VARIoT IoT vulnerabilities database

Cross-site scripting (XSS) vulnerability in info.cgi in Synology Router Manager (SRM) before 1.1.7-6941 allows remote attackers to inject arbitrary web script or HTML via the host parameter. Synology Router Manager (SRM) is a Synology software for configuring and managing Synology routers

A Hard-coded Credentials vulnerability exists in EVLink Parking, v3.2.0-12_v1 and earlier, which could enable an attacker to gain access to the device. EVLink Parking Contains a vulnerability involving the use of hard-coded credentials.Information is acquired, information is falsified, and denial of service (DoS) May be in a state. SchneiderElectricEVLinkParking is a commercial electric vehicle charging solution from Schneider Electric, France. Schneider Electric EVLink Parking is prone to multiple security vulnerabilities. An attacker can leverage these issues to compromise the application, access or modify data, exploit latent vulnerabilities in the underlying database, inject code, execute arbitrary code, or gain access to the affected system. EVLink Parking Versions 3.2.0-12_v1 and prior are vulnerable

A SQL Injection vulnerability exists in EVLink Parking, v3.2.0-12_v1 and earlier, which could give access to the web interface with full privileges. Schneider Electric EVLink Parking is prone to multiple security vulnerabilities. An attacker can leverage these issues to compromise the application, access or modify data, exploit latent vulnerabilities in the underlying database, inject code, execute arbitrary code, or gain access to the affected system. EVLink Parking Versions 3.2.0-12_v1 and prior are vulnerable

An issue was discovered on Xiaomi Mi A1 tissot_sprout:8.1.0/OPM1.171019.026/V9.6.4.0.ODHMIFE devices. They store cleartext Wi-Fi passwords in logcat during the process of setting up the phone as a hotspot. Xiaomi Mi A1 The device contains a security feature vulnerability.Information is acquired, information is falsified, and denial of service (DoS) May be in a state. XiaomiMiA1 is a smart phone from China Xiaomi. An information disclosure vulnerability exists in XiaomiMiA1 (tissot_sprout) version 8.1.0, OPM1.171019.026 version, and 9.6.4.0.ODHMIFE version. The attacker can use this vulnerability to obtain a Wi-Fi password

A Code Injection vulnerability exists in EVLink Parking, v3.2.0-12_v1 and earlier, which could enable access with maximum privileges when a remote code execution is performed. EVLink Parking Contains a code injection vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Schneider Electric EVLink Parking is prone to multiple security vulnerabilities. An attacker can leverage these issues to compromise the application, access or modify data, exploit latent vulnerabilities in the underlying database, inject code, execute arbitrary code, or gain access to the affected system. EVLink Parking Versions 3.2.0-12_v1 and prior are vulnerable

Improper neutralization of escape vulnerability in Log Exporter in Synology DiskStation Manager (DSM) before 6.1.6-15266 allows remote attackers to inject arbitrary content to have an unspecified impact by exporting an archive in CSV format. Synology DiskStation Manager (DSM) Contains an injection vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Synology DiskStation Manager (DSM) is an operating system developed by Synology for network storage servers (NAS). The operating system can manage data, documents, photos, music and other information. There is a security vulnerability in the Log Exporter in versions earlier than Synology DSM 6.1.6-15266. A remote attacker could exploit this vulnerability to inject arbitrary content

Information exposure vulnerability in SYNO.Core.Desktop.SessionData in Synology DiskStation Manager (DSM) before 6.1.6-15266 allows remote attackers to steal credentials via unspecified vectors. Synology DiskStation Manager (DSM) Contains an information disclosure vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Synology DiskStation Manager (DSM) is an operating system developed by Synology for network storage servers (NAS). The operating system can manage data, documents, photos, music and other information. An information disclosure vulnerability exists in SYNO.Core.Desktop.SessionData in Synology DSM versions earlier than 6.1.6-15266

Cross-site scripting (XSS) vulnerability in info.cgi in Synology DiskStation Manager (DSM) before 6.1.6-15266 allows remote attackers to inject arbitrary web script or HTML via the host parameter. Synology DiskStation Manager (DSM) Contains a cross-site scripting vulnerability.Information may be obtained and information may be altered. Synology DiskStation Manager (DSM) is an operating system developed by Synology for network storage servers (NAS). The operating system can manage data, documents, photos, music and other information

Technicolor DPC3928SL D3928SL-PSIP-13-A010-c3420r55105-160428a devices allow XSS via a Cross Protocol Injection attack with setSSID of 1.3.6.1.4.1.4413.2.2.2.1.18.1.2.1.1.3.10001. Technicolor DPC3928SL The device contains a cross-site scripting vulnerability.Information may be obtained and information may be altered. The Technicolor DPC3928SL is a cable modem from the French Technicolor group. A remote attacker can exploit this vulnerability to inject arbitrary web scripts or HTML with the help of setSSID

Tenda ADSL modem routers 1.0.1 allow XSS via the hostname of a DHCP client. TendaADSLmodemrouters is a wireless router from Tenda. A cross-site scripting vulnerability exists in the TendaADSLmodemrouters1.0.1 release. A remote attacker could exploit the vulnerability of a DHCP client to inject malicious code into the current list of DHCP clients

TP-Link TD-W8961ND devices allow XSS via the hostname of a DHCP client. TP-Link TD-W8961ND The device contains a cross-site scripting vulnerability.Information may be obtained and information may be altered. The TP-LinkTD-W8961ND is a wireless router from China Unicom (TP-LINK). A cross-site scripting vulnerability exists in the TP-LinkTD-W8961ND. A remote attacker can use the vulnerability of a DHCP client to inject malicious code into the current list of DHCP clients

