VARIoT IoT vulnerabilities database


VAR-201905-0851 CVE-2018-4061 Sierra Wireless AirLink ES450 Operating System Command Injection Vulnerability

Related entries in the VARIoT exploits database: VAR-E-201904-0009
CVSS V2: 9.0
CVSS V3: 8.8
Severity: HIGH
An exploitable command injection vulnerability exists in the ACEManager iplogging.cgi functionality of Sierra Wireless AirLink ES450 FW 4.9.3. A specially crafted HTTP request can inject arbitrary commands, resulting in arbitrary command execution. An attacker can send an authenticated HTTP request to trigger this vulnerability. The Sierra Wireless AirLink ES450 is a cellular network modem device from Sierra Wireless, Canada. This vulnerability is caused by executable commands being constructed from external input data whose special elements the network system or product does not properly filter. An attacker could exploit the vulnerability to execute an illegal command. The device is reported to be prone to multiple issues:
1. A command-injection vulnerability
2. A security-bypass vulnerability
3. A remote code-execution vulnerability
4. A cross-site scripting vulnerability
5. A cross-site request-forgery vulnerability
6. Multiple information disclosure vulnerabilities
An attacker may leverage these issues to execute arbitrary script code in the browser of the victim in the context of the affected site, steal cookie-based authentication credentials, gain access to sensitive information, perform certain administrative actions and gain unauthorized access to the affected application, execute arbitrary code, and execute arbitrary commands with system-level privileges. This may aid in further attacks.
VAR-201905-0862 CVE-2018-4073 Sierra Wireless AirLink ES450 Firmware vulnerabilities related to authorization, authority, and access control
CVSS V2: 6.5
CVSS V3: 8.8
Severity: HIGH
An exploitable Permission Assignment vulnerability exists in the ACEManager EmbeddedAceSet_Task.cgi functionality of Sierra Wireless AirLink ES450 FW 4.9.3. The endpoint /cgi-bin/Embeded_Ace_TLSet_Task.cgi is a very similar endpoint, designed for setting table values, that can cause arbitrary setting writes, resulting in unverified changes to any system setting. An attacker can make an authenticated HTTP request, or run the binary as any user, to trigger this vulnerability. Sierra Wireless AirLink ES450 Firmware contains vulnerabilities related to authorization, permissions, and access control. Information may be obtained or altered, and service operation may be disrupted (DoS). Sierra Wireless AirLink ES450 is a cellular network modem device from Sierra Wireless, Canada. An attacker could exploit this vulnerability by sending specially crafted HTTP requests to change other users' passwords, enable or disable services, and change arbitrary configuration settings.
VAR-201905-0861 CVE-2018-4072 Sierra Wireless AirLink ES450 Firmware vulnerabilities related to authorization, authority, and access control
CVSS V2: 6.5
CVSS V3: 8.8
Severity: HIGH
An exploitable Permission Assignment vulnerability exists in the ACEManager EmbeddedAceSet_Task.cgi functionality of Sierra Wireless AirLink ES450 FW 4.9.3. The EmbeddedAceSet_Task.cgi executable is used to change MSCII configuration values within the configuration manager of the AirLink ES450. This binary does not have any restricted configuration settings, so once the MSCIID is discovered, any authenticated user can send configuration changes using the /cgi-bin/Embedded_Ace_Set_Task.cgi endpoint. Sierra Wireless AirLink ES450 Firmware contains vulnerabilities related to authorization, permissions, and access control. Information may be obtained or altered, and service operation may be disrupted (DoS). The Sierra Wireless AirLink ES450 is a cellular network modem device from Sierra Wireless, Canada. A security vulnerability exists in the ACEManager EmbeddedAceSet_Task.cgi feature in the Sierra Wireless AirLink ES450 using firmware version 4.9.3. An attacker could exploit the vulnerability by sending a specially crafted HTTP request to change other users' passwords, enable or disable services, and change any configuration settings.
VAR-201905-0857 CVE-2018-4068 Sierra Wireless AirLink ES450 Information disclosure vulnerability in firmware
CVSS V2: 5.0
CVSS V3: 5.3
Severity: MEDIUM
An exploitable information disclosure vulnerability exists in the ACEManager functionality of Sierra Wireless AirLink ES450 FW 4.9.3. An HTTP request can result in disclosure of the default configuration for the device. An attacker can send an unauthenticated HTTP request to trigger this vulnerability. The Sierra Wireless AirLink ES450 is a cellular network modem device from Sierra Wireless, Canada. Unauthorized attackers can exploit the vulnerability to obtain sensitive information about the affected component. This vulnerability stems from configuration errors in network systems or products during operation.
