VARIoT IoT vulnerabilities database

On F5 BIG-IP 13.0.0-13.1.1.1 and 12.1.0-12.1.3.6, there is a reflected Cross Site Scripting (XSS) vulnerability in an undisclosed Configuration Utility page. F5 BIG-IP Contains a cross-site scripting vulnerability.Information may be obtained and information may be altered. F5 BIG-IP is an application delivery platform integrated with network traffic management, application security management, load balancing and other functions of the US company F5. The vulnerability stems from the lack of correct validation of client data in WEB applications. An attacker could exploit this vulnerability to execute client code

The SV3C HD Camera (L-SERIES V2.3.4.2103-S50-NTD-B20170508B and V2.3.4.2103-S50-NTD-B20170823B) stores the username and password within the cookies of a session. If an attacker gained access to these session cookies, it would be possible to gain access to the username and password of the logged-in account. SV3CL-SERIESHDCAMERA is a network camera product of China SV3C Technology Corporation. A security vulnerability exists in the SV3CL-SERIESHDCAMERAV2.3.4.2103-S50-NTD-B20170508B and V2.3.4.2103-S50-NTD-B20170823B versions, which are caused by the program passing sensitive information in clear text. There is a security vulnerability in SV3C L-SERIES HD CAMERA V2.3.4.2103-S50-NTD-B20170508B and V2.3.4.2103-S50-NTD-B20170823B

On F5 BIG-IP 13.0.0-13.1.1.1 and 12.1.0-12.1.3.6, a reflected Cross-Site Scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility that allows an authenticated user to execute JavaScript for the currently logged-in user. F5 BIG-IP Contains a cross-site scripting vulnerability.Information may be obtained and information may be altered. F5BIG-IP is an all-in-one network device that integrates network traffic management, application security management, load balancing and other functions

SV3C L-SERIES HD CAMERA V2.3.4.2103-S50-NTD-B20170508B and V2.3.4.2103-S50-NTD-B20170823B devices allow remote authenticated users to reset arbitrary accounts via a request to web/cgi-bin/hi3510/param.cgi. SV3C L-SERIES HD CAMERA The device contains an authorization vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. SV3C L-SERIES HD CAMERA is a network camera product of China SV3C Technology Company. There are security vulnerabilities in SV3C L-SERIES HD CAMERA versions 2.3.4.2103-S50-NTD-B20170508B and 2.3.4.2103-S50-NTD-B20170823B

User Privilege Escalation in Moxa ThingsPro IIoT Gateway and Device Management Software Solutions version 2.1. There are security vulnerabilities in Moxa ThingsPro version 2.1. A remote attacker could use this vulnerability to gain higher permissions

Password Management Issue in Moxa ThingsPro IIoT Gateway and Device Management Software Solutions version 2.1. There are security vulnerabilities in Moxa ThingsPro version 2.1. A remote attacker could use this vulnerability to change a user's password

User Enumeration in Moxa ThingsPro IIoT Gateway and Device Management Software Solutions version 2.1. There are security vulnerabilities in Moxa ThingsPro version 2.1. A remote attacker could exploit this vulnerability to obtain a valid user password by implementing a brute-force attack

Privilege Escalation via Broken Access Control in Moxa ThingsPro IIoT Gateway and Device Management Software Solutions version 2.1. There are security vulnerabilities in Moxa ThingsPro version 2.1. A remote attacker could use this vulnerability to elevate privileges

Sensitive Information Stored in Clear Text in Moxa ThingsPro IIoT Gateway and Device Management Software Solutions version 2.1. An attacker could use this vulnerability to recover an access token

Remote Code Execution in Moxa ThingsPro IIoT Gateway and Device Management Software Solutions version 2.1. There are security vulnerabilities in Moxa ThingsPro version 2.1. A remote attacker could exploit this vulnerability to execute arbitrary code by injecting a command string

SV3C L-SERIES HD CAMERA V2.3.4.2103-S50-NTD-B20170508B and V2.3.4.2103-S50-NTD-B20170823B devices allow OS Command Injection. SV3C L-SERIES HD CAMERA The device includes OS A command injection vulnerability exists.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. SV3CL-SERIESHDCAMERA is a network camera product of China SV3C Technology Corporation. An operating system command injection vulnerability exists in the SV3CL-SERIESHDCAMERAV2.3.4.2103-S50-NTD-B20170508B and V2.3.4.2103-S50-NTD-B20170823B versions due to the program's failure to detect user input. An attacker could exploit this vulnerability to execute arbitrary commands on an affected system

SV3C L-SERIES HD CAMERA V2.3.4.2103-S50-NTD-B20170508B and V2.3.4.2103-S50-NTD-B20170823B devices have a Hard-coded Password. SV3C L-SERIES HD CAMERA The device contains a vulnerability related to the use of hard-coded credentials.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. SV3C L-SERIES HD CAMERA is a network camera product of China SV3C Technology Company. There is a security vulnerability in SV3C L-SERIES HD CAMERA version 2.3.4.2103-S50-NTD-B20170508B and version 2.3.4.2103-S50-NTD-B20170823B. The vulnerability is due to the use of hard-coded passwords in the program. A remote attacker could exploit this vulnerability to gain root privileges on an affected device

