VARIoT IoT vulnerabilities database

FCN-500 controller is a controller used by Yokogawa Electric (China) Co., Ltd. for industrial control systems. The Yokogawa FCN-500 R4.02 controller has a denial of service vulnerability. The vulnerability stems from the failure of the built-in http service of the controller to check the length of the requested data. Attackers can use this vulnerability to cause a denial of service by constructing a special message. .

FCN-500 controller is a controller used by Yokogawa Electric (China) Co., Ltd. for industrial control systems. A denial of service vulnerability exists in the Yokogawa FCN-500 R4.02 controller telnet service, and an attacker could use this vulnerability to cause a denial of service.

NUUO CMS all versions 3.1 and prior, The application implements a method of user account control that causes standard account security features to not be utilized as intended, which could allow user account compromise and may allow for remote code execution. NUUO CMS Contains vulnerabilities related to authorization, permissions, and access control.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. NUUO CMS is a central software management platform from NUUO. The platform is used to centrally manage NVR (DVR), IP cameras and other devices, and provides user management and alarm management. A remote attacker could exploit the vulnerability to compromise a user's account and possibly execute code. NUUO CMS is prone to multiple remote code-execution and security-bypass vulnerabilities. Failed exploit attempts may result in a denial-of-service condition. NUUO CMS 3.1 and prior are vulnerable

NUUO CMS all versions 3.1 and prior, The application creates default accounts that have hard-coded passwords, which could allow an attacker to gain privileged access. NUUO CMS Contains a vulnerability in the use of hard-coded credentials.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. NUUO CMS is a central software management platform from NUUO. The platform is used to centrally manage NVR (DVR), IP cameras and other devices, and provides user management and alarm management. An attacker could exploit the vulnerability to gain elevated privileges. NUUO CMS is prone to multiple remote code-execution and security-bypass vulnerabilities. Failed exploit attempts may result in a denial-of-service condition. NUUO CMS 3.1 and prior are vulnerable

NUUO CMS all versions 3.1 and prior, The application uses insecure and outdated software components for functionality, which could allow arbitrary code execution. NUUO CMS Contains a code quality vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. NUUO CMS is a central software management platform from NUUO. The platform is used to centrally manage NVR (DVR), IP cameras and other devices, and provides user management and alarm management. An attacker could exploit the vulnerability to execute arbitrary code. NUUO CMS is prone to multiple remote code-execution and security-bypass vulnerabilities. Failed exploit attempts may result in a denial-of-service condition. NUUO CMS 3.1 and prior are vulnerable

NUUO CMS all versions 3.1 and prior, The application uses a session identification mechanism that could allow attackers to obtain the active session ID, which could allow arbitrary remote code execution. NUUO CMS Contains a vulnerability in the use of insufficient random values.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. NUUO CMS is a central software management platform from NUUO. The platform is used to centrally manage NVR (DVR), IP cameras and other devices, and provides user management and alarm management. There is a security hole in the session identification mechanism used in NUUO CMS 3.1 and earlier. A remote attacker could exploit the vulnerability to execute code. NUUO CMS is prone to multiple remote code-execution and security-bypass vulnerabilities. Failed exploit attempts may result in a denial-of-service condition. NUUO CMS 3.1 and prior are vulnerable

On install, Dell Encryption versions prior 10.0.1 and Dell Endpoint Security Suite Enterprise versions prior 2.0.1 will overwrite and manually set the "Minimum Password Length" group policy object to a value of 1 on that device. This allows for users to bypass any existing policy for password length and potentially create insecure password on their device. This value is defined during the installation of the "Encryption Management Agent" or "EMAgent" application. There are no other known values modified. An attacker could exploit this vulnerability to compromise an affected system

An insecure SSHD configuration in Juniper Device Manager (JDM) and host OS on Juniper NFX Series devices may allow remote unauthenticated access if any of the passwords on the system are empty. The affected SSHD configuration has the PermitEmptyPasswords option set to "yes". Affected releases are Juniper Networks Junos OS: 18.1 versions prior to 18.1R4 on NFX Series. Juniper Networks Junos OS Contains an authentication vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. JuniperDeviceManager (JDM) is one of the device management components; hostOS is one of the host operating systems. A security vulnerability exists in JuniperDeviceManager (JDM) and hostOS on the JuniperNFXSeries device. An attacker could exploit the vulnerability for unauthorized remote access. This may aid in further attacks

When F5 BIG-IP 13.0.0-13.1.0.5, 12.1.0-12.1.3.5, 11.6.0-11.6.3.2, or 11.5.1-11.5.6 is processing specially crafted TCP traffic with the Large Receive Offload (LRO) feature enabled, TMM may crash, leading to a failover event. This vulnerability is not exposed unless LRO is enabled, so most affected customers will be on 13.1.x. LRO has been available since 11.4.0 but is not enabled by default until 13.1.0. plural F5 BIG-IP Product Contains a resource management vulnerability.Service operation interruption (DoS) There is a possibility of being put into a state. F5 BIG-IP is an all-in-one network device integrated with network traffic management, application security management, load balancing and other functions from F5 Corporation of the United States. A security vulnerability exists in the F5 BIG-IP. When the Large Receive Offload function is enabled, an attacker can exploit this vulnerability to cause TMM to restart. The following versions are affected: F5 BIG-IP version 13.0.0 to 13.1.0.5, 12.1.0 to 12.1.3.5, 11.6.0 to 11.6.3.2, 11.5.1 to 11.5.6

