VARIoT IoT vulnerabilities database
| VAR-201808-1006 | CVE-2018-6598 | Orbic Wonder RC555L Vulnerabilities related to authorization, authority, and access control in devices |
CVSS V2: 5.6 CVSS V3: 7.1 Severity: HIGH |
An issue was discovered on Orbic Wonder Orbic/RC555L/RC555L:7.1.2/N2G47H/329100b:user/release-keys devices. Any app co-located on the device can send an intent to factory reset the device programmatically because of com.android.server.MasterClearReceiver. This does not require any user interaction and does not require any permission to perform. A factory reset will remove all user data from the device. This will result in the loss of any data that the user has not backed up or synced externally. This capability to perform a factory reset is not directly available to third-party apps (those that the user installs themselves), although this capability is present in an unprotected component of the Android OS. This vulnerability is not present in Google's Android Open Source Project (AOSP) code. Therefore, it was introduced by Orbic or another entity in the supply chain. Orbic Wonder RC555L devices have vulnerabilities related to authorization, permissions, and access control. This may result in tampering with information and disruption of service operations (DoS). Orbic Wonder is a smartphone product of Orbic, a company in the United States. A security vulnerability exists in Orbic Wonder devices with the build fingerprint Orbic/RC555L/RC555L:7.1.2/N2G47H/329100b:user/release-keys.
| VAR-201808-0239 | CVE-2018-15907 | Technicolor TC8305C Vulnerabilities related to security functions in devices |
CVSS V2: 6.1 CVSS V3: 6.5 Severity: MEDIUM |
Technicolor (formerly RCA) TC8305C devices allow remote attackers to cause a denial of service (networking outage) via a flood of random MAC addresses, as demonstrated by macof. NOTE: this might overlap CVE-2018-15852 and CVE-2018-16310. NOTE: Technicolor denies that the described behavior is a vulnerability and states that Wi-Fi traffic is slowed or stopped only while the devices are exposed to a MAC flooding attack. This has been confirmed through testing against official up-to-date versions. ** Unsettled ** This case has not been confirmed as a vulnerability. Technicolor (formerly RCA) TC8305C devices contain vulnerabilities related to security functions. The vendor has disputed this vulnerability; for details, see the Current Description in NVD: https://nvd.nist.gov/vuln/detail/CVE-2018-15907. This may result in service operation interruption (DoS). The Technicolor TC8305C is a modem from the French Technicolor group. A buffer overflow vulnerability exists in the Technicolor TC8305C. An attacker could exploit the vulnerability to break network connectivity.
| VAR-201808-1005 | CVE-2018-6597 | Alcatel A30 Vulnerabilities related to authorization, authority, and access control in devices |
CVSS V2: 7.2 CVSS V3: 6.8 Severity: MEDIUM |
The Alcatel A30 device with a build fingerprint of TCL/5046G/MICKEY6US:7.0/NRD90M/J63:user/release-keys contains a hidden privilege escalation capability to achieve command execution as the root user. The vendor has made modifications that allow a user with physical access to the device to obtain a root shell via ADB. Modifying the read-only properties by an app running as the system user creates a UNIX domain socket named factory_test that will execute commands as the root user on behalf of processes that have privilege to access it (as per the SELinux rules that the vendor controls). Alcatel A30 devices have vulnerabilities related to authorization, permissions, and access control. This may result in information disclosure, information tampering, and disruption of service operations (DoS). The Alcatel A30 is a smartphone product. A security vulnerability exists in the Alcatel A30 (with build fingerprint TCL/5046G/MICKEY6US:7.0/NRD90M/J63:user/release-keys). An attacker can exploit this vulnerability to execute commands as the root user.
