VARIoT IoT vulnerabilities database


VAR-201809-1166 CVE-2018-8844 Philips e-Alert Unit Vulnerable to cross-site request forgery
CVSS V2: 6.8
CVSS V3: 8.8
Severity: HIGH
Philips e-Alert Unit (non-medical device), Version R2.1 and prior. The web application does not, or cannot, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request. Philips e-Alert Unit contains a cross-site request forgery vulnerability. Information may be obtained, information may be altered, and service operation may be disrupted (DoS). Philips e-Alert is prone to the following security vulnerabilities: 1. An input-validation vulnerability; 2. A cross-site scripting vulnerability; 3. Multiple information-disclosure vulnerabilities; 4. An insecure default permissions vulnerability; 5. A cross-site request-forgery vulnerability; 6. A session-fixation vulnerability; 7. A denial-of-service vulnerability; 8. A security-bypass vulnerability. Attackers may exploit these issues to gain unauthorized access to the affected device, or to bypass certain security restrictions to perform unauthorized actions, to compromise the application to access or modify data and to exploit vulnerabilities in the underlying database, to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site or to execute arbitrary code within the context of the affected device. e-Alert R2.1 and prior are vulnerable. Philips e-Alert is an electronic alert solution for MRI systems from Philips, the Netherlands. It is mainly used to monitor the performance of MRI systems and issue alerts. There is a cross-site request forgery vulnerability in Philips e-Alert R2.1 and earlier versions. A remote attacker could exploit this vulnerability to perform unauthorized operations.
VAR-201809-1092 CVE-2018-8852 Philips e-Alert Unit Session fixation vulnerability
CVSS V2: 6.8
CVSS V3: 8.8
Severity: HIGH
Philips e-Alert Unit (non-medical device), Version R2.1 and prior. When authenticating a user or otherwise establishing a new user session, the software gives an attacker the opportunity to steal authenticated sessions without invalidating any existing session identifier. Philips e-Alert Unit contains a session fixation vulnerability. Information may be obtained, information may be altered, and service operation may be disrupted (DoS). Philips e-Alert is prone to the following security vulnerabilities: 1. An input-validation vulnerability; 2. A cross-site scripting vulnerability; 3. Multiple information-disclosure vulnerabilities; 4. An insecure default permissions vulnerability; 5. A cross-site request-forgery vulnerability; 6. A session-fixation vulnerability; 7. A denial-of-service vulnerability; 8. A security-bypass vulnerability. Attackers may exploit these issues to gain unauthorized access to the affected device, or to bypass certain security restrictions to perform unauthorized actions, to compromise the application to access or modify data and to exploit vulnerabilities in the underlying database, to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site or to execute arbitrary code within the context of the affected device. e-Alert R2.1 and prior are vulnerable. Philips e-Alert is an electronic alert solution for MRI systems from Philips, the Netherlands. It is mainly used to monitor the performance of MRI systems and issue alerts. A session fixation vulnerability exists in Philips e-Alert R2.1 and earlier versions.
VAR-201809-1090 CVE-2018-8848 Philips e-Alert Unit Permissions vulnerability
CVSS V2: 5.0
CVSS V3: 7.5
Severity: HIGH
Philips e-Alert Unit (non-medical device), Version R2.1 and prior. The software, upon installation, sets incorrect permissions for an object that exposes it to an unintended actor. Philips e-Alert is prone to the following security vulnerabilities: 1. An input-validation vulnerability; 2. A cross-site scripting vulnerability; 3. Multiple information-disclosure vulnerabilities; 4. An insecure default permissions vulnerability; 5. A cross-site request-forgery vulnerability; 6. A session-fixation vulnerability; 7. A denial-of-service vulnerability; 8. A security-bypass vulnerability. Attackers may exploit these issues to gain unauthorized access to the affected device, or to bypass certain security restrictions to perform unauthorized actions, to compromise the application to access or modify data and to exploit vulnerabilities in the underlying database, to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site or to execute arbitrary code within the context of the affected device. e-Alert R2.1 and prior are vulnerable. Philips e-Alert is an electronic alert solution for MRI systems from Philips, the Netherlands. It is mainly used to monitor the performance of MRI systems and issue alerts. An attacker could exploit this vulnerability to gain elevated privileges.