VAR-201905-0858 CVE-2018-4069 Sierra Wireless AirLink ES450 Information Disclosure Vulnerability

Related entries in the VARIoT exploits database: VAR-E-201904-0009
CVSS V2: 5.0
CVSS V3: 7.5
Severity: HIGH
An information disclosure vulnerability exists in the ACEManager authentication functionality of Sierra Wireless AirLink ES450 FW 4.9.3. The ACEManager authentication functionality is done in plaintext XML to the web server. An attacker can listen to network traffic upstream from the device to capitalize on this vulnerability. The Sierra Wireless AirLink ES450 is a cellular network modem device from Sierra Wireless, Canada. The device is reported to be prone to multiple issues:
1. A command-injection vulnerability
2. A security-bypass vulnerability
3. A remote code-execution vulnerability
4. A cross-site scripting vulnerability
5. A cross-site request-forgery vulnerability
6. Multiple information disclosure vulnerabilities
An attacker may leverage these issues to execute arbitrary script code in the browser of the victim in the context of the affected site, steal cookie-based authentication credentials, gain access to sensitive information, perform certain administrative actions and gain unauthorized access to the affected application, execute arbitrary code, and execute arbitrary commands with system-level privileges. This may aid in further attacks.
VAR-201910-1514 CVE-2018-4064 Sierra Wireless AirLink ES450 FW Authentication vulnerability

Related entries in the VARIoT exploits database: VAR-E-201904-0010
CVSS V2: 5.5
CVSS V3: 7.1
Severity: HIGH
An exploitable unverified password change vulnerability exists in the ACEManager upload.cgi functionality of Sierra Wireless AirLink ES450 FW 4.9.3. A specially crafted HTTP request can cause an unverified device configuration change, resulting in an unverified change of the user password on the device. An attacker can make an authenticated HTTP request to trigger this vulnerability. The Sierra Wireless AirLink ES450 is a cellular network modem device from Sierra Wireless, Canada. An unauthorized password modification vulnerability exists in the ACEManager upload.cgi feature in the Sierra Wireless AirLink ES450 using version 4.9.3 of the firmware.
VAR-201904-0976 CVE-2018-19442 Neato Botvac Connected Buffer error vulnerability
CVSS V2: 10.0
CVSS V3: 9.8
Severity: CRITICAL
A Buffer Overflow in Network::AuthenticationClient::VerifySignature in /bin/astro in Neato Botvac Connected 2.2.0 allows a remote attacker to execute arbitrary code with root privileges via a crafted POST request to a vendors/neato/robots/[robot_serial]/messages Neato cloud URI on the nucleo.neatocloud.com web site (port 4443). Neato Botvac Connected contains a buffer error vulnerability. Information may be obtained or altered, and service operation may be disrupted (DoS). Neato Robotics Neato Botvac Connected is a cleaning robot from Neato Robotics in the United States. The 'Network::AuthenticationClient::VerifySignature' function of Neato Robotics Neato Botvac Connected 2.2.0 has a buffer overflow vulnerability. The vulnerability stems from improper validation of data boundaries during memory operations, resulting in erroneous reads and writes to other associated memory locations. Attackers can exploit this vulnerability to cause a buffer overflow or heap overflow, etc.