Hidden Token Access in Moxa ThingsPro IIoT Gateway and Device Management Software Solutions version 2.1. There are security vulnerabilities in Moxa ThingsPro version 2.1. A remote attacker could exploit this vulnerability with the help of a hidden API token to gain root privileges and execute arbitrary code

On F5 BIG-IP AFM 13.0.0-13.1.1.1 and 12.1.0-12.1.3.6, there is a Reflected Cross Site Scripting vulnerability in undisclosed TMUI page. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks. F5 BIG-IP AFM is an advanced firewall product used to protect against DDos attacks from F5 Corporation of the United States. A remote attacker can exploit this vulnerability to inject arbitrary web script or HTML

On F5 BIG-IP AFM 13.0.0-13.1.1.1 and 12.1.0-12.1.3.6, there is a Reflected Cross Site Scripting vulnerability in undisclosed TMUI page. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks. F5 BIG-IP AFM is an advanced firewall product used to protect against DDos attacks from F5 Corporation of the United States. A remote attacker can exploit this vulnerability to inject arbitrary web script or HTML

MSTAR is a set top box. There is a command injection vulnerability in MSTARSet-TopBOX. An attacker can exploit the vulnerability to execute arbitrary commands.

IBM FlashSystem 900 product GUI allows a specially crafted attack to bypass the authentication requirements of the system, resulting in the ability to remotely change the superuser password. This can be used by an attacker to gain administrative control or to deny service. IBM X-Force ID: 150296. IBM FlashSystem 900 The product contains authentication vulnerabilities. Vendors have confirmed this vulnerability IBM X-Force ID: 150296 It is released as.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. are all enterprise-level storage solutions of IBM Corporation in the United States. The solution provides a full set of disaster recovery tools (including snapshot, clone and replication) to protect data security and use IBM Virtual Storage Center to realize virtualization configuration and performance management. GUI is one of the Graphical User Interfaces. The following products are affected: IBM FlashSystem 840 MTMs 9840-AE1; FlashSystem 840 MTMs 9843-AE1; FlashSystem 900 MTMs 9840-AE2; FlashSystem 900 MTMs 9840-AE29843-AE2

In F5 BIG-IP APM 13.0.0-13.1.1.1, APM Client 7.1.5-7.1.6, and/or Edge Client 7101-7160, the BIG-IP APM Edge Client component loads the policy library with user permission and bypassing the endpoint checks. Multiple F5 BIG-IP Products are prone to a security-bypass vulnerability. An attacker can exploit this issue to bypass certain security restrictions and perform unauthorized actions; this may aid in launching further attacks. Edge Client is an integrated remote access client used in BIG-IP solutions. A local attacker could exploit this vulnerability to bypass endpoint detection

When processing project files in Omron CX-Supervisor Versions 3.4.1.0 and prior and tampering with the value of an offset, an attacker can force the application to read a value outside of an array. Provided by OMRON Corporation CX-Supervisor Contains the following multiple vulnerabilities: * * Buffer overflow (CWE-119) - CVE-2018-17905 Processing a specially crafted project file causes memory corruption * * Read out of bounds (CWE-125) - CVE-2018-17907  Reading out-of-array values by processing a specially crafted project file * * Use of freed memory (Use-after-free) (CWE-416) - CVE-2018-17909 Processing arbitrary crafted project files results in arbitrary code execution * * Bad type conversion or cast (Incorrect Type Conversion or Cast) (CWE-704) - CVE-2018-17913 Processing arbitrary crafted project files results in arbitrary code executionA remote attacker could execute arbitrary code. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of OMRON CX-Supervisor. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists within the handling of SCS files. By manipulating a document's elements an attacker can trigger a read past the end of an allocated object. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of the current process. The Omron CX-Supervisor is a visual machine controller from Omron, Japan. Omron CX-Supervisor is prone to the following security vulnerabilities: 1. Multiple remote code-execution vulnerabilities 2. A memory-corruption vulnerability 3

When processing project files in Omron CX-Supervisor Versions 3.4.1.0 and prior and tampering with a specific byte, memory corruption may occur within a specific object. Provided by OMRON Corporation CX-Supervisor Contains the following multiple vulnerabilities: * * Buffer overflow (CWE-119) - CVE-2018-17905 Processing a specially crafted project file causes memory corruption * * Read out of bounds (CWE-125) - CVE-2018-17907  Reading out-of-array values by processing a specially crafted project file * * Use of freed memory (Use-after-free) (CWE-416) - CVE-2018-17909 Processing arbitrary crafted project files results in arbitrary code execution * * Bad type conversion or cast (Incorrect Type Conversion or Cast) (CWE-704) - CVE-2018-17913 Processing arbitrary crafted project files results in arbitrary code executionA remote attacker could execute arbitrary code. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of OMRON CX-Supervisor. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The issue results from the lack of proper validation of user-supplied data, which can result in a memory corruption condition. An attacker can leverage this vulnerability to execute code in the context of the current process. Omron CX-Supervisor is prone to the following security vulnerabilities: 1. Multiple remote code-execution vulnerabilities 2. A memory-corruption vulnerability 3. Omron CX-Supervisor is a visual machine controller produced by Omron Corporation of Japan. A buffer error vulnerability exists in Omron CX-Supervisor 3.4.1.0 and earlier