VAR-201808-0506 CVE-2018-15363 Trend Micro Security 2018 Product out-of-bounds vulnerability
CVSS V2: 7.2
CVSS V3: 7.8
Severity: HIGH
An Out-of-Bounds Read Privilege Escalation vulnerability in Trend Micro Security 2018 (Consumer) products could allow a local attacker to escalate privileges on vulnerable installations. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit the vulnerability. Trend Micro Security 2018 (Consumer) products contain vulnerabilities related to out-of-bounds reading and vulnerabilities related to authorization, authority, and access control. Information may be obtained, information may be altered, and service operation may be disrupted (DoS). The issue results from the lack of proper validation of user-supplied data, which can result in a memory access past the end of an allocated buffer.
VAR-201808-0182 CVE-2018-10514 Trend Micro Security 2018 Vulnerabilities related to authorization, authority, and access control in products
CVSS V2: 7.2
CVSS V3: 7.8
Severity: HIGH
A Missing Impersonation Privilege Escalation vulnerability in Trend Micro Security 2018 (Consumer) products could allow a local attacker to escalate privileges on vulnerable installations. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit the vulnerability. Trend Micro Security 2018 (Consumer) products contain vulnerabilities related to authorization, permissions, and access control. Information may be obtained, information may be altered, and service operation may be disrupted (DoS). The service does not properly impersonate the client before executing sensitive operations. An attacker can leverage this vulnerability to escalate privileges to SYSTEM.
VAR-201808-0181 CVE-2018-10513 Trend Micro Security 2018 Unreliable data deserialization vulnerability in products
CVSS V2: 7.2
CVSS V3: 7.8
Severity: HIGH
A Deserialization of Untrusted Data Privilege Escalation vulnerability in Trend Micro Security 2018 (Consumer) products could allow a local attacker to escalate privileges on vulnerable installations. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit the vulnerability. When parsing the request buffer, the process does not properly validate user-supplied data, which can result in deserialization of untrusted data.
VAR-201808-0772 CVE-2018-16134 Cybrotech CyBroHttpServer Vulnerable to cross-site scripting

Related entries in the VARIoT exploits database: VAR-E-201808-0179
CVSS V2: 4.3
CVSS V3: 6.1
Severity: MEDIUM
Cybrotech CyBroHttpServer contains a cross-site scripting vulnerability. Information may be obtained and information may be altered. Cybrotech CyBroHttpServer is a communication server from Cybrotech, UK, for reading/writing CyBro variables by name. A remote attacker can exploit this vulnerability to inject arbitrary web scripts or HTML with malicious links or web pages.
VAR-201808-1007 CVE-2018-6599 Orbic Wonder RC555L Vulnerability related to information disclosure from log files on devices
CVSS V2: 2.1
CVSS V3: 5.5
Severity: MEDIUM
An issue was discovered on Orbic Wonder Orbic/RC555L/RC555L:7.1.2/N2G47H/329100b:user/release-keys devices, allowing attackers to obtain sensitive information (such as text-message content) by reading a copy of the Android log on the SD card. The system-wide Android logs are not directly available to third-party apps since they tend to contain sensitive data. Third-party apps can read from the log but only the log messages that the app itself has written. Certain apps can leak data to the Android log due to not sanitizing log messages, which is an insecure programming practice. Pre-installed system apps and apps that are signed with the framework key can read from the system-wide Android log. We found a pre-installed app on the Orbic Wonder that when started via an Intent will write the Android log to the SD card, also known as external storage, via com.ckt.mmitest.MmiMainActivity. Any app that requests the READ_EXTERNAL_STORAGE permission can read from the SD card. Therefore, a local app on the device can quickly start a specific component in the pre-installed system app to have the Android log written to the SD card. Therefore, any app co-located on the device with the READ_EXTERNAL_STORAGE permission can obtain the data contained within the Android log and continually monitor it and mine the log for relevant data. In addition, the default messaging app (com.android.mms) writes the body of sent and received text messages to the Android log, as well as the recipient phone number for sent text messages and the sending phone number for received text messages. In addition, any call data contains phone numbers for sent and received calls. The Orbic Wonder RC555L device contains a vulnerability related to information disclosure from log files. Information may be obtained. Orbic Wonder is a smartphone product from Orbic Corporation of the United States.
