VARIoT IoT vulnerabilities database

Multiple vulnerabilities in the web-based management interface of Cisco Unified Contact Center Express (Unified CCX) could allow an unauthenticated, remote attacker to conduct cross-site scripting (XSS) attacks against a user of the interface. Cisco Bug IDs: CSCvg70967. Vendors have confirmed this vulnerability Bug ID CSCvg70967 It is released as.Information may be obtained and information may be altered. This component integrates agent application and self-service voice service, and provides functions such as call distribution and customer access control. The vulnerability stems from the program's insufficient validation of user-submitted data

A vulnerability in the CLI of Cisco Policy Suite could allow an authenticated, local attacker to access files owned by another user. The vulnerability is due to insufficient access control permissions (i.e., World-Readable). An attacker could exploit this vulnerability by logging in to the CLI. An exploit could allow the attacker to access potentially sensitive files that are owned by a different user. Cisco Bug IDs: CSCvh18087. Vendors have confirmed this vulnerability Bug ID CSCvh18087 It is released as.Information may be obtained. This solution provides functions such as user-based business rules, real-time management of applications and network resources

A vulnerability in the web upload function of Cisco Cloud Services Platform 2100 could allow an authenticated, remote attacker to obtain restricted shell access on an affected system. The vulnerability is due to insufficient input validation of parameters passed to a specific function within the user interface. An attacker could exploit this vulnerability by injecting code into a function parameter. Cisco Bug IDs: CSCvi12935. Cisco Cloud Services Platform 2100 Contains a buffer error vulnerability. Vendors report this vulnerability Bug IDs: CSCvi12935 Published as.Information is acquired, information is falsified, and denial of service (DoS) May be in a state

Multiple vulnerabilities in the web-based management interface of Cisco Finesse could allow an unauthenticated, remote attacker to conduct a server-side request forgery (SSRF) attack. Cisco Bug IDs: CSCvg71018. Vendors have confirmed this vulnerability Bug ID CSCvg71018 It is released as.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. A successful exploit may allow an attacker to obtain sensitive information, perform certain unauthorized actions and gain access to the affected application. Other attacks are also possible. Cisco Finesse is a set of call center management software developed by Cisco. The software improves call center service quality, improves customer experience, and increases agent satisfaction. A remote attacker can exploit this vulnerability to submit HTTP requests to arbitrary hosts by submitting specially crafted HTTP requests to the Cisco Finesse server

Multiple vulnerabilities in the web-based management interface of Cisco Unified Contact Center Express (Unified CCX) could allow an unauthenticated, remote attacker to retrieve a cleartext password. Cisco Bug IDs: CSCvg71040. Vendors have confirmed this vulnerability Bug ID CSCvg71040 It is released as.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. This component integrates agent application and self-service voice service, and provides functions such as call distribution and customer access control. A remote attacker could exploit this vulnerability by viewing an affected login form to retrieve clear text passwords

Multiple vulnerabilities in the web-based management interface of Cisco Unified Contact Center Express (Unified CCX) could allow an unauthenticated, remote attacker to conduct cross-site scripting (XSS) attacks against a user of the interface. Cisco Bug IDs: CSCvg70904. Vendors have confirmed this vulnerability Bug ID CSCvg70904 It is released as.Information may be obtained and information may be altered. This component integrates agent application and self-service voice service, and provides functions such as call distribution and customer access control. The vulnerability stems from the program's insufficient validation of user-submitted data

A Read-Only User Effect Change vulnerability in the Policy Builder interface of Cisco Policy Suite could allow an authenticated, remote attacker to make policy changes in the Policy Builder interface. The vulnerability is due to insufficient authorization controls. An attacker could exploit this vulnerability by accessing the Policy Builder interface and modifying an HTTP request. A successful exploit could allow the attacker to make changes to existing policies. Cisco Bug IDs: CSCvi35007. Vendors have confirmed this vulnerability Bug ID CSCvi35007 It is released as.Information may be tampered with. Successfully exploiting this issue may allow an attacker to bypass certain security restrictions and perform unauthorized actions. This solution provides functions such as user-based business rules, real-time management of applications and network resources