| VAR-201901-0719 | CVE-2018-0665 | Multiple script injection vulnerabilities in multiple Yamaha network devices |
CVSS V2: 5.2 CVSS V3: 6.8 Severity: MEDIUM |
Yamaha routers RT57i Rev.8.00.95 and earlier, RT58i Rev.9.01.51 and earlier, NVR500 Rev.11.00.36 and earlier, and RTX810 Rev.11.01.31 and earlier allow an administrative user to embed arbitrary scripts in the configuration data through a certain form field of the configuration page, which may be executed in another administrative user's web browser. This is a different vulnerability from CVE-2018-0666. The management screen of multiple network devices provided by Yamaha Corporation contains multiple script injection vulnerabilities (CWE-74). The following researchers reported the vulnerabilities to IPA, and JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership: CVE-2018-0665, Hayato Doi of Kanazawa Institute of Technology; CVE-2018-0666, Tomonori Yamamoto of Mitsui Bussan Secure Directions, Inc. In the case where multiple administrators manage an affected device, an administrator with malicious intent may embed an arbitrary script into the management screen. The embedded script may be executed when another administrator logs into the screen. The Yamaha Broadband VoIP Router RT57i and the other listed models are Yamaha Corporation router products. The NVR500 Broadband VoIP Router is a router. A security vulnerability exists in the management interface of several Yamaha products. The following products and versions are affected: Yamaha Corporation FWX120 Firewall Rev.11.03.25 and earlier; NVR500 Broadband VoIP Router Rev.11.00.36 and earlier; RT57i Broadband VoIP Router Rev.8.00.95 and earlier; RT58i Broadband VoIP Router Rev.9.01.51 and earlier; RTX810 Gigabit VPN Router Rev.11.01.33 and earlier.
| VAR-201901-0720 | CVE-2018-0666 | Multiple script injection vulnerabilities in multiple Yamaha network devices |
CVSS V2: 5.2 CVSS V3: 6.8 Severity: MEDIUM |
Yamaha routers RT57i Rev.8.00.95 and earlier, RT58i Rev.9.01.51 and earlier, NVR500 Rev.11.00.36 and earlier, and RTX810 Rev.11.01.31 and earlier allow an administrative user to embed arbitrary scripts in the configuration data through a certain form field of the configuration page, which may be executed in another administrative user's web browser. This is a different vulnerability from CVE-2018-0665. The management screen of multiple network devices provided by Yamaha Corporation contains multiple script injection vulnerabilities (CWE-74). The following researchers reported the vulnerabilities to IPA, and JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership: CVE-2018-0665, Hayato Doi of Kanazawa Institute of Technology; CVE-2018-0666, Tomonori Yamamoto of Mitsui Bussan Secure Directions, Inc. In the case where multiple administrators manage an affected device, an administrator with malicious intent may embed an arbitrary script into the management screen. The embedded script may be executed when another administrator logs into the screen. The Yamaha Broadband VoIP Router RT57i and the other listed models are Yamaha Corporation router products. A security vulnerability exists in the management interface of several Yamaha products.
| VAR-201808-0771 | CVE-2018-16133 | Cybrotech CyBroHttpServer Path traversal vulnerability | Related entries in the VARIoT exploits database: VAR-E-201808-0259 |
CVSS V2: 5.0 CVSS V3: 5.3 Severity: MEDIUM |
Cybrotech CyBroHttpServer 1.0.3 allows Directory Traversal via a ../ in the URI. Cybrotech CyBroHttpServer contains a path traversal vulnerability. Information may be obtained. Cybrotech CyBroHttpServer is a communication server from Cybrotech, UK, for reading and writing CyBro variables by name. An attacker could use the vulnerability in handling '../' sequences to read sensitive information.
| VAR-201808-1009 | CVE-2018-6643 | Infoblox NetMRI Cross-Site Scripting Vulnerability |
CVSS V2: 4.3 CVSS V3: 6.1 Severity: MEDIUM |
Infoblox NetMRI 7.1.1 has Reflected Cross-Site Scripting via the /api/docs/index.php query parameter. Infoblox NetMRI is a network automation product from Infoblox, USA, that provides automated network discovery, switch port management, network change automation, and continuous configuration compliance management for routers, switches, and other network devices. A remote attacker can exploit this vulnerability to inject arbitrary web script or HTML by sending a crafted 'query' parameter to the /api/docs/index.php file.
