VARIoT IoT vulnerabilities database

VAR-201809-0319 | CVE-2018-17208 | Linksys Velop Command injection vulnerability in devices |
CVSS V2: 9.3 CVSS V3: 8.8 Severity: HIGH |
Linksys Velop 1.1.2.187020 devices allow unauthenticated command injection, providing an attacker with full root access, via cgi-bin/zbtest.cgi or cgi-bin/zbtest2.cgi (scripts that can be discovered with binwalk on the firmware, but are not visible in the web interface). This occurs because shell metacharacters in the query string are mishandled by ShellExecute, as demonstrated by the zbtest.cgi?cmd=level&level= substring. This can also be exploited via CSRF. The Linksys Velop device contains a command injection vulnerability. Information may be obtained or altered, and service operation may be disrupted (DoS). Belkin International Linksys Velop is a family WiFi wireless network solution from Belkin International. A command injection vulnerability exists in Belkin International Linksys Velop version 1.1.2.187020.
VAR-201809-0281 | CVE-2018-1150 | NUUO NVRMini2 Vulnerabilities related to security functions |
CVSS V2: 7.5 CVSS V3: 7.3 Severity: HIGH |
NUUO's NVRMini2 3.8.0 and below contains a backdoor that would allow an unauthenticated remote attacker to take over user accounts if the file /tmp/moses exists. NUUO NVRMini2 contains vulnerabilities related to security features. Information may be obtained or altered, and service operation may be disrupted (DoS). NUUO is one of the monitoring solution providers, and NUUO NVRMini 2 is a NAS-enabled NVR solution. There is a backdoor vulnerability in NUUO NVRMini2. When the specific file /tmp/moses/ exists on the target device's file system, the backdoor is opened, and any unauthorized user can use the API to obtain the list of non-admin users and change their passwords, taking over the NVR device.
An attacker can exploit these issues to execute arbitrary code in the context of the affected application. Failed exploit attempts may result in a denial-of-service condition.
NVRmini2 and NVRsolo 3.8.0 and prior are vulnerable. NUUO NVRmini 2 is a video storage management device produced by American NUUO company. There is a security vulnerability in NUUO NVRMini 2 3.8.0 and earlier versions, which is caused by the backdoor in the program
VAR-201809-0138 | CVE-2018-12242 | Symantec Messaging Gateway Authentication vulnerability |
CVSS V2: 7.5 CVSS V3: 9.8 Severity: CRITICAL |
The Symantec Messaging Gateway product prior to 10.6.6 may be susceptible to an authentication bypass exploit, which is a type of issue that can allow attackers to potentially circumvent security mechanisms currently in place and gain access to the system or network. Symantec Messaging Gateway contains an authentication vulnerability. Information may be obtained or altered, and service operation may be disrupted (DoS). Symantec Messaging Gateway is prone to an authentication-bypass vulnerability.
An attacker can exploit this issue to bypass the authentication mechanism and perform unauthorized actions. This may lead to further attacks.
Versions prior to Messaging Gateway 10.6.6 are vulnerable. Symantec Messaging Gateway is a set of anti-spam, anti-virus, advanced content filtering and data leakage prevention technologies developed by Symantec
VAR-201809-0888 | CVE-2018-12801 | Adobe Reader and Acrobat Out-of-bounds reading vulnerability |
CVSS V2: 5.0 CVSS V3: 7.5 Severity: HIGH |
Adobe Acrobat and Reader versions 2018.011.20058 and earlier, 2017.011.30099 and earlier, and 2015.006.30448 and earlier have an out-of-bounds read vulnerability. Successful exploitation could lead to information disclosure. The former is a set of PDF file editing and conversion tools, the latter is a set of PDF document reading software. A remote attacker can exploit this vulnerability to obtain sensitive information
VAR-201809-1330 | No CVE | Netis ADSL Router DL4322D Cross-Site Scripting Vulnerability |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
The DL4322D is a router product from Netis Systems. A cross-site scripting vulnerability exists in the Netis ADSL Router DL4322D that allows an attacker to carry out a cross-site scripting attack through the Dynamic DNS Hostname field.
VAR-201809-1335 | No CVE | Node-RED Unauthorized Remote Command Execution Vulnerability |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Node-RED is a tool for building Internet of Things (IoT) applications. Its focus is to simplify the "connection" of code blocks to perform tasks.
Node-RED has an unauthorized remote command execution vulnerability. Because the Node-RED application does not enforce any type of authentication, it can be accessed without authorization, and an attacker can execute arbitrary commands on the target system by combining specific Flows. In addition, unauthorized use of other Nodes can also implement SSRF, local file inclusion, and information leakage attacks.