ARRIS SBG6580-2 D30GW-SEAEAGLE-1.5.2.5-GA-00-NOSH devices allow remote attackers to discover credentials via iso.3.6.1.4.1.4491.2.4.1.1.6.1.1.0 and iso.3.6.1.4.1.4491.2.4.1.1.6.1.2.0 SNMP requests. ARRIS SBG6580-2 The device contains vulnerabilities related to certificate and password management.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. ARRIS SBG6580-2 is a cable modem produced by Arris Group Corporation in the United States. A security vulnerability exists in ARRIS SBG6580-2 D30GW-SEAEAGLE-1.5.2.5-GA-00-NOSH version

Jiuzhou BCM93383WRG 139.4410mp1.3921132mp1.899.004404.004 devices allow remote attackers to discover credentials via iso.3.6.1.4.1.4491.2.4.1.1.6.1.1.0 and iso.3.6.1.4.1.4491.2.4.1.1.6.1.2.0 SNMP requests. Jiuzhou BCM93383WRG The device contains vulnerabilities related to certificate and password management.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Jiuzhou BCM93383WRG is a modem. There is a security vulnerability in Jiuzhou BCM93383WRG 139.4410mp1.3921132mp1.899.004404.004 version

plural CastleNet Product devices contain vulnerabilities related to certificate and password management.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. CastleNet CBV38Z4EC etc. are the cable modem products of CostleNet Technology Company. Security vulnerabilities exist in several CastleNet products. A remote attacker could exploit this vulnerability to obtain credentials by sending SNMP requests. The following products and versions are affected: CastleNet CBV38Z4EC version 125.553mp1.39219mp1.899.007; CBV38Z4ECNIT version 125.553mp1.39219mp1.899.005ITT; CBW383G4J version 37.556mp5.008; CBW38G4J version 17.0083

Ambit DDW2600 5.100.1009, DDW2602 5.105.1003, T60C926 4.64.1012, and U10C019 5.66.1026 devices allow remote attackers to discover credentials via iso.3.6.1.4.1.4491.2.4.1.1.6.1.1.0 and iso.3.6.1.4.1.4491.2.4.1.1.6.1.2.0 SNMP requests. plural Ambit The device contains vulnerabilities related to certificate and password management.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Ambit DDW2600 etc. are all modem products. There are security vulnerabilities in several Ambit products. The following products and versions are affected: Ambit DDW2600 version 5.100.1009; DDW2602 version 5.105.1003; T60C926 version 4.64.1012; U10C019 version 5.66.1026

iNovo Broadband IB-8120-W21 139.4410mp1.004200.002 and IB-8120-W21E1 139.4410mp1.3921132mp1.899.004404.004 devices allow remote attackers to discover credentials via iso.3.6.1.4.1.4491.2.4.1.1.6.1.1.0 and iso.3.6.1.4.1.4491.2.4.1.1.6.1.2.0 SNMP requests. iNovo Broadband IB-8120-W21 and IB-8120-W21E1 The device contains vulnerabilities related to certificate and password management.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Both iNovo Broadband IB-8120-W21 and IB-8120-W21E1 are modem products. There are security vulnerabilities in iNovo Broadband IB-8120-W21 version 139.4410mp1.004200.002 and IB-8120-W21E1 version 139.4410mp1.3921132mp1.899.004404.004

Comtrend CM-6200un 123.447.007 and CM-6300n 123.553mp1.005 devices allow remote attackers to discover credentials via iso.3.6.1.4.1.4491.2.4.1.1.6.1.1.0 and iso.3.6.1.4.1.4491.2.4.1.1.6.1.2.0 SNMP requests. Comtrend CM-6200un and CM-6300n The device contains vulnerabilities related to certificate and password management.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Both Comtrend CM-6200un and CM-6300n are cable modem products of Comtrend Company. There are security vulnerabilities in Comtrend CM-6200un 123.447.007 version and CM-6300n 123.553mp1.005 version

Bnmux BCW700J 5.20.7, BCW710J 5.30.6a, and BCW710J2 5.30.16 devices allow remote attackers to discover credentials via iso.3.6.1.4.1.4491.2.4.1.1.6.1.1.0 and iso.3.6.1.4.1.4491.2.4.1.1.6.1.2.0 SNMP requests. Bnmux BCW700J , BCW710J , BCW710J2 The device contains vulnerabilities related to certificate and password management.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Bnmux BCW700J, BCW710J and BCW710J2 are all modem products of Japan Broad Net Mux (Bnmux) company. There are security vulnerabilities in Bnmux BCW700J version 5.20.7, BCW710J version 5.30.6a and BCW710J2 version 5.30.16

Technicolor DPC2320 dpc2300r2-v202r1244101-150420a-v6 devices allow remote attackers to discover credentials via iso.3.6.1.4.1.4491.2.4.1.1.6.1.1.0 and iso.3.6.1.4.1.4491.2.4.1.1.6.1.2.0 SNMP requests. Technicolor DPC2320 The device contains vulnerabilities related to certificate and password management.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Technicolor DPC2320 is a modem from Technicolor Group. Technicolor DPC2320 dpc2300r2-v202r1244101-150420a-v6 has a security vulnerability

ARRIS DG950A 7.10.145 and DG950S 7.10.145.EURO devices allow remote attackers to discover credentials via iso.3.6.1.4.1.4491.2.4.1.1.6.1.1.0 and iso.3.6.1.4.1.4491.2.4.1.1.6.1.2.0 SNMP requests. ARRIS DG950A and DG950S The device contains vulnerabilities related to certificate and password management.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Both ARRIS DG950A and DG950S are cable modems from Arris Group Corporation in the United States. A security vulnerability exists in ARRIS DG950A version 7.10.145 and DG950S version 7.10.145.EURO