VAR-201808-0430 CVE-2018-14768 plural Various VIVOTEK Command injection vulnerability in the product
CVSS V2: 9.0
CVSS V3: 8.8
Severity: HIGH
Various VIVOTEK FD8*, FD9*, FE9*, IB8*, IB9*, IP9*, IZ9*, MS9*, SD9*, and other devices before XXXXXX-VVTK-xx06a allow remote attackers to execute arbitrary code. Various VIVOTEK products contain a command injection vulnerability. Information may be obtained, information may be altered, and service operation may be disrupted (DoS). VIVOTEK (Jingrui Communication Co., Ltd.) is a manufacturer of network cameras and audio and video servers. A command injection vulnerability exists in the VIVOTEK network camera with firmware version lower than XXXXXX-VVTK-0X06a. Vivotek FD8*, etc. are Vivotek's network camera products of different models. The following products are affected: VIVOTEK FD8*; FD9*; FE9*; IB8*; IB9*; IP9*; IZ9*; MS9*; SD9*, etc.
VAR-201808-1006 CVE-2018-6598 Orbic Wonder RC555L Vulnerabilities related to authorization, authority, and access control in devices
CVSS V2: 5.6
CVSS V3: 7.1
Severity: HIGH
An issue was discovered on Orbic Wonder Orbic/RC555L/RC555L:7.1.2/N2G47H/329100b:user/release-keys devices. Any app co-located on the device can send an intent to factory reset the device programmatically because of com.android.server.MasterClearReceiver. This does not require any user interaction and does not require any permission to perform. A factory reset will remove all user data from the device. This will result in the loss of any data that the user has not backed up or synced externally. This capability to perform a factory reset is not directly available to third-party apps (those that the user installs themselves), although this capability is present in an unprotected component of the Android OS. This vulnerability is not present in Google's Android Open Source Project (AOSP) code. Therefore, it was introduced by Orbic or another entity in the supply chain. Orbic Wonder RC555L devices have vulnerabilities related to authorization, permissions, and access control. Information may be tampered with and service operation may be disrupted (DoS). Orbic Wonder is a smartphone product of Orbic Company in the United States. A security vulnerability exists in Orbic Wonder Orbic/RC555L/RC555L:7.1.2/N2G47H/329100b:user/release-keys.
VAR-201808-0239 CVE-2018-15907 Technicolor TC8305C Vulnerabilities related to security functions in devices
CVSS V2: 6.1
CVSS V3: 6.5
Severity: MEDIUM
Technicolor (formerly RCA) TC8305C devices allow remote attackers to cause a denial of service (networking outage) via a flood of random MAC addresses, as demonstrated by macof. NOTE: this might overlap CVE-2018-15852 and CVE-2018-16310. NOTE: Technicolor denies that the described behavior is a vulnerability and states that Wi-Fi traffic is slowed or stopped only while the devices are exposed to a MAC flooding attack. This has been confirmed through testing against official up-to-date versions. ** Unsettled ** This case has not been confirmed as a vulnerability. The Technicolor (alias RCA) TC8305C device contains vulnerabilities related to security functions. The vendor has disputed this vulnerability. For details, see the Current Description in NVD (https://nvd.nist.gov/vuln/detail/CVE-2018-15907). Service operation may be disrupted (DoS). Technicolor TC8305C is a modem from the French Technicolor group. A buffer overflow vulnerability exists in Technicolor TC8305C. An attacker could exploit the vulnerability to break a network connection.