VAR-201904-0566 CVE-2018-14993 ASUS Zenfone V Live Android Command injection vulnerability in devices
CVSS V2: 7.2
CVSS V3: 7.8
Severity: HIGH
The ASUS Zenfone V Live Android device with a build fingerprint of asus/VZW_ASUS_A009/ASUS_A009:7.1.1/NMF26F/14.0610.1802.78-20180313:user/release-keys and the Asus ZenFone 3 Max Android device with a build fingerprint of asus/US_Phone/ASUS_X008_1:7.0/NRD90M/US_Phone-14.14.1711.92-20171208:user/release-keys both contain a pre-installed platform app with a package name of com.asus.splendidcommandagent (versionCode=1510200090, versionName=1.2.0.18_160928) that contains an exported service named com.asus.splendidcommandagent.SplendidCommandAgentService that allows any app co-located on the device to supply arbitrary commands to be executed as the system user. This app cannot be disabled by the user and the attack can be performed by a zero-permission app. Executing commands as the system user can allow a third-party app to video record the user's screen, factory reset the device, obtain the user's notifications, read the logcat logs, inject events in the Graphical User Interface (GUI), change the default Input Method Editor (IME) (e.g., keyboard) to one contained within the attacking app that contains keylogging functionality, obtain the user's text messages, and more. ASUS Zenfone V Live and Asus ZenFone 3 Max are both smartphones based on the Android platform from the Taiwanese company ASUS. ASUS Zenfone V Live (build fingerprint asus/VZW_ASUS_A009/ASUS_A009:7.1.1/NMF26F/14.0610.1802.78-20180313:user/release-keys) and Asus ZenFone 3 Max (build fingerprint asus/US_Phone/ASUS_X008_1:7.0/NRD90M/US_Phone-14.14.1711.92-20171208:user/release-keys) have a security vulnerability in the com.asus.splendidcommandagent package (versionCode=1510200090, versionName=1.2.0.18_160928).
VAR-201904-0573 CVE-2018-14980 ASUS Asus ZenFone 3 Max command injection vulnerability
CVSS V2: 3.6
CVSS V3: 7.1
Severity: HIGH
The ASUS ZenFone 3 Max Android device with a build fingerprint of asus/US_Phone/ASUS_X008_1:7.0/NRD90M/US_Phone-14.14.1711.92-20171208:user/release-keys contains the android framework (i.e., system_server) with a package name of android (versionCode=24, versionName=7.0) that has been modified by ASUS or another entity in the supply chain. The system_server process in the core android package has an exported broadcast receiver that allows any app co-located on the device to programmatically initiate the taking of a screenshot and have the resulting screenshot be written to external storage (i.e., sdcard). The taking of a screenshot is not transparent to the user; the device has a screen animation as the screenshot is taken and there is a notification indicating that a screenshot occurred. If the attacking app also requests the EXPAND_STATUS_BAR permission, it can wake the device up using certain techniques and expand the status bar to take a screenshot of the user's notifications even if the device has an active screen lock. The notifications may contain sensitive data such as text messages used in two-factor authentication. The system_server process that provides this capability cannot be disabled, as it is part of the Android framework. The notification can be removed by a local Denial of Service (DoS) attack to reboot the device. ASUS Asus ZenFone 3 Max is a smartphone based on the Android platform from the Taiwanese company ASUS. The ASUS ZenFone 3 Max (build fingerprint asus/US_Phone/ASUS_X008_1:7.0/NRD90M/US_Phone-14.14.1711.92-20171208:user/release-keys) has a security vulnerability. Attackers can use this vulnerability to take screenshots, obtain information, or remove notifications.
VAR-201904-0690 CVE-2018-14559 Multiple Tenda products Buffer error vulnerability in firmware
CVSS V2: 7.8
CVSS V3: 7.5
Severity: HIGH
An issue was discovered on Tenda AC7 devices with firmware through V15.03.06.44_CN(AC7), AC9 devices with firmware through V15.03.05.19(6318)_CN(AC9), and AC10 devices with firmware through V15.03.06.23_CN(AC10). A buffer overflow vulnerability exists in the router's web server (httpd). When processing the list parameters for a POST request, the value is directly written with sprintf to a local variable placed on the stack, which overrides the return address of the function, causing a buffer overflow. Tenda AC7, AC9, and AC10 firmware contains a buffer error vulnerability. Service operation may be disrupted (DoS). Tenda AC7 and the others are all wireless routers from China's Tenda. This vulnerability originates from a network system or product that incorrectly validates data boundaries when performing operations on memory, causing incorrect read and write operations on other associated memory locations.
VAR-201904-0309 CVE-2019-3721 Dell EMC Open Manage System Administrator Vulnerable to resource exhaustion
CVSS V2: 7.8
CVSS V3: 7.5
Severity: HIGH
Dell EMC Open Manage System Administrator (OMSA) versions prior to 9.3.0 contain an Improper Range Header Processing Vulnerability. A remote unauthenticated attacker may send crafted requests with overlapping ranges to cause the application to compress each of the requested bytes, resulting in a crash due to excessive memory consumption and preventing users from accessing the system. Remote attackers may use a specially crafted request with directory-traversal sequences ('../') to retrieve arbitrary files from the affected system in the context of the application and cause a denial-of-service condition. OMSA supports online diagnosis, system operation detection, equipment management, etc.