A vulnerability in the web framework of the Cisco Unified Communications Manager IM and Presence Service software could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against the user of the web interface of an affected system. The vulnerability is due to insufficient input validation of certain parameters passed to the web server. An attacker could exploit this vulnerability by convincing the user to access a malicious link or by intercepting the user request and injecting certain malicious code. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected site or allow the attacker to access sensitive browser-based information. Cisco Bug IDs: CSCve25985. Vendors have confirmed this vulnerability Bug ID CSCve25985 It is released as.Information may be obtained and information may be altered. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks

A vulnerability in the Policy Builder database of Cisco Policy Suite before 18.2.0 could allow an unauthenticated, remote attacker to connect directly to the Policy Builder database. The vulnerability is due to a lack of authentication. An attacker could exploit this vulnerability by connecting directly to the Policy Builder database. A successful exploit could allow the attacker to access and change any data in the Policy Builder database. Cisco Bug IDs: CSCvh06134. Cisco Policy Suite Is vulnerable to a lack of authentication for critical functions. Vendors have confirmed this vulnerability Bug ID CSCvh06134 It is released as.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. An attacker can exploit this issue to bypass authentication mechanism and perform unauthorized actions. This may lead to further attacks. This solution provides functions such as user-based business rules, real-time management of applications and network resources

Multiple vulnerabilities in the web-based management interface of Cisco Unified Contact Center Express (Unified CCX) could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack. Cisco Bug IDs: CSCvg70921. Vendors have confirmed this vulnerability Bug ID CSCvg70921 It is released as.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. This component integrates agent application and self-service voice service, and provides functions such as call distribution and customer access control. A remote attacker could exploit this vulnerability by convincing a user of the interface to open a specially crafted link to download, create, modify, and delete metadata files

Shenzhen Hanglisheng Technology Co., Ltd. has been committed to the research and development, production and sales of industrial automation products since its establishment. The company was formerly a trading company specializing in foreign industrial control products. There is a memory corruption vulnerability in the all-in-one configuration software 2.0 of Shenzhen Hanglisheng Technology Co., Ltd. The vulnerability is due to the failure of HMICreator-V2 to verify the addressability of data in malformed project files. An attacker could use the vulnerability to read an illegal file reference in the project file, causing memory corruption. Successful exploitation of this vulnerability could also result in arbitrary code execution

Fuzhou Fuchang Weikong Electronic Technology Co., Ltd. is a high-tech company specializing in the research, development and sales of products in the field of automation. industry. LeviStudio has a denial of service vulnerability. By constructing a malformed Font.hft file, an attacker can exploit the vulnerability to launch a denial of service attack. The company produces industrial man-machine interfaces and universal PLC And other products used in machinery supporting, metallurgy, chemical, petroleum and other industries

The D-LinkDIR-300 is a wireless router device. D-LinkDIR-300 has a cross-site request forgery vulnerability that allows an attacker to perform unauthorized operations, open remote access, and save settings.

Fuzhou Fuchang Weikong Electronic Technology Co., Ltd. is a technology company engaged in research, development and sales of products in the field of automation. Wecon PLC editor has a memory corruption vulnerability. The vulnerability is due to the need to call Tinyxml.dll when the program parses the project file and fails to parse the xml in the project file correctly. An attacker could exploit the vulnerability to cause memory corruption