VAR-201808-1005 CVE-2018-6597 Alcatel A30 Vulnerabilities related to authorization, authority, and access control in devices
CVSS V2: 7.2
CVSS V3: 6.8
Severity: MEDIUM
The Alcatel A30 device with a build fingerprint of TCL/5046G/MICKEY6US:7.0/NRD90M/J63:user/release-keys contains a hidden privilege escalation capability to achieve command execution as the root user. They have made modifications that allow a user with physical access to the device to obtain a root shell via ADB. Modifying the read-only properties by an app as the system user creates a UNIX domain socket named factory_test that will execute commands as the root user by processes that have privilege to access it (as per the SELinux rules that the vendor controls). Alcatel A30 devices have vulnerabilities related to authorization, permissions, and access control. Information may be obtained, information may be altered, and service operation may be disrupted (DoS). Alcatel A30 is a smartphone product. A security vulnerability exists in Alcatel A30 (with TCL/5046G/MICKEY6US:7.0/NRD90M/J63:user/release-keys). An attacker can exploit this vulnerability to execute commands as the root user.
VAR-201901-0719 CVE-2018-0665 Multiple script injection vulnerabilities in multiple Yamaha network devices
CVSS V2: 5.2
CVSS V3: 6.8
Severity: MEDIUM
Yamaha routers RT57i Rev.8.00.95 and earlier, RT58i Rev.9.01.51 and earlier, NVR500 Rev.11.00.36 and earlier, RTX810 Rev.11.01.31 and earlier, allow an administrative user to embed arbitrary scripts to the configuration data through a certain form field of the configuration page, which may be executed on another administrative user's web browser. This is a different vulnerability from CVE-2018-0666. The management screen of multiple network devices provided by Yamaha Corporation contains multiple script injection vulnerabilities (CWE-74). The following researchers reported the vulnerabilities to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. CVE-2018-0665: Hayato Doi of Kanazawa Institute of Technology; CVE-2018-0666: Tomonori Yamamoto of Mitsui Bussan Secure Directions, Inc. In the case where multiple administrators manage an affected device, an administrator with malicious intent may embed an arbitrary script into the management screen. The embedded script may be executed when another administrator logs into the screen. Yamaha Broadband VoIP Router RT57i and so on are all Yamaha Corporation router products. NVR500 Broadband VoIP Router is a router. A security vulnerability exists in the management interface in several Yamaha products. The following products and versions are affected: Yamaha Corporation FWX120 Firewall Rev.11.03.25 and earlier; NVR500 Broadband VoIP Router Rev.11.00.36 and earlier; RT57i Broadband VoIP Router Rev.8.00.95 and earlier; RT58i Broadband VoIP Router Rev.9.01.51 and earlier versions; RTX810 Gigabit VPN Router Rev.11.01.33 and earlier versions.
VAR-201901-0720 CVE-2018-0666 Multiple script injection vulnerabilities in multiple Yamaha network devices
CVSS V2: 5.2
CVSS V3: 6.8
Severity: MEDIUM
Yamaha routers RT57i Rev.8.00.95 and earlier, RT58i Rev.9.01.51 and earlier, NVR500 Rev.11.00.36 and earlier, RTX810 Rev.11.01.31 and earlier, allow an administrative user to embed arbitrary scripts to the configuration data through a certain form field of the configuration page, which may be executed on another administrative user's web browser. This is a different vulnerability from CVE-2018-0665. The management screen of multiple network devices provided by Yamaha Corporation contains multiple script injection vulnerabilities (CWE-74). The following researchers reported the vulnerabilities to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. CVE-2018-0665: Hayato Doi of Kanazawa Institute of Technology; CVE-2018-0666: Tomonori Yamamoto of Mitsui Bussan Secure Directions, Inc. In the case where multiple administrators manage an affected device, an administrator with malicious intent may embed an arbitrary script into the management screen. The embedded script may be executed when another administrator logs into the screen. Yamaha Broadband VoIP Router RT57i and so on are all Yamaha Corporation router products. A security vulnerability exists in the management interface in several Yamaha products.
VAR-201808-0771 CVE-2018-16133 Cybrotech CyBroHttpServer Path traversal vulnerability

Related entries in the VARIoT exploits database: VAR-E-201808-0259
CVSS V2: 5.0
CVSS V3: 5.3
Severity: MEDIUM
Cybrotech CyBroHttpServer 1.0.3 allows Directory Traversal via a ../ in the URI. Cybrotech CyBroHttpServer contains a path traversal vulnerability. Information may be obtained. Cybrotech CyBroHttpServer is a communication server from Cybrotech, UK, for reading/writing CyBro variables by name. An attacker could exploit the vulnerability via '../' to read sensitive information.