VAR-201904-0308 CVE-2019-3720 Dell EMC Open Manage System Administrator Path traversal vulnerability
CVSS V2: 4.0
CVSS V3: 4.9
Severity: MEDIUM
Dell EMC Open Manage System Administrator (OMSA) versions prior to 9.3.0 contain a Directory Traversal Vulnerability. A remote authenticated malicious user with admin privileges could potentially exploit this vulnerability to gain unauthorized access to the file system by exploiting insufficient sanitization of input parameters. Remote attackers may use a specially crafted request with directory-traversal sequences ('../') to retrieve arbitrary files from the affected system in the context of the application and cause a denial-of-service condition. OMSA supports online diagnosis, system operation detection, equipment management, etc. The vulnerability stems from a network system or product that fails to properly filter resources or special elements in file paths. An attacker could exploit this vulnerability to access locations outside of restricted directories.
VAR-201904-1023 CVE-2019-10955 Multiple Rockwell Automation products Open redirect vulnerability
CVSS V2: 5.8
CVSS V3: 6.1
Severity: MEDIUM
In Rockwell Automation MicroLogix 1400 Controllers Series A, All Versions, Series B, v15.002 and earlier, MicroLogix 1100 Controllers v14.00 and earlier, CompactLogix 5370 L1 controllers v30.014 and earlier, CompactLogix 5370 L2 controllers v30.014 and earlier, and CompactLogix 5370 L3 controllers (includes CompactLogix GuardLogix controllers) v30.014 and earlier, an open redirect vulnerability could allow a remote unauthenticated attacker to input a malicious link to redirect users to a malicious site that could run or download arbitrary malware on the user's machine. Multiple Rockwell Automation products contain an open redirect vulnerability. Information may be obtained or altered. Rockwell Automation MicroLogix 1400 Controllers Series A and the other listed products are programmable logic controllers from Rockwell Automation. An input validation error vulnerability exists in several Rockwell Automation products; it originates from a network system or product that does not properly validate input data. An attacker exploiting the vulnerability can build a crafted URI and entice a user to follow it. When a victim follows the link, they may be redirected to an attacker-controlled site, which aids phishing attacks. Other attacks are possible.
VAR-201904-1127 CVE-2019-10710 Hisilicon Hi3510 Permission vulnerability in firmware
CVSS V2: 4.0
CVSS V3: 8.8
Severity: HIGH
Insecure permissions in the Web management portal on all IP cameras based on Hisilicon Hi3510 firmware allow authenticated attackers to receive a network's cleartext WiFi credentials via a specific HTTP request. This affects certain devices labeled as HI3510, HI3518, LOOSAFE, LEVCOECAM, Sywstoda, BESDER, WUSONGLUSAN, GADINAN, Unitoptek, ESCAM, etc. Hisilicon Hi3510 firmware contains a permission vulnerability. Information may be obtained or altered, and service operation may be disrupted (DoS). Hisilicon Hi3510 is firmware used in IP cameras from Hisilicon, China. There is a security vulnerability in the web management portal of the Hisilicon Hi3510 firmware. Attackers can use HTTP requests to exploit this vulnerability and obtain WiFi network passwords in clear text. The following manufacturers are affected: LOOSAFE; LEVCOECAM; Sywstoda; BESDER; WUSONGLUSAN; GADINAN;
VAR-201904-0641 CVE-2018-17169 PrinterOn XML external entity vulnerability
CVSS V2: 4.0
CVSS V3: 7.7
Severity: HIGH
An XML external entity (XXE) vulnerability in PrinterOn version 4.1.4 and lower allows remote authenticated users to read arbitrary files or conduct server-side request forgery (SSRF) attacks via a crafted DTD in an XML request. PrinterOn contains an XML external entity vulnerability. Information may be obtained.