| VAR-201808-0761 | CVE-2018-12710 | D-Link DIR-601 Vulnerabilities related to certificate and password management | Related entries in the VARIoT exploits database: VAR-E-201808-0147 |
CVSS V2: 2.7 CVSS V3: 8.0 Severity: HIGH |
An issue was discovered on D-Link DIR-601 2.02NA devices. Being local to the network and having only "User" account (which is a low privilege account) access, an attacker can intercept the response from a POST request to obtain "Admin" rights due to the admin password being displayed in XML. D-Link DIR-601 contains vulnerabilities related to certificate and password management. This may result in information disclosure, information tampering, and disruption of service operations (DoS). The D-Link DIR-601 is a wireless router product from D-Link. A security vulnerability exists in D-Link DIR-601 release 2.02NA, which stems from the inclusion of the administrator password in the XML. A local attacker could exploit the vulnerability to gain administrative privileges by hijacking the response to a POST request.
------------------------------------------
[Vulnerability Type]
Insecure Permissions
------------------------------------------
[VulnerabilityType Other]
Privilege Escalation
------------------------------------------
[Vendor of Product]
D-Link
------------------------------------------
[Affected Product Code Base]
DIR-601 - 2.02NA
------------------------------------------
[Attack Type]
Local
------------------------------------------
[Impact Escalation of Privileges]
true
------------------------------------------
[Impact Information Disclosure]
true
------------------------------------------
[Has vendor confirmed or acknowledged the vulnerability?]
true
------------------------------------------
[Discoverer]
Kevin Randall
| VAR-201808-0963 | CVE-2018-7791 | Schneider Electric Modicon M221 Vulnerabilities related to authorization, authority, and access control in products |
CVSS V2: 7.5 CVSS V3: 9.8 Severity: CRITICAL |
A Permissions, Privileges, and Access Control vulnerability exists in Schneider Electric's Modicon M221 product (all references, all versions prior to firmware V1.6.2.0). The vulnerability allows unauthorized users to overwrite the original password with their own password. If an attacker exploits this vulnerability and overwrites the password, the attacker can upload the original program from the PLC. The Modicon M221 is a logic controller from Schneider Electric.
Attackers can exploit these issues to bypass certain security restrictions and perform unauthorized actions; this may aid in launching further attacks
| VAR-201808-0964 | CVE-2018-7792 | Schneider Electric Modicon M221 Password Decoding Vulnerability |
CVSS V2: 5.0 CVSS V3: 7.5 Severity: HIGH |
A Permissions, Privileges, and Access Control vulnerability exists in Schneider Electric's Modicon M221 product (all references, all versions prior to firmware V1.6.2.0). The vulnerability allows unauthorized users to decode the password using a rainbow table. The Modicon M221 is a logic controller from Schneider Electric.
Attackers can exploit these issues to bypass certain security restrictions and perform unauthorized actions; this may aid in launching further attacks
| VAR-201808-0923 | CVE-2018-3908 | Samsung SmartThings Hub STH-ETH-250 In firmware HTTP Request smuggling vulnerability |
CVSS V2: 6.4 CVSS V3: 7.5 Severity: HIGH |
An exploitable vulnerability exists in the REST parser of video-core's HTTP server of the Samsung SmartThings Hub STH-ETH-250, firmware version 0.20.17. The video-core process incorrectly handles pipelined HTTP requests, which allows successive requests to overwrite the previously parsed HTTP method, URL and body. With the implementation of the on_body callback, defined by sub_41734, an attacker can send an HTTP request to trigger this vulnerability. The Samsung SmartThings Hub is a smart home management device from South Korea's Samsung. The video-core HTTP server is one of its HTTP servers.