The QLogic 4Gb Fibre Channel 5.5.2.6.0 and 4/8Gb SAN 7.10.1.20.0 modules for IBM BladeCenter have an undocumented support account with a support password, an undocumented diags account with a diags password, and an undocumented prom account with a prom password. Both QLogic 4Gb Fiber Channel for IBM BladeCenter and QLogic 4/8Gb SAN for IBM BladeCenter are switch modules suitable for IBM BladeCenter from QLogic Corporation of the United States. A security vulnerability exists in QLogic 4Gb Fiber Channel for IBM BladeCenterl version 5.5.2.6.0 and QLogic 4/8Gb SAN for IBM BladeCenter version 7.10.1.20.0. An attacker could exploit this vulnerability to obtain sensitive information

Insufficient access control in driver stack for Intel QuickAssist Technology for Linux before version 4.2 may allow an unprivileged user to potentially disclose information via local access. Intel Has released an update for each product.The expected impact depends on each vulnerability, but can be affected as follows: * Service operation interruption (DoS) * information leak * any WebGL Code execution. Intel QuickAssist Technology for Linux is a data management technology based on the Linux platform of Intel Corporation of the United States. It is mainly used to enhance the security and compression performance of dynamic data and static data in cloud, network, big data and storage applications. A local attacker could exploit this vulnerability to disclose information

Insufficient session validation in the webserver component of the Intel Rapid Web Server 3 may allow an unauthenticated user to potentially disclose information via network access. IntelRapidWebServer is a fast storage server from Intel Corporation of the United States. Webserver is one of the web server components. A security vulnerability exists in the webserver component of the IntelRapidWebServer3 release. An attacker could exploit the vulnerability to gain information by accessing the network

Insufficient input validation in BIOS update utility in Intel NUC FW kits downloaded before May 24, 2018 may allow a privileged user to potentially trigger a denial of service or information disclosure via local access. Intel Has released an update for each product.The expected impact depends on each vulnerability, but can be affected as follows: * Service operation interruption (DoS) * information leak * any WebGL Code execution. Intel NUC FW kits is a mini desktop computer produced by Intel Corporation. The BIOS update utility is one of the BIOS() update utilities. A local attacker could exploit this vulnerability to cause denial of service or information disclosure

Improper password hashing in firmware in Intel Server Board (S7200AP,S7200APR) and Intel Compute Module (HNS7200AP, HNS7200AP) may allow a privileged user to potentially disclose firmware passwords via local access. Intel Server Board is a server motherboard. Compute Module is a computing module. A local attacker could exploit this vulnerability to obtain the firmware password

A vulnerability in the IP next-hop index database in Junos OS 17.3R3 may allow a flood of ARP requests, sent to the management interface, to exhaust the private Internal routing interfaces (IRIs) next-hop limit. Once the IRI next-hop database is full, no further next hops can be learned and existing entries cannot be cleared, leading to a sustained denial of service (DoS) condition. An indicator of compromise for this issue is the report of the following error message: %KERN-4: Nexthop index allocation failed: private index space exhausted This issue only affects the management interface, and does not impact regular transit traffic through the FPCs. This issue also only affects Junos OS 17.3R3. No prior versions of Junos OS are affected by this issue. Affected releases are Juniper Networks Junos OS: 17.3R3. Juniper Networks Junos OS Contains a resource exhaustion vulnerability.Service operation interruption (DoS) There is a possibility of being put into a state. The operating system provides a secure programming interface and Junos SDK. IP next-hop index database is one of the index database components. An attacker can exploit this vulnerability to cause a denial of service by sending a large number of ARP requests to the management interface

Permissions in the driver pack installers for Intel NVMe before version 4.0.0.1007 and Intel RSTe before version 4.7.0.2083 may allow an authenticated user to potentially escalate privilege via local access. Intel NVMe and RSTe Contains vulnerabilities related to authorization, permissions, and access control.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Both Intel NVMe and RSTe are products of Intel Corporation of the United States. Intel NVMe is an open logical device interface specification for accessing non-volatile storage media attached via the PCI Express (PCIe) bus. RSTe is an embedded fast storage software. Driver pack installers is one of the driver installers. A local attacker could exploit this vulnerability to elevate privileges