VAR-201904-1101 CVE-2019-10688 UCS Software and Better Together over Ethernet Connector Vulnerabilities related to the use of hard-coded credentials
CVSS V2: 4.6
CVSS V3: 6.8
Severity: MEDIUM
VVX products with software versions including and prior to UCS 5.9.2 with Better Together over Ethernet Connector (BToE) application 3.9.1 use hard-coded credentials to establish connections between the host application and the device. Polycom UC Software is prone to a local information-disclosure vulnerability. Local attackers can exploit this issue to gain sensitive information from the affected application.
VAR-201904-1020 CVE-2019-10950 Multiple Fujifilm products Authentication vulnerability
CVSS V2: 10.0
CVSS V3: 9.8
Severity: CRITICAL
Fujifilm FCR Capsula X/ Carbon X/ FCR XC-2, model versions CR-IR 357 FCR Carbon X, CR-IR 357 FCR XC-2, FCR-IR 357 FCR Capsula X provide insecure telnet services that lack authentication requirements. An attacker who successfully exploits this vulnerability may be able to access the underlying operating system. Fujifilm CR-IR 357 FCR Carbon X and the others are all medical radiography image reading devices from Fujifilm Corporation of Japan. Fujifilm FCR Capsula X/Carbon X are prone to a denial-of-service vulnerability and an access-bypass vulnerability. An attacker can exploit these issues to bypass certain security restrictions and perform unauthorized actions or cause a denial-of-service condition. This vulnerability stems from the lack of authentication measures or insufficient authentication strength in network systems or products.
VAR-201904-1018 CVE-2019-10948 Multiple Fujifilm products Resource exhaustion vulnerability
CVSS V2: 7.8
CVSS V3: 7.5
Severity: HIGH
Fujifilm FCR Capsula X/ Carbon X/ FCR XC-2, model versions CR-IR 357 FCR Carbon X, CR-IR 357 FCR XC-2, FCR-IR 357 FCR Capsula X are susceptible to a denial-of-service condition as a result of an overflow of TCP packets, which requires the device to be manually rebooted. Fujifilm CR-IR 357 FCR Carbon X and the others are all medical radiography image reading devices from Fujifilm Corporation of Japan. A resource management error vulnerability exists in Fujifilm CR-IR 357 FCR Carbon X, FCR XC-2, and FCR Capsula X that could be exploited by an attacker to cause a denial of service. Fujifilm FCR Capsula X/Carbon X are prone to a denial-of-service vulnerability and an access-bypass vulnerability. An attacker can exploit these issues to bypass certain security restrictions and perform unauthorized actions or cause a denial-of-service condition. This vulnerability stems from improper management of system resources (such as memory, disk space, files, etc.) by network systems or products.
VAR-201904-0615 CVE-2018-1360 Fortinet FortiManager Vulnerable to information disclosure
CVSS V2: 4.3
CVSS V3: 8.1
Severity: HIGH
A cleartext transmission of sensitive information vulnerability in Fortinet FortiManager 5.2.0 through 5.2.7, 5.4.0 and 5.4.1 may allow an unauthenticated attacker in a man-in-the-middle position to retrieve the admin password by intercepting REST API JSON responses. Fortinet FortiManager contains an information disclosure vulnerability. Information may be obtained or altered, and service operation may be disrupted (DoS). Fortinet FortiManager is prone to an information-disclosure vulnerability. Attackers can exploit this issue to obtain sensitive information that may aid in further attacks. Fortinet FortiManager versions 5.2.0 through 5.2.7, 5.4.0 and 5.4.1 are vulnerable. Fortinet FortiManager is a centralized network security management platform developed by Fortinet. The platform supports centralized management of any number of Fortinet devices, and can group devices into different administrative domains (ADOMs) to further simplify multi-device security deployment and management.
VAR-201904-1316 CVE-2018-20818 OpenPLC Buffer Overflow Vulnerability
CVSS V2: 7.5
CVSS V3: 9.8
Severity: CRITICAL
A buffer overflow vulnerability was discovered in the OpenPLC controller, in the OpenPLC_v2 and OpenPLC_v3 versions. It occurs in the modbus.cpp mapUnusedIO() function, which can cause a runtime crash of the PLC or possibly have unspecified other impact. OpenPLC_v2 and OpenPLC_v3 contain a buffer error vulnerability. Information may be obtained or altered, and service operation may be disrupted (DoS). OpenPLC is an open source programmable logic controller. The vulnerability stems from a network system or product that does not properly validate data boundaries when performing operations on memory, causing erroneous read and write operations to be performed on other associated memory locations.