command Execution Vulnerability |
CVSS V2: 8.5 CVSS V3: - Severity: HIGH |
FourFaith is a provider of IoT wireless communication products and solutions. The FourFaith industrial router has a remote command execution vulnerability: an attacker can exploit it through the web management interface to execute arbitrary commands with admin privileges.
| VAR-201905-1345 | No CVE | Century Star Menu.ocx Control Re *** Method Has Stack Overflow Vulnerability |
CVSS V2: 2.1 CVSS V3: - Severity: LOW |
Century Star is configuration (SCADA/HMI) software released by Beijing Century Changqiu Technology Co., Ltd. It is a real-time human-machine interface utility generator, composed of the CSMaker development system and the CSViewer runtime system.
The Re *** method of the Century Star Menu.ocx control has a stack overflow vulnerability. An attacker can lure a user who has the control installed into visiting a malicious web page, trigger the vulnerability, execute malicious code remotely on the user's system, and ultimately gain control of that system.
| VAR-201905-0842 | CVE-2018-4018 | Anker Roav A1 Dashcam Input validation vulnerability |
CVSS V2: 10.0 CVSS V3: 9.8 Severity: CRITICAL |
An exploitable firmware update vulnerability exists in the NT9665X Chipset firmware, running on Anker Roav A1 Dashcam version RoavA1SWV1.9. The HTTP server allows arbitrary firmware binaries to be uploaded, which will be flashed upon next reboot. An attacker can send an HTTP PUT request or an upgrade-firmware request to trigger this vulnerability. The Anker Roav A1 Dashcam therefore contains an input validation vulnerability; information may be obtained or altered, and the device may be put into a denial-of-service (DoS) state. The Novatek NT9665X is a chipset for camera equipment. The vulnerability stems from the product failing to properly validate input data, here an uploaded firmware image that is accepted without verification.
| VAR-201905-1161 | CVE-2018-19990 | D-Link DIR-822 Command injection vulnerability in devices |
CVSS V2: 10.0 CVSS V3: 9.8 Severity: CRITICAL |
In the /HNAP1/SetWiFiVerifyAlpha message, the WPSPIN parameter is vulnerable, and the vulnerability affects D-Link DIR-822 B1 202KRb06 devices. In the SetWiFiVerifyAlpha.php source code, the WPSPIN parameter is saved in the $rphyinf1."/media/wps/enrollee/pin", $rphyinf2."/media/wps/enrollee/pin" and $rphyinf3."/media/wps/enrollee/pin" internal configuration memory without any regex checking. In the do_wps function of the wps.php source code, the data in $rphyinf3."/media/wps/enrollee/pin" is then used with the wpatalk command, again without any regex checking. A malicious /HNAP1/SetWiFiVerifyAlpha XML message could therefore carry shell metacharacters in the WPSPIN element, such as the `telnetd` string. The D-Link DIR-822 contains a command injection vulnerability; information may be obtained or altered, and the device may be put into a denial-of-service (DoS) state. The D-Link DIR-822 is a wireless router produced by D-Link (Taiwan). The vulnerability stems from the product not correctly filtering special characters and commands when it constructs operating system commands from external input; an attacker can exploit it to execute arbitrary operating system commands.
| VAR-201905-0806 | CVE-2018-14714 | ASUS RT-AC3200 Command injection vulnerability |
CVSS V2: 10.0 CVSS V3: 9.8 Severity: CRITICAL |
System command injection in appGet.cgi on ASUS RT-AC3200 version 3.0.0.4.382.50010 allows attackers to execute system commands via the "load_script" URL parameter. The ASUS RT-AC3200 therefore contains a command injection vulnerability; information may be obtained or altered, and the device may be put into a denial-of-service (DoS) state. The ASUS RT-AC3200 is a wireless router manufactured by ASUS (Taiwan). The vulnerability stems from the product not correctly filtering special elements when it constructs executable commands from external input; an attacker can exploit it to execute arbitrary commands.
| VAR-201905-1160 | CVE-2018-19989 | D-Link DIR-822 Command injection vulnerability in devices |
CVSS V2: 10.0 CVSS V3: 9.8 Severity: CRITICAL |
In the /HNAP1/SetQoSSettings message, the uplink parameter is vulnerable, and the vulnerability affects D-Link DIR-822 Rev.B 202KRb06 and DIR-822 Rev.C 3.10B06 devices. In the SetQoSSettings.php source code, the uplink parameter is saved in the /bwc/entry:1/bandwidth and /bwc/entry:2/bandwidth internal configuration memory without any regex checking. In the bwc_tc_spq_start, bwc_tc_wfq_start, and bwc_tc_adb_start functions of the bwcsvcs.php source code, the data in /bwc/entry:1/bandwidth and /bwc/entry:2/bandwidth is then used with the tc command, again without any regex checking. A malicious /HNAP1/SetQoSSettings XML message could therefore carry shell metacharacters in the uplink element, such as the `telnetd` string. The D-Link DIR-822 contains a command injection vulnerability; information may be obtained or altered, and the device may be put into a denial-of-service (DoS) state. The D-Link DIR-822 is a wireless router produced by D-Link (Taiwan). The vulnerability stems from the product not correctly filtering special characters and commands when it constructs operating system commands from external input; an attacker can exploit it to execute arbitrary operating system commands.
| VAR-201905-1158 | CVE-2018-19987 | Multiple D-Link products Command injection vulnerability in devices |
CVSS V2: 10.0 CVSS V3: 9.8 Severity: CRITICAL |
D-Link DIR-822 Rev.B 202KRb06, DIR-822 Rev.C 3.10B06, DIR-860L Rev.B 2.03.B03, DIR-868L Rev.B 2.05B02, DIR-880L Rev.A 1.20B01_01_i3se_BETA, and DIR-890L Rev.A 1.21B02_BETA devices mishandle IsAccessPoint in /HNAP1/SetAccessPointMode. In the SetAccessPointMode.php source code, the IsAccessPoint parameter is written into the ShellPath script file without any regex checking; when that script file is executed, the command injection occurs. A malicious /HNAP1/SetAccessPointMode XML message could therefore carry shell metacharacters in the IsAccessPoint element, such as the `telnetd` string. These D-Link products contain a command injection vulnerability; information may be obtained or altered, and the device may be put into a denial-of-service (DoS) state. The D-Link DIR-822 and the other listed models are wireless routers produced by D-Link (Taiwan). The vulnerability stems from the product not correctly filtering special characters and commands when it constructs operating system commands from external input; an attacker can exploit it to execute arbitrary operating system commands. The following products and versions are affected: D-Link DIR-822 Rev.B 202KRb06; DIR-822 Rev.C 3.10B06; DIR-860L Rev.B 2.03.B03; DIR-868L Rev.B 2.05B02; DIR-880L Rev.A 1.20B01_01_i3se_BETA; DIR-890L Rev.A 1.21B02_BETA.
| VAR-201905-1157 | CVE-2018-19986 | DIR-818LW and DIR-822 Command injection vulnerability in devices |
CVSS V2: 10.0 CVSS V3: 9.8 Severity: CRITICAL |
In the /HNAP1/SetRouterSettings message, the RemotePort parameter is vulnerable, and the vulnerability affects D-Link DIR-818LW Rev.A 2.05.B03 and DIR-822 B1 202KRb06 devices. In the SetRouterSettings.php source code, the RemotePort parameter is saved in the $path_inf_wan1."/web" internal configuration memory without any regex checking. In the IPTWAN_build_command function of the iptwan.php source code, the data in $path_inf_wan1."/web" is then used with the iptables command, again without any regex checking. A malicious /HNAP1/SetRouterSettings XML message could therefore carry shell metacharacters in the RemotePort element, such as the `telnetd` string. The DIR-818LW and DIR-822 contain a command injection vulnerability; information may be obtained or altered, and the device may be put into a denial-of-service (DoS) state. The D-Link DIR-818LW and DIR-822 are wireless routers produced by D-Link (Taiwan). The vulnerability stems from the product not correctly filtering special characters and commands when it constructs operating system commands from external input; an attacker can exploit it to execute arbitrary operating system commands. The following products and versions are affected: D-Link DIR-818LW Rev.A 2.05.B03; DIR-822 B1 202KRb06.
| VAR-201905-1159 | CVE-2018-19988 | D-Link DIR-868L Command injection vulnerability in devices |
CVSS V2: 7.5 CVSS V3: 9.8 Severity: CRITICAL |
In the /HNAP1/SetClientInfoDemo message, the AudioMute and AudioEnable parameters are vulnerable, and the vulnerabilities affect D-Link DIR-868L Rev.B 2.05B02 devices. In the SetClientInfoDemo.php source code, the AudioMute and AudioEnable parameters are written into the ShellPath script file without any regex checking; when that script file is executed, the command injection occurs. Because the values land inside a quoted wget command option, the payload must first close that single quote. A malicious /HNAP1/SetClientInfoDemo XML message could therefore carry single quotes and backquotes in the AudioMute or AudioEnable element, such as the '`telnetd`' string. The D-Link DIR-868L contains a command injection vulnerability; information may be obtained or altered, and the device may be put into a denial-of-service (DoS) state. The D-Link DIR-868L is a wireless router made by D-Link (Taiwan). The vulnerability stems from the product not correctly filtering special characters and commands when it constructs operating system commands from external input; an attacker can exploit it to execute arbitrary operating system commands.
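The five D-Link HNAP entries above (CVE-2018-19986 through CVE-2018-19990) share one mechanism: an XML element value is stored in configuration memory without any regex check and later spliced into a shell command (iptables, tc, wpatalk, or a generated ShellPath script). The following Python is an added example, not D-Link's firmware code. It shows that unsafe pattern beside an allow-list validator for the named elements, and it generalizes the check to all five parameters rather than one. The SOAP envelope layout, the tc command line, the accepted value formats, and the SHELL_METACHARS set are assumptions made for the example; the sample messages are constructed, not captured traffic. Only the element names and the `telnetd` payload come from the entries themselves.

```python
"""Allow-list validation for HNAP element values (added example, not D-Link code)."""
import re
import xml.etree.ElementTree as ET

# One allow-list per HNAP element the advisories name. The accepted formats
# (4- or 8-digit WPS PIN, numeric bandwidth, TCP port, boolean) are assumed.
ALLOWED_FORMATS = {
    "WPSPIN":        re.compile(r"[0-9]{4}|[0-9]{8}"),
    "uplink":        re.compile(r"[0-9]{1,7}"),
    "RemotePort":    re.compile(r"[1-9][0-9]{0,4}"),
    "IsAccessPoint": re.compile(r"true|false"),
    "AudioMute":     re.compile(r"true|false"),
    "AudioEnable":   re.compile(r"true|false"),
}

# Characters that change meaning once a value is spliced into a shell line (assumed set).
SHELL_METACHARS = set("`$;&|<>'\"\\()\n")


def validate(name, value):
    """Return None when `value` is acceptable for element `name`, else the reason."""
    pattern = ALLOWED_FORMATS.get(name)
    if pattern is None:
        return "unknown element " + name
    if pattern.fullmatch(value) is None:
        bad = sorted(set(c for c in value if c in SHELL_METACHARS))
        if bad:
            return "shell metacharacters: " + "".join(bad)
        return "does not match allowed format"
    if name == "RemotePort" and not 1 <= int(value) <= 65535:
        return "port out of range"
    return None


def unsafe_build_tc(uplink):
    """The pattern the entries describe: a stored value concatenated into a shell command."""
    return "tc qdisc add dev eth0 root tbf rate " + uplink + "kbit burst 32kbit latency 400ms"


def safe_build_tc(uplink):
    """Validate first, then return an argv list for subprocess.run(argv) with no shell."""
    reason = validate("uplink", uplink)
    if reason is not None:
        raise ValueError("uplink rejected: " + reason)
    return ["tc", "qdisc", "add", "dev", "eth0", "root", "tbf",
            "rate", uplink + "kbit", "burst", "32kbit", "latency", "400ms"]


def check_hnap_body(body):
    """Parse a SOAP/HNAP request body; return {element: reason-or-None} for known elements."""
    root = ET.fromstring(body)
    verdicts = {}
    for element in root.iter():
        local_name = element.tag.rsplit("}", 1)[-1]     # strip the XML namespace
        if local_name in ALLOWED_FORMATS:
            verdicts[local_name] = validate(local_name, (element.text or "").strip())
    return verdicts


# Constructed sample messages; the envelope layout is assumed, not captured traffic.
SAMPLE_BENIGN = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <SetQoSSettings xmlns="http://purenetworks.com/HNAP1/">
      <uplink>1000</uplink>
    </SetQoSSettings>
  </soap:Body>
</soap:Envelope>"""

SAMPLE_INJECTED = SAMPLE_BENIGN.replace("<uplink>1000</uplink>", "<uplink>1000`telnetd`</uplink>")

if __name__ == "__main__":
    print(check_hnap_body(SAMPLE_BENIGN))      # {'uplink': None}
    print(check_hnap_body(SAMPLE_INJECTED))    # {'uplink': 'shell metacharacters: `'}
    print(unsafe_build_tc("1000`telnetd`"))    # the backticks reach the shell intact
    print(safe_build_tc("1000"))               # argv list, no shell involved
```

The allow-list is deliberately positive (what a value may look like) rather than a blocklist of characters; the metacharacter report exists only to explain a rejection. Passing an argv list to subprocess without a shell is the second half of the fix: even a value that slips past the regex cannot then spawn a command.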
| VAR-201905-0502 | CVE-2019-1649 | Cisco Trust Anchor module (TAm) improperly checks code and Cisco IOS XE web UI does not sanitize user input |
CVSS V2: 7.2 CVSS V3: 6.7 Severity: MEDIUM |
A vulnerability in the logic that handles access control to one of the hardware components in Cisco's proprietary Secure Boot implementation could allow an authenticated, local attacker to write a modified firmware image to the component. This vulnerability affects multiple Cisco products that support hardware-based Secure Boot functionality. The vulnerability is due to an improper check in the code that manages on-premise updates to a Field Programmable Gate Array (FPGA) that is part of the Secure Boot hardware implementation. An attacker with elevated privileges and access to the underlying operating system running on the affected device could exploit this vulnerability by writing a modified firmware image to the FPGA. A successful exploit could either cause the device to become unusable (and require a hardware replacement) or allow tampering with the Secure Boot verification process, which under some circumstances may allow the attacker to install and boot a malicious software image. An attacker must fulfill all of the following conditions to attempt to exploit this vulnerability: (1) have privileged administrative access to the device; (2) be able to access the underlying operating system running on the device, either through a supported, documented mechanism or by exploiting another vulnerability that provides such access; (3) develop or have access to a platform-specific exploit. An attacker attempting to exploit this vulnerability across multiple affected platforms would need to research each of those platforms and develop a platform-specific exploit for each; although the research could be reused, an exploit developed for one hardware platform is unlikely to work on a different one. In short, Cisco's Trust Anchor module (TAm) can be bypassed by manipulating the bitstream of the FPGA.
Additionally, and as a separate issue, the Cisco IOS XE web UI improperly sanitizes user input and could allow an authenticated, remote attacker to execute commands as root on the vulnerable device.
A local attacker can leverage the TAm issue to bypass certain security restrictions and perform unauthorized actions, which may lead to further attacks.
This issue is being tracked by Cisco Bug IDs CSCvn77141, CSCvn77142, CSCvn77143, CSCvn77147, CSCvn77150, CSCvn77151, CSCvn77152, CSCvn77153, CSCvn77154, CSCvn77155, CSCvn77156, CSCvn77158, CSCvn77159, CSCvn77160, CSCvn77162, CSCvn77166, CSCvn77167, CSCvn77168, CSCvn77169, CSCvn77170, CSCvn77171, CSCvn77172, CSCvn77175, CSCvn77180, CSCvn77181, CSCvn77182, CSCvn77183, CSCvn77184, CSCvn77185, CSCvn77191, CSCvn77201, CSCvn77202, CSCvn77205, CSCvn77207, CSCvn77209, CSCvn77212, CSCvn77219, CSCvn77220, CSCvn77245, CSCvn77246, CSCvn77248, CSCvn77249, CSCvn89137, CSCvn89138, CSCvn89140, CSCvn89143, CSCvn89144, CSCvn89145, CSCvn89146, CSCvn89150, and CSCvp42792. The vulnerability stems from the product not properly restricting access to the FPGA update path from unauthorized roles.