VARIoT IoT vulnerabilities database

In BIG-IP 11.6.1-11.6.3.2 or 11.5.1-11.5.8, or Enterprise Manager 3.1.1, improper escaping of values in an undisclosed page of the configuration utility may result with an improper handling on the JSON response when it is injected by a malicious script via a remote cross-site scripting (XSS) attack. BIG-IP Contains a cross-site scripting vulnerability.Information may be obtained and information may be altered. F5 BIG-IP APM and Enterprise Manager are prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks. The following products of F5 BIG-IP are vulnerable: F5 BIG-IP APM versions 11.6.1 through 11.6.3 and 11.5.1 through 11.5.8 are vulnerable. F5 BIG-IP Enterprise Manager version 3.1.1 is vulnerable. F5 BIG-IP is an application delivery platform integrated with network traffic management, application security management, load balancing and other functions of the US company F5. escape. A remote attacker could exploit this vulnerability to make the content of the affected page inaccessible or to damage the content

In BIG-IP 14.0.0-14.0.0.2, 13.0.0-13.1.1.1, 12.1.0-12.1.3.6, 11.6.1-11.6.3.2, or 11.5.1-11.5.8, when processing fragmented ClientHello messages in a DTLS session TMM may corrupt memory eventually leading to a crash. Only systems offering DTLS connections via APM are impacted. BIG-IP APM Contains an input validation vulnerability.Service operation interruption (DoS) There is a possibility of being put into a state. F5 BIG-IP APM is prone to a denial-of-service vulnerability. Attackers can exploit this issue to crash the application, resulting in a denial-of-service condition

The Chuango 433 MHz burglar-alarm product line uses static codes in the RF remote control, allowing an attacker to arm, disarm, or trigger the alarm remotely via replay attacks, as demonstrated by Chuango branded products, and non-Chuango branded products such as the Eminent EM8617 OV2 Wifi Alarm System. plural Chuango The product contains an input validation vulnerability.Tampering with information and disrupting service operations (DoS) There is a possibility of being put into a state. Chuango Wifi Alarm System, etc. are a set of security alarm systems of China Chuango Company. There is a security vulnerability in the 433MHz RF interface in several Chuango products, which is caused by the use of static code in the program. An attacker could exploit this vulnerability to trigger an alarm or cause other harm. The following products are affected: Chuango Wifi Alarm System (all versions); Wifi/Cellular Smart Home System H4 Plus (all versions); Wifi Alarm System AWV Plus (all versions); G5W 3G (all versions); GSM/SMS/RFID Touch Alarm System G5 Plus (all versions); GSM/SMS Alarm System G3 (all versions); G5W (all versions); Dual-Network Alarm System B11 (all versions); PSTN Alarm System A8 (all versions); PSTN/LCD/ RFID Touch Alarm System A11 (all versions); CG-105S On-Site Alarm System (all versions)

Shanghai Nokia Bell Co., Ltd. is a company that provides end-to-end information and communication solutions and high-quality services for operator and non-operator customers There is a command execution vulnerability in the dd ***. Cgi file in the Bell Light Cat background. Attackers can use this vulnerability to execute arbitrary commands.

Yushi Network Camera IPC232S-IR3-HF40-C-DT is a network camera produced by Zhejiang Yushi Technology Co., Ltd. Yu network camera view IPC232S-IR3-HF40-C-DT denial of service vulnerabilities, an attacker can send a signaling protocol with a variation of the authentication message to the device, cause the device to be exploited downtime.

This vulnerability allows local attackers to escalate privileges on vulnerable installations of Advantech WebAccess Node. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.The specific flaw exists within the access control that is set and modified during the installation of the product. The product installation weakens existing access control restrictions of current system files, then sets weak access control restrictions on new files. An attacker can leverage this vulnerability to escalate privileges to the level of an administrator.

Kodak video conference terminal console exists Cookie Stored in plaintext password vulnerability, intercepted by attackers Cookie After obtaining system use rights.

Kodak video conference terminal console has a user name leakage vulnerability, which can illegally obtain a valid login user name.

ZTE Video Conference MCU Device is reflective XSS Vulnerabilities. Attackers can use this vulnerability to obtain HttpOnly Protect the integrity of the web page Cookie information.

Kodak Video Cloud MCU A weak password exists on the device, allowing initial password login

Kodak Video Cloud MCU The device has a cross-site request forgery vulnerability. Venue management and end conference exist CSRF Vulnerability, which could be exploited by an attacker to execute CSRF attack.

Kodak Video Cloud MCU Device search function exists SQL Inject holes. Allows an attacker to compromise the application, access or modify data, or exploit potential vulnerabilities in the underlying database.

ZTE Video Conference MCU Device exists XML File Information Disclosure Vulnerability in Multiple Configuration Files ( config.xml or udt-application-context.xml ) You can find the database connection information stored in plain text.

ZTE Video Conference Terminal Weak Password Allows Initial Password Login

ZTE Video Conference MCU Device weak password, allowing initial password login

Kodak Video Cloud MCU Device unauthorized unauthorized access vulnerability. graphite The system can be accessed without login.

Kodak Video Cloud MCU Device is stored XSS Vulnerability, storage of personal settings XSS Loophole.

Kodak Video Cloud MCU The device has an unauthorized access vulnerability. There is a problem of unauthorized data export. A large amount of sensitive data can be downloaded without logging in, including point-to-point records, multipoint records, phone records, and conference statistics.

Kodak video conference terminal console X300 An unauthorized access vulnerability exists. Attackers can access sensitive data and obtain video screenshots of the terminal without logging in.

ZTE video conference terminal equipment An authentication bypass vulnerability exists. User logs out Cookie Without clearing, other users can bypass the login interface and enter the device control interface directly after the previous user logs out.