A Denial of Service vulnerability in J-Web service may allow a remote unauthenticated user to cause Denial of Service which may prevent other users to authenticate or to perform J-Web operations. Affected releases are Juniper Networks Junos OS: 12.1X46 versions prior to 12.1X46-D77 on SRX Series; 12.3 versions prior to 12.3R12-S10; 12.3X48 versions prior to 12.3X48-D60 on SRX Series; 15.1 versions prior to 15.1R7; 15.1F6; 15.1X49 versions prior to 15.1X49-D120 on SRX Series; 15.1X53 versions prior to 15.1X53-D59 on EX2300/EX3400 Series; 15.1X53 versions prior to 15.1X53-D67 on QFX10K Series; 15.1X53 versions prior to 15.1X53-D234 on QFX5200/QFX5110 Series; 15.1X53 versions prior to 15.1X53-D470, 15.1X53-D495 on NFX Series; 16.1 versions prior to 16.1R6; 16.2 versions prior to 16.2R2-S6, 16.2R3; 17.1 versions prior to 17.1R2-S6, 17.1R3; 17.2 versions prior to 17.2R3; 17.3 versions prior to 17.3R2. No other Juniper Networks products or platforms are affected by this issue. Juniper Networks Junos OS Contains an input validation vulnerability.Service operation interruption (DoS) There is a possibility of being put into a state. Juniper Junos is prone to a denial-of-service vulnerability. An attacker may exploit this issue to cause denial-of-service conditions. The operating system provides a secure programming interface and Junos SDK. J-Web service is one of the Web service components

A denial of service vulnerability in the telnetd service on Junos OS allows remote unauthenticated users to cause high CPU usage which may affect system performance. Affected releases are Juniper Networks Junos OS: 12.1X46 versions prior to 12.1X46-D81 on SRX Series; 12.3 versions prior to 12.3R12-S11; 12.3X48 versions prior to 12.3X48-D80 on SRX Series; 15.1 versions prior to 15.1R7; 15.1X49 versions prior to 15.1X49-D150, 15.1X49-D160 on SRX Series; 15.1X53 versions prior to 15.1X53-D59 on EX2300/EX3400 Series; 15.1X53 versions prior to 15.1X53-D68 on QFX10K Series; 15.1X53 versions prior to 15.1X53-D235 on QFX5200/QFX5110 Series; 15.1X53 versions prior to 15.1X53-D495 on NFX Series; 16.1 versions prior to 16.1R4-S12, 16.1R6-S6, 16.1R7; 16.2 versions prior to 16.2R2-S7, 16.2R3; 17.1 versions prior to 17.1R2-S9, 17.1R3; 17.2 versions prior to 17.2R2-S6, 17.2R3; 17.2X75 versions prior to 17.2X75-D100; 17.3 versions prior to 17.3R2-S4, 17.3R3; 17.4 versions prior to 17.4R1-S5, 17.4R2; 18.2X75 versions prior to 18.2X75-D5. Juniper Networks Junos OS Contains a resource exhaustion vulnerability.Service operation interruption (DoS) There is a possibility of being put into a state. Juniper Junos is prone to a denial-of-service vulnerability. An attacker may exploit this issue to cause denial-of-service conditions. Juniper Junos OS is a set of network operating system of Juniper Networks (Juniper Networks) dedicated to the company's hardware systems. The operating system provides a secure programming interface and Junos SDK. telnetd service is one of the remote access service components

An improper input validation weakness in the device control daemon process (dcd) of Juniper Networks Junos OS allows an attacker to cause a Denial of Service to the dcd process and interfaces and connected clients when the Junos device is requesting an IP address for itself. Junos devices are not vulnerable to this issue when not configured to use DHCP. Affected releases are Juniper Networks Junos OS: 12.1X46 versions prior to 12.1X46-D40 on SRX Series; 12.3X48 versions prior to 12.3X48-D20 on SRX Series; 14.1X53 versions prior to 14.1X53-D40 on EX2200/VC, EX3200, EX3300/VC, EX4200, EX4300, EX4550/VC, EX4600, EX6200, EX8200/VC (XRE), QFX3500, QFX3600, QFX5100; 15.1X49 versions prior to 15.1X49-D20 on SRX Series; 15.1X53 versions prior to 15.1X53-D68 on QFX10000 Series; 15.1X53 versions prior to 15.1X53-D235 on QFX5200/QFX5110; 15.1X53 versions prior to 15.1X53-D495 on NFX150, NFX250; 15.1X53 versions prior to 15.1X53-D590 on EX2300/EX3400; 15.1 versions prior to 15.1R7-S2. Juniper Networks Junos OS Contains an input validation vulnerability.Service operation interruption (DoS) There is a possibility of being put into a state. Juniper Junos is prone to a denial-of-service vulnerability. An attacker may exploit this issue to cause denial-of-service conditions. Juniper Junos OS is a set of network operating system of Juniper Networks (Juniper Networks) dedicated to the company's hardware systems. The operating system provides a secure programming interface and Junos SDK

A persistent cross-site scripting vulnerability in the graphical user interface of ScreenOS may allow a remote authenticated user to inject web script or HTML and steal sensitive data and credentials from a web administration session, possibly tricking a follow-on administrative user to perform administrative actions on the device. Affected releases are Juniper Networks ScreenOS 6.3.0 versions prior to 6.3.0r26. Juniper Networks ScreenOS Contains a cross-site scripting vulnerability.Information may be obtained and information may be altered. Juniper ScreenOS is prone to a HTML-injection vulnerability because it fails to sanitize user-supplied input. Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials or control how the site is rendered to the user. Other attacks are also possible