VAR-201809-0280 | CVE-2018-1149 | NUUO NVRMini2 Remote code execution vulnerability |
CVSS V2: 10.0 CVSS V3: 9.8 Severity: CRITICAL |
cgi_system in NUUO's NVRMini2 3.8.0 and below allows remote attackers to execute arbitrary code via crafted HTTP requests. NUUO NVRMini2 contains a buffer error vulnerability. Information may be obtained or altered, and service operation may be disrupted (DoS). NUUO is one of the monitoring solution providers, and NUUO NVRMini 2 is a NAS-enabled NVR solution. NUUO NVRMini2 has a remote code execution vulnerability. Due to a program logic defect, the length of the Cookie HTTP header field is not checked when processing a GET request to /cgi-bin/cgi_system, and the sprintf function is used to concatenate it, resulting in a stack overflow. By constructing specially crafted data, an attacker can exploit this vulnerability to execute arbitrary commands on the target device. Failed exploit attempts may result in a denial-of-service condition.
NVRmini2 and NVRsolo 3.8.0 and prior are vulnerable. NUUO NVRmini 2 is a video storage management device produced by American NUUO company. There is a security vulnerability in cgi_system in NUUO NVRMini 2 3.8.0 and earlier versions
VAR-201809-0314 | CVE-2018-17177 | Neato Botvac Connected and Botvac 85 Vulnerability related to cryptographic strength in devices |
CVSS V2: 2.1 CVSS V3: 2.4 Severity: LOW |
An issue was discovered on Neato Botvac Connected 2.2.0 and Botvac 85 1.2.1 devices. Static encryption is used for the copying of so-called "black box" logs (event logs and core dumps) to a USB stick. These logs are RC4-encrypted with a 9-character password of *^JEd4W!I that is obfuscated by hiding it within a custom /bin/rc4_crypt binary. Neato Robotics Botvac Connected and Neato Robotics Botvac 85 are both cleaning robots from Neato Robotics in the United States. A security vulnerability exists in Neato Robotics Botvac Connected version 2.2.0 and Neato Robotics Botvac 85 version 1.2.1. An attacker could exploit this vulnerability to obtain sensitive information
VAR-201809-0313 | CVE-2018-17176 | Neato Botvac Connected Authentication vulnerabilities in devices |
CVSS V2: 5.0 CVSS V3: 7.5 Severity: HIGH |
A replay issue was discovered on Neato Botvac Connected 2.2.0 devices. Manual control mode requires authentication, but once recorded, the authentication (always transmitted in cleartext) can be replayed to /bin/webserver on port 8081. There are no nonces, and timestamps are not checked at all. Currently there is no information about this vulnerability; please keep an eye on CNNVD or vendor announcements.
VAR-201809-0315 | CVE-2018-17178 | Neato Botvac Connected Authorization vulnerabilities in devices |
CVSS V2: 2.9 CVSS V3: 5.3 Severity: MEDIUM |
An issue was discovered on Neato Botvac Connected 2.2.0 devices. They execute unauthenticated manual drive commands (sent to /bin/webserver on port 8081) if they already have an active session. Commands like forward, back, arc-left, arc-right, pivot-left, and pivot-right are executed even though the web socket replies with { "message" : "invalid authorization header" }. Without an active session, commands are still interpreted, but (except for eco-on and eco-off) have no effect, since without active driving, a driving direction does not change anything
VAR-201809-0909 | CVE-2018-16225 | QBee MultiSensor Camera Authentication vulnerability |
CVSS V2: 6.1 CVSS V3: 6.5 Severity: MEDIUM |
The QBee MultiSensor Camera through 4.16.4 accepts unencrypted network traffic from clients (such as the QBee Cam application through 1.0.5 for Android and the Swisscom Home application up to 10.7.2 for Android), which results in an attacker being able to reuse cookies to bypass authentication and disable the camera. The QBee MultiSensor Camera contains an authentication vulnerability. Service operation may be disrupted (DoS). Askey QBee MultiSensor Camera is a smart camera product of Askey Computer Company. A security vulnerability exists in Askey QBee MultiSensor Camera 4.16.4 and earlier versions. An attacker could exploit this vulnerability to reuse cookies, thereby bypassing authentication and disabling the camera.