A vulnerability in the VPN subsystem configuration in the Cisco SD-WAN Solution could allow an authenticated, remote attacker to inject arbitrary commands that are executed with root privileges. The vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by authenticating to the device and submitting crafted input to the affected parameter in a web page. The attacker must be authenticated to access the affected parameter. A successful exploit could allow the attacker to execute commands with root privileges. This vulnerability affects the following Cisco products if they are running a release of the Cisco SD-WAN Solution prior to Release 18.3.0: vBond Orchestrator Software, vEdge 100 Series Routers, vEdge 1000 Series Routers, vEdge 2000 Series Routers, vEdge 5000 Series Routers, vEdge Cloud Router Platform, vManage Network Management Software, vSmart Controller Software. Cisco Bug IDs: CSCvi69808, CSCvi69810, CSCvi69814, CSCvi69822, CSCvi69827, CSCvi69828, CSCvi69836. Cisco SD-WAN Solution Contains a command injection vulnerability. Vendors report this vulnerability CSCvi69808 , CSCvi69810 , CSCvi69814 , CSCvi69822 , CSCvi69827 , CSCvi69828 ,and CSCvi69836 Published as.Information is acquired, information is falsified, and denial of service (DoS) May be in a state. CiscovBondOrchestratorSoftware and others are products of Cisco. CiscovBondOrchestratorSoftware is a set of secure network extension management software. The vEdge100SeriesRouters is a 100 Series router product. SD-WANSolution is a set of network expansion solutions running in it

A vulnerability in the configuration and monitoring service of the Cisco SD-WAN Solution could allow an authenticated, local attacker to execute arbitrary code with root privileges or cause a denial of service (DoS) condition on an affected device. The vulnerability is due to incomplete bounds checks for data that is provided by the configuration and monitoring service of the affected solution. An attacker could exploit this vulnerability by sending malicious data to the vDaemon listening service on an affected device. A successful exploit could allow the attacker to cause a buffer overflow condition on the affected device, which could allow the attacker to execute arbitrary code with root privileges on the device or cause the vDaemon listening service to reload and result in a DoS condition on the device. This vulnerability affects the following Cisco products if they are running a release of the Cisco SD-WAN Solution prior to Release 18.3.0: vBond Orchestrator Software, vEdge 100 Series Routers, vEdge 1000 Series Routers, vEdge 2000 Series Routers, vEdge 5000 Series Routers, vEdge Cloud Router Platform, vManage Network Management Software, vSmart Controller Software. Cisco Bug IDs: CSCvi70003. Cisco SD-WAN Solution Contains a buffer error vulnerability. Vendors have confirmed this vulnerability Bug ID CSCvi70003 It is released as.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. CiscovBondOrchestratorSoftware and others are products of Cisco. CiscovBondOrchestratorSoftware is a set of secure network extension management software. The vEdge100SeriesRouters is a 100 Series router product. SD-WANSolution is a set of network expansion solutions running in it. Cisco SD-WAN Solution is prone to a local buffer-overflow vulnerability because it fails to adequately bounds-check user-supplied data before copying it to an insufficiently sized memory buffer

A vulnerability in the CLI of the Cisco SD-WAN Solution could allow an authenticated, remote attacker to inject arbitrary commands that are executed with root privileges. The vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by authenticating to the device and submitting malicious input to the load command within the VPN subsystem. The attacker must be authenticated to access the affected CLI parameter. A successful exploit could allow an attacker to execute commands with root privileges. This vulnerability affects the following Cisco products if they are running a release of the Cisco SD-WAN Solution prior to Release 18.3.0: vBond Orchestrator Software, vEdge 100 Series Routers, vEdge 1000 Series Routers, vEdge 2000 Series Routers, vEdge 5000 Series Routers, vEdge Cloud Router Platform, vManage Network Management Software, vSmart Controller Software. Cisco Bug IDs: CSCvi69866. Cisco SD-WAN Solution Contains a command injection vulnerability. Vendors have confirmed this vulnerability Bug ID CSCvi69866 It is released as.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. CiscovBondOrchestratorSoftware and others are products of Cisco. CiscovBondOrchestratorSoftware is a set of secure network extension management software. The vEdge100SeriesRouters is a 100 Series router product. SD-WANSolution is a set of network expansion solutions running in it. A CLI injection vulnerability exists in the CLI in versions prior to Cisco SD-WANSolution 18.3.0, which was caused by the program failing to perform sufficient input validation