| VAR-201809-1115 | CVE-2018-7936 | Mate 10 Pro Huawei Vulnerabilities related to security functions in smartphones |
CVSS V2: 4.9 CVSS V3: 4.6 Severity: MEDIUM |
Huawei Mate 10 Pro smartphones with versions before BLA-L29 8.0.0.148(C432) have a Factory Reset Protection (FRP) bypass security vulnerability. When re-configuring the mobile phone using the factory reset protection (FRP) function, an attacker can connect the phone to a PC and send special instructions to install a third-party desktop and disable the boot wizard. As a result, the FRP function is bypassed. Huawei Mate 10 Pro smartphones have vulnerabilities related to security functions. Information may be tampered with. The Huawei Mate 10 Pro is a smartphone product of China's Huawei.
| VAR-201808-0917 | CVE-2018-3895 | Samsung SmartThings Hub STH-ETH-250 Firmware buffer error vulnerability |
CVSS V2: 9.0 CVSS V3: 8.8 Severity: HIGH |
An exploitable buffer overflow vulnerability exists in the /cameras/XXXX/clips handler of video-core's HTTP server of the Samsung SmartThings Hub STH-ETH-250, firmware version 0.20.17. The strncpy call overflows the destination buffer, which has a size of 52 bytes. An attacker can send an arbitrarily long 'endTime' value in order to exploit this vulnerability. An attacker can send an HTTP request to trigger this vulnerability. The Samsung SmartThings Hub STH-ETH-250 firmware contains a buffer error vulnerability. This may result in information disclosure, information tampering, and disruption of service operations (DoS). The Samsung SmartThings Hub is a smart home management device from South Korea's Samsung. The video-core HTTP server is one of its HTTP servers.
| VAR-201808-0894 | CVE-2018-3916 | Samsung SmartThings Hub STH-ETH-250 Firmware buffer error vulnerability |
CVSS V2: 7.2 CVSS V3: 7.8 Severity: HIGH |
An exploitable stack-based buffer overflow vulnerability exists in the retrieval of database fields in the video-core HTTP server of the Samsung SmartThings Hub STH-ETH-250, firmware version 0.20.17. The strcpy call overflows the destination buffer, which has a size of 136 bytes. An attacker can send an arbitrarily long 'directory' value in order to exploit this vulnerability. An attacker can send an HTTP request to trigger this vulnerability. The Samsung SmartThings Hub STH-ETH-250 firmware contains a buffer error vulnerability. This may result in information disclosure, information tampering, and disruption of service operations (DoS). The Samsung SmartThings Hub is a smart home management device from South Korea's Samsung. The video-core HTTP server is one of its HTTP servers.
| VAR-201808-0206 | CVE-2018-15839 | D-Link DIR-615 Device buffer error vulnerability | Related entries in the VARIoT exploits database: VAR-E-201809-0198 |
CVSS V2: 7.5 CVSS V3: 9.8 Severity: CRITICAL |
D-Link DIR-615 devices have a buffer overflow via a long Authorization HTTP header. D-Link DIR-615 devices contain a buffer error vulnerability. This may result in information disclosure, information tampering, and disruption of service operations (DoS). The D-Link DIR-615 is a small wireless router product from D-Link. A buffer overflow vulnerability exists in the D-Link DIR-615. An attacker could exploit the vulnerability with an overlong Authorization HTTP header to take the router offline and cause a network outage.