VAR-201808-1009 CVE-2018-6643 Infoblox NetMRI Cross-Site Scripting Vulnerability
CVSS V2: 4.3
CVSS V3: 6.1
Severity: MEDIUM
Infoblox NetMRI 7.1.1 has Reflected Cross-Site Scripting via the /api/docs/index.php query parameter. Infoblox NetMRI is a network automation product from Infoblox, USA that provides automated network discovery, switch port management, network change automation, and continuous configuration compliance management for routers, switches, and other network devices. A remote attacker can exploit this vulnerability to inject arbitrary web scripts or HTML by sending a 'query' parameter to the /api/docs/index.php file.
VAR-201808-0761 CVE-2018-12710 D-Link DIR-601 Vulnerabilities related to certificate and password management

Related entries in the VARIoT exploits database: VAR-E-201808-0147
CVSS V2: 2.7
CVSS V3: 8.0
Severity: HIGH
An issue was discovered on D-Link DIR-601 2.02NA devices. Being local to the network and having only "User" account (which is a low privilege account) access, an attacker can intercept the response from a POST request to obtain "Admin" rights due to the admin password being displayed in XML. D-Link DIR-601 contains vulnerabilities related to certificate and password management. Information may be obtained, information may be altered, and service operation may be disrupted (DoS). D-Link DIR-601 is a wireless router product from D-Link. A security vulnerability exists in the D-Link DIR-601 2.02NA release, which stems from the inclusion of an administrator password in the XML. A local attacker could exploit the vulnerability to gain administrative privileges by hijacking the response to a POST request. [Vulnerability Type] Insecure Permissions; [VulnerabilityType Other] Privilege Escalation; [Vendor of Product] D-Link; [Affected Product Code Base] DIR-601 - 2.02NA; [Attack Type] Local; [Impact Escalation of Privileges] true; [Impact Information Disclosure] true; [Has vendor confirmed or acknowledged the vulnerability?] true; [Discoverer] Kevin Randall
VAR-201808-0963 CVE-2018-7791 Schneider Electric Modicon M221 Vulnerabilities related to authorization, authority, and access control in products
CVSS V2: 7.5
CVSS V3: 9.8
Severity: CRITICAL
A Permissions, Privileges, and Access Control vulnerability exists in Schneider Electric's Modicon M221 product (all references, all versions prior to firmware V1.6.2.0). The vulnerability allows unauthorized users to overwrite the original password with their password. If an attacker exploits this vulnerability and overwrites the password, the attacker can upload the original program from the PLC. The Modicon M221 is a logic controller from Schneider Electric. Attackers can exploit these issues to bypass certain security restrictions and perform unauthorized actions; this may aid in launching further attacks.
VAR-201808-0964 CVE-2018-7792 Schneider Electric Modicon M221 Password Decoding Vulnerability
CVSS V2: 5.0
CVSS V3: 7.5
Severity: HIGH
A Permissions, Privileges, and Access Control vulnerability exists in Schneider Electric's Modicon M221 product (all references, all versions prior to firmware V1.6.2.0). The vulnerability allows unauthorized users to decode the password using a rainbow table. The Modicon M221 is a logic controller from Schneider Electric. Attackers can exploit these issues to bypass certain security restrictions and perform unauthorized actions; this may aid in launching further attacks.
VAR-201808-0923 CVE-2018-3908 Samsung SmartThings Hub STH-ETH-250 In firmware HTTP Request smuggling vulnerability
CVSS V2: 6.4
CVSS V3: 7.5
Severity: HIGH
An exploitable vulnerability exists in the REST parser of video-core's HTTP server of the Samsung SmartThings Hub STH-ETH-250-Firmware version 0.20.17. The video-core process incorrectly handles pipelined HTTP requests, which allows successive requests to overwrite the previously parsed HTTP method, URL and body. With the implementation of the on_body callback, defined by sub_41734, an attacker can send an HTTP request to trigger this vulnerability. Samsung SmartThings Hub is a smart home management device from South Korea's Samsung. video-core HTTP server is one of the HTTP servers.