A vulnerability in the vManage dashboard for the configuration and management service of the Cisco SD-WAN Solution could allow an authenticated, remote attacker to inject and execute arbitrary commands with vmanage user privileges on an affected system. The vulnerability is due to insufficient input validation of data parameters for certain fields in the affected solution. An attacker could exploit this vulnerability by configuring a malicious username on the login page of the affected solution. A successful exploit could allow the attacker to inject and execute arbitrary commands with vmanage user privileges on an affected system. This vulnerability affects the following Cisco products if they are running a release of the Cisco SD-WAN Solution prior to Release 18.3.0: vBond Orchestrator Software, vEdge 100 Series Routers, vEdge 1000 Series Routers, vEdge 2000 Series Routers, vEdge 5000 Series Routers, vEdge Cloud Router Platform, vManage Network Management Software, vSmart Controller Software. Cisco Bug IDs: CSCvi69974. Cisco SD-WAN Solution Contains a command injection vulnerability. Vendors have confirmed this vulnerability Bug ID CSCvi69974 It is released as.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. CiscovBondOrchestratorSoftware and others are products of Cisco. CiscovBondOrchestratorSoftware is a set of secure network extension management software. The vEdge100SeriesRouters is a 100 Series router product. SD-WANSolution is a set of network expansion solutions running in it

A vulnerability in the Zero Touch Provisioning (ZTP) subsystem of the Cisco SD-WAN Solution could allow an authenticated, local attacker to inject arbitrary commands that are executed with root privileges. The vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by authenticating to the device and submitting malicious input to the affected parameter. The attacker must be authenticated to access the affected parameter. A successful exploit could allow an attacker to execute commands with root privileges. This vulnerability affects the following Cisco products if they are running a release of the Cisco SD-WAN Solution prior to Release 18.3.0: vEdge 100 Series Routers, vEdge 1000 Series Routers, vEdge 2000 Series Routers, vEdge 5000 Series Routers. Cisco Bug IDs: CSCvi69906. Cisco SD-WAN Solution Contains a command injection vulnerability. Vendors have confirmed this vulnerability Bug ID CSCvi69906 It is released as.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. SD-WANSolution is a set of network expansion solutions running in it. A command injection vulnerability exists in the ZeroTouchProvisioning (ZTP) subsystem in versions prior to Cisco SD-WANSolution 18.3.0, which stems from a program failing to perform input validation. Cisco SD-WAN is prone to a local command-injection vulnerability

A vulnerability in the command-line tcpdump utility in the Cisco SD-WAN Solution could allow an authenticated, local attacker to inject arbitrary commands that are executed with root privileges. The vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by authenticating to the device and submitting crafted input to the tcpdump utility. The attacker must be authenticated to access the tcpdump utility. A successful exploit could allow the attacker to execute commands with root privileges. This vulnerability affects the following Cisco products if they are running a release of the Cisco SD-WAN Solution prior to Release 18.3.0: vBond Orchestrator Software, vEdge 100 Series Routers, vEdge 1000 Series Routers, vEdge 2000 Series Routers, vEdge 5000 Series Routers, vEdge Cloud Router Platform, vManage Network Management Software, vSmart Controller Software. Cisco Bug IDs: CSCvi69751. Cisco SD-WAN Solution Contains a command injection vulnerability. Vendors have confirmed this vulnerability Bug ID CSCvi69751 It is released as.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. CiscovBondOrchestratorSoftware and others are products of Cisco. CiscovBondOrchestratorSoftware is a set of secure network extension management software. The vEdge100SeriesRouters is a 100 Series router product. SD-WANSolution is a set of network expansion solutions running in it. Cisco SD-WAN is prone to a local command-injection vulnerability