| VAR-201808-0273 | CVE-2018-15884 | RICOH MP C4504ex Device cross-site request forgery vulnerability |
CVSS V2: 6.8 CVSS V3: 8.8 Severity: HIGH |
RICOH MP C4504ex devices allow HTML Injection via the /web/entry/en/address/adrsSetUserWizard.cgi entryNameIn parameter. RICOH MP C4504ex devices contain a cross-site request forgery vulnerability. This may result in information disclosure, information tampering, and disruption of service operations (DoS). The RICOH MP C4504ex is a multi-function printer produced by Ricoh Corporation of Japan. A cross-site request forgery vulnerability exists in the RICOH MP C4504ex. A remote attacker could exploit this vulnerability to add an administrator account by sending a crafted 'entryNameIn' parameter to the /web/entry/en/address/adrsSetUserWizard.cgi URL.
| VAR-201810-0337 | CVE-2018-0464 | Cisco Data Center Network Manager Path traversal vulnerability in software |
CVSS V2: 5.5 CVSS V3: 8.1 Severity: HIGH |
A vulnerability in Cisco Data Center Network Manager software could allow an authenticated, remote attacker to conduct directory traversal attacks and gain access to sensitive files on the targeted system. The vulnerability is due to improper validation of user requests within the management interface. An attacker could exploit this vulnerability by sending malicious requests containing directory traversal character sequences within the management interface. An exploit could allow the attacker to view or create arbitrary files on the targeted system.
This issue is being tracked by Cisco Bug ID CSCvj86072. Cisco Data Center Network Manager is a management system for Cisco Nexus and MDS series switches that provides storage visualization, configuration and troubleshooting functions.
| VAR-201808-0965 | CVE-2018-7795 | Schneider Electric PowerLogic PM5560 Cross-Site Scripting Vulnerability |
CVSS V2: 4.3 CVSS V3: 6.1 Severity: MEDIUM |
A Cross Protocol Injection vulnerability exists in Schneider Electric's PowerLogic (PM5560 prior to FW version 2.5.4) product. The vulnerability makes the product susceptible to a cross-site scripting attack in the user's web browser. User inputs can be manipulated to cause execution of JavaScript code. Schneider Electric PowerLogic PM5560 contains a cross-site scripting vulnerability. Information may be obtained and information may be altered. The Schneider Electric PowerLogic PM5560 is a versatile power metering device from Schneider Electric, France. A remote attacker can exploit the vulnerability by manipulating input to cause execution of JavaScript code.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks
| VAR-201808-0397 | CVE-2018-14805 | ABB eSOMS Authentication vulnerability |
CVSS V2: 7.5 CVSS V3: 9.8 Severity: CRITICAL |
ABB eSOMS version 6.0.2 may allow unauthorized access to the system when LDAP is set to allow anonymous authentication, and specific key values within the eSOMS web.config file are present. Both conditions are required to exploit this vulnerability. ABB eSOMS contains an authentication vulnerability. This may result in information disclosure, information tampering, and disruption of service operations (DoS). ABB eSOMS is a plant operations management system from ABB of Switzerland.
ABB eSOMS 6.0.2 version has an authorization vulnerability. Attackers can use this vulnerability to gain unauthorized access to the system.
An attacker can exploit this issue to bypass certain security restrictions and perform unauthorized actions; this may aid in launching further attacks
| VAR-201809-1116 | CVE-2018-7937 | Huawei HiRouter-CD20-10 and WS5200-10 Vulnerabilities related to authorization, permissions, and access control |
CVSS V2: 9.3 CVSS V3: 7.8 Severity: HIGH |
In Huawei HiRouter-CD20-10 with versions before 1.9.6 and WS5200-10 with versions before 1.9.6, there is a plug-in signature bypass vulnerability due to insufficient plug-in verification. An attacker may tamper with a legitimate plug-in to build a malicious plug-in and trick users into installing it. Successful exploitation could allow the attacker to obtain root permission on the device and take full control over the device. Huawei HiRouter-CD20-10 and WS5200-10 contain vulnerabilities related to authorization, permissions, and access control. This may result in information disclosure, information tampering, and disruption of service operations (DoS). The Huawei HiRouter-CD20 and WS5200-10 are both home router products released by Huawei.