VARIoT IoT vulnerabilities database


VAR-201903-0217 CVE-2019-9725 Cross-site scripting vulnerability in the Web manager running on Korenix JetPort 5601 and 5601f devices CVSS V2: 4.3
CVSS V3: 6.1
Severity: MEDIUM
The Web manager (aka Commander) on Korenix JetPort 5601 and 5601f devices has Persistent XSS via the Port Alias field under Serial Setting. The web management page in Korenix JetPort 5601 and 5601f has a cross-site scripting vulnerability.
VAR-201903-0190 CVE-2019-6597 Command injection vulnerability in multiple F5 products CVSS V2: 6.5
CVSS V3: 7.2
Severity: HIGH
In BIG-IP 13.0.0-13.1.1.1, 12.1.0-12.1.3.7, 11.6.1-11.6.3.2, or 11.5.1-11.5.8 or Enterprise Manager 3.1.1, when authenticated administrative users run commands in the Traffic Management User Interface (TMUI), also referred to as the BIG-IP Configuration utility, restrictions on allowed commands may not be enforced. Multiple F5 products contain a command injection vulnerability. Information may be obtained or altered, and service operation may be disrupted (DoS). F5 BIG-IP is an application delivery platform from the US company F5 that integrates network traffic management, application security management, load balancing and other functions. A command injection vulnerability exists in the traffic management user interface in F5 BIG-IP. A remote attacker could exploit this vulnerability to elevate privileges. The following products and versions are affected: F5 BIG-IP version 13.0.0 to 13.1.1.1, 12.1.0 to 12.1.3.7, 11.6.1 to 11.6.3.2, 11.5.1 to 11.5.8; Enterprise Manager version 3.1.1.
VAR-201903-0194 CVE-2019-6601 BIG-IP Application Acceleration Manager Permissions vulnerability CVSS V2: 2.1
CVSS V3: 5.5
Severity: MEDIUM
In BIG-IP 13.0.0, 12.1.0-12.1.3.7, 11.6.1-11.6.3.2, or 11.5.1-11.5.8, the Application Acceleration Manager (AAM) wamd process used in processing of images and PDFs fails to drop group permissions when executing helper scripts. BIG-IP Application Acceleration Manager (AAM) contains a permission vulnerability. Information may be obtained. F5 BIG-IP AAM is prone to a local information-disclosure vulnerability. Local attackers can exploit this issue to obtain sensitive information. Information obtained may lead to further attacks. F5 BIG-IP is an application delivery platform from the US company F5 that integrates network traffic management, application security management, load balancing and other functions. The following versions are affected: F5 BIG-IP version 13.0.0, version 12.1.0 to version 12.1.3.7, version 11.6.1 to version 11.6.3.2, version 11.5.1 to version 11.5.8.
VAR-201903-0192 CVE-2019-6599 Cross-site scripting vulnerability in BIG-IP CVSS V2: 4.3
CVSS V3: 6.1
Severity: MEDIUM
In BIG-IP 11.6.1-11.6.3.2 or 11.5.1-11.5.8, or Enterprise Manager 3.1.1, improper escaping of values in an undisclosed page of the configuration utility may result with an improper handling on the JSON response when it is injected by a malicious script via a remote cross-site scripting (XSS) attack. BIG-IP contains a cross-site scripting vulnerability. Information may be obtained and information may be altered. F5 BIG-IP APM and Enterprise Manager are prone to a cross-site scripting vulnerability because they fail to sufficiently sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks. The following F5 BIG-IP products are vulnerable: F5 BIG-IP APM versions 11.6.1 through 11.6.3 and 11.5.1 through 11.5.8; F5 BIG-IP Enterprise Manager version 3.1.1. F5 BIG-IP is an application delivery platform from the US company F5 that integrates network traffic management, application security management, load balancing and other functions. A remote attacker could exploit this vulnerability to make the content of the affected page inaccessible or to damage the content.
VAR-201903-0189 CVE-2019-6596 Input validation vulnerability in BIG-IP APM CVSS V2: 5.0
CVSS V3: 7.5
Severity: HIGH
In BIG-IP 14.0.0-14.0.0.2, 13.0.0-13.1.1.1, 12.1.0-12.1.3.6, 11.6.1-11.6.3.2, or 11.5.1-11.5.8, when processing fragmented ClientHello messages in a DTLS session, TMM may corrupt memory, eventually leading to a crash. Only systems offering DTLS connections via APM are impacted. BIG-IP APM contains an input validation vulnerability. Service operation may be interrupted (DoS). F5 BIG-IP APM is prone to a denial-of-service vulnerability. Attackers can exploit this issue to crash the application, resulting in a denial-of-service condition.