[VulnerabilityType Other]
Auth bypass using cookie
[Vendor of Product]
QBee, Vestiacom, Swisscom
[Affected Product Code Base]
QBee MultiSensor Camera <= 4.16.4
QBee Cam (Android) <= 1.0.5 (Fixed version number not yet available)
QBee Cam (iOS) < 1.5.2
Swisscom Home App (Android) < 10.7.2
Swisscom Home App (iOS) < 10.9.0
[Affected Component]
Network Traffic
[Attack Type]
Remote
[Impact Denial of Service]
true
[Impact Information Disclosure]
true
[Attack Vectors]
Reuse of intercepted cookies to authorize requests to camera and disable it
[Has vendor confirmed or acknowledged the vulnerability?]
true
[Discoverer]
Francesco Servida (University of Lausanne)
[Reference]
https://francescoservida.ch/
https://blog.francescoservida.ch/2018/09/16/cve-2018-16225-public-disclosure-qbee-camera-vulnerability
https://unil.ch/esc/
VAR-201809-1203 | No CVE | DCCE MAC1100 PLC has remote register tampering vulnerability |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
MAC1100 PLC is a programmable logic controller produced by Dalian University of Technology Computer Control Engineering Co., Ltd.
There is a remote register tampering vulnerability in the DCCE MAC1100 PLC. An attacker can construct a specific network data packet without authorization and use the vulnerability to forcibly read or tamper with the PLC register value, which affects the normal operation of the controller
VAR-201809-1198 | No CVE | Haiwell C10S0R (-e) PLC has remote code upload vulnerability |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
C10S0R (-e) PLC is a product in the programmable logic controller (PLC) series of Xiamen Haiwei Technology Co., Ltd.
Haiwell C10S0R (-e) PLC has a remote code upload vulnerability. An attacker can construct a specific network packet without authorization and use the vulnerability to upload arbitrary code
VAR-201809-1337 | No CVE | CalAmp lenderoutlook on colt.calamp-ts.com incorrect permission assignment vulnerability |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
CalAmp is a pioneer in M2M telematics, managing more than 1.5M IoT devices.
CalAmp lenderoutlook on colt.calamp-ts.com has an incorrect permission assignment vulnerability. An attacker could use the vulnerability to obtain sensitive data.
VAR-201809-1202 | No CVE | DCCE MAC1100 PLC has arbitrary program coverage vulnerability |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
MAC1100 PLC is a programmable logic controller produced by Dalian University of Technology Computer Control Engineering Co., Ltd.
There is an arbitrary program coverage (overwrite) vulnerability in the DCCE MAC1100 PLC. The vulnerability originates from the MAC1100 PLC programmable logic controller accepting program downloads to the PLC without verifying the relevant permissions. An attacker can exploit the vulnerability to remotely download a program data packet to the PLC and overwrite any program.
VAR-201809-1211 | No CVE | DCCE PLC_Config Denial of service vulnerability |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
PLC_Config is the standard software for the configuration and programming of programmable controllers produced by Dalian University of Technology Computer Control Engineering Co., Ltd.
There is a denial of service vulnerability in DCCE PLC_Config. An attacker can construct a specific network packet without authorization, and use the vulnerability to cause PLC_Config to deny service.
VAR-201809-1204 | No CVE | DCCE MAC1100 PLC has a denial of service vulnerability (CNVD-2018-19111) |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
MAC1100 PLC is a programmable logic controller produced by Dalian University of Technology Computer Control Engineering Co., Ltd.
DCCE MAC1100 PLC has a denial-of-service vulnerability. An attacker can construct a specific network packet without authorization, and use the vulnerability to cause the PLC to deny service
VAR-201809-1197 | No CVE | DCCE MAC1100 PLC has password leak vulnerability |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
MAC1100 PLC is a programmable logic controller produced by Dalian University of Technology Computer Control Engineering Co., Ltd.
DCCE MAC1100 PLC has a password leakage vulnerability. An attacker can use the vulnerability to obtain the PLC user name and password when the computer is connected to the PLC
VAR-201809-1224 | No CVE | GE iFix scu.exe component has DLL hijacking vulnerability |
CVSS V2: 6.2 CVSS V3: - Severity: MEDIUM |
GE Intelligent Platform (GE-IP)'s iFIX is the world's leading industrial automation software solution that provides process visualization, data acquisition, and data monitoring of production operations.
There is a DLL hijacking vulnerability in the GE iFix scu.exe component. An attacker can use the vulnerability to execute malicious code by loading a malicious DLL named "DWMAPI.dll".
VAR-201809-1205 | No CVE | DCCE MAC1100 PLC Denial of service vulnerability |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
MAC1100 PLC is a programmable logic controller produced by Dalian University of Technology Computer Control Engineering Co., Ltd.
DCCE MAC1100 PLC has a denial-of-service vulnerability. An attacker can construct a specific network packet without authorization. Using the vulnerability, the PLC is shut down and the CPU denies service