VAR-201903-0288 CVE-2019-9659 Input validation vulnerability in multiple Chuango products CVSS V2: 6.4
CVSS V3: 9.1
Severity: CRITICAL
The Chuango 433 MHz burglar-alarm product line uses static codes in the RF remote control, allowing an attacker to arm, disarm, or trigger the alarm remotely via replay attacks, as demonstrated by Chuango branded products, and non-Chuango branded products such as the Eminent EM8617 OV2 Wifi Alarm System. Multiple Chuango products contain an input validation vulnerability. Information may be tampered with and service operation may be disrupted (DoS). Chuango Wifi Alarm System and the other listed products are security alarm systems from the Chinese company Chuango. There is a security vulnerability in the 433 MHz RF interface in several Chuango products, which is caused by the use of static codes in the program. An attacker could exploit this vulnerability to trigger an alarm or cause other harm. The following products are affected: Chuango Wifi Alarm System (all versions); Wifi/Cellular Smart Home System H4 Plus (all versions); Wifi Alarm System AWV Plus (all versions); G5W 3G (all versions); GSM/SMS/RFID Touch Alarm System G5 Plus (all versions); GSM/SMS Alarm System G3 (all versions); G5W (all versions); Dual-Network Alarm System B11 (all versions); PSTN Alarm System A8 (all versions); PSTN/LCD/RFID Touch Alarm System A11 (all versions); CG-105S On-Site Alarm System (all versions).
VAR-201903-1736 No CVE Command execution vulnerability in dd ***. Cgi file in Bell Light Cat background CVSS V2: 7.1
CVSS V3: -
Severity: HIGH
Shanghai Nokia Bell Co., Ltd. is a company that provides end-to-end information and communication solutions and high-quality services for operator and non-operator customers. There is a command execution vulnerability in the dd ***. Cgi file in the Bell Light Cat background. Attackers can use this vulnerability to execute arbitrary commands.
VAR-201903-1733 No CVE Yushi network camera denial of service vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Yushi Network Camera IPC232S-IR3-HF40-C-DT is a network camera produced by Zhejiang Yushi Technology Co., Ltd. The Yushi network camera IPC232S-IR3-HF40-C-DT has a denial of service vulnerability. An attacker can send the device a signaling protocol message with a variation of the authentication message, causing device downtime.
VAR-201903-1775 No CVE (0Day) Advantech WebAccess Node Product Installation File Access Control Modification Privilege Escalation Vulnerability CVSS V2: -
CVSS V3: 7.8
Severity: HIGH
This vulnerability allows local attackers to escalate privileges on vulnerable installations of Advantech WebAccess Node. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the access control that is set and modified during the installation of the product. The product installation weakens existing access control restrictions of current system files, then sets weak access control restrictions on new files. An attacker can leverage this vulnerability to escalate privileges to the level of an administrator.
VAR-201903-1633 No CVE Kodak video conference terminal console stores the password in plaintext in a cookie CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
The Kodak video conference terminal console stores the password in plaintext in a cookie. An attacker who intercepts the cookie can obtain the right to use the system.
VAR-201903-1634 No CVE Kodak video conference terminal console has user name leak vulnerability CVSS V2: 3.3
CVSS V3: -
Severity: LOW
The Kodak video conference terminal console has a user name leakage vulnerability, which allows a valid login user name to be obtained illegally.
VAR-201903-1646 No CVE ZTE Video Conference MCU device has a reflected XSS vulnerability CVSS V2: 4.3
CVSS V3: -
Severity: MEDIUM
The ZTE Video Conference MCU device has a reflected XSS vulnerability. Attackers can use this vulnerability to obtain HttpOnly Protect the integrity of the web page Cookie information.
VAR-201903-1647 No CVE Kodak Video Cloud MCU device has a weak password CVSS V2: 7.1
CVSS V3: -
Severity: HIGH
A weak password exists on the Kodak Video Cloud MCU device, allowing login with the initial password.
VAR-201903-1645 No CVE Kodak Video Cloud MCU Device has a cross-site request forgery vulnerability CVSS V2: 8.8
CVSS V3: -
Severity: HIGH
The Kodak Video Cloud MCU device has a cross-site request forgery vulnerability. The venue management and end conference functions have CSRF vulnerabilities, which an attacker could exploit to carry out a CSRF attack.
VAR-201903-1644 No CVE Kodak Video Cloud MCU device has a SQL injection vulnerability CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
The search function of the Kodak Video Cloud MCU device has a SQL injection vulnerability. It allows an attacker to compromise the application, access or modify data, or exploit potential vulnerabilities in the underlying database.
VAR-201903-1643 No CVE ZTE Video Conference MCU device has an XML file information disclosure vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
The ZTE Video Conference MCU device has an XML file information disclosure vulnerability. In multiple configuration files (config.xml or udt-application-context.xml), database connection information stored in plain text can be found.
VAR-201903-1640 No CVE ZTE video conference terminal has a weak password CVSS V2: 7.1
CVSS V3: -
Severity: HIGH
The ZTE video conference terminal has a weak password, allowing login with the initial password.
VAR-201903-1641 No CVE ZTE Video Conference MCU device has a weak password CVSS V2: 7.1
CVSS V3: -
Severity: HIGH
The ZTE Video Conference MCU device has a weak password, allowing login with the initial password.
VAR-201903-1648 No CVE Kodak Video Cloud MCU device has an unauthorized access vulnerability CVSS V2: 3.3
CVSS V3: -
Severity: LOW
The Kodak Video Cloud MCU device has an unauthorized access vulnerability. The graphite system can be accessed without login.
VAR-201903-1649 No CVE Kodak Video Cloud MCU device has a stored XSS vulnerability CVSS V2: 4.3
CVSS V3: -
Severity: MEDIUM
The Kodak Video Cloud MCU device has a stored XSS vulnerability, a stored XSS vulnerability in the personal settings.