VARIoT IoT vulnerabilities database

VAR-201707-0991 | CVE-2017-7919 | Newport XPS-Cx and XPS-Qx authentication bypass vulnerability |
CVSS V2: 7.5 CVSS V3: 9.8 Severity: CRITICAL |
An Improper Authentication issue was discovered in Newport XPS-Cx and XPS-Qx. An attacker may bypass authentication by accessing a specific uniform resource locator (URL). Newport XPS-Cx is a device controller from Newport (USA); XPS-Qx is another version of it. Both contain an authorization flaw that may enable further attacks.
All versions of XPS-Cx and XPS-Qx are vulnerable.
VAR-201705-3742 | CVE-2017-7923 | Multiple Hikvision products: information disclosure vulnerability |
CVSS V2: 4.0 CVSS V3: 8.8 Severity: HIGH |
A Password in Configuration File issue was discovered in Hikvision DS-2CD2xx2F-I Series V5.2.0 build 140721 to V5.4.0 build 160530, DS-2CD2xx0F-I Series V5.2.0 build 140721 to V5.4.0 Build 160401, DS-2CD2xx2FWD Series V5.3.1 build 150410 to V5.4.4 Build 161125, DS-2CD4x2xFWD Series V5.2.0 build 140721 to V5.4.0 Build 160414, DS-2CD4xx5 Series V5.2.0 build 140721 to V5.4.0 Build 160421, DS-2DFx Series V5.2.0 build 140805 to V5.4.5 Build 160928, and DS-2CD63xx Series V5.0.9 build 140305 to V5.3.5 Build 160106 devices. The password in configuration file vulnerability could allow a malicious user to escalate privileges or assume the identity of another user and access sensitive information. Information may be obtained or altered, and service operation may be disrupted (DoS). The DS-2CD2xx2F-I Series and the other listed models are network camera products of Hikvision (China). These cameras are prone to an information-disclosure vulnerability and an authentication-bypass vulnerability; other attacks are also possible.
VAR-201705-3743 | CVE-2017-7925 | Multiple Dahua products: vulnerabilities related to authorization, permissions, and access control |
CVSS V2: 5.0 CVSS V3: 9.8 Severity: CRITICAL |
A Password in Configuration File issue was discovered in Dahua DH-IPC-HDBW23A0RN-ZS, DH-IPC-HDBW13A0SN, DH-IPC-HDW1XXX, DH-IPC-HDW2XXX, DH-IPC-HDW4XXX, DH-IPC-HFW1XXX, DH-IPC-HFW2XXX, DH-IPC-HFW4XXX, DH-SD6CXX, DH-NVR1XXX, DH-HCVR4XXX, DH-HCVR5XXX, DHI-HCVR51A04HE-S3, DHI-HCVR51A08HE-S3, and DHI-HCVR58A32S-S2 devices. The password in configuration file vulnerability could lead to a malicious user assuming the identity of a privileged user and gaining access to sensitive information. Information may be obtained or altered, and service operation may be disrupted (DoS). DH-IPC-HDBW23A0RN-ZS and the other listed models are camera and video recorder products of Dahua (China). They are prone to an authentication-bypass vulnerability and an information-disclosure vulnerability.
Attackers may exploit these issues to gain unauthorized access to restricted content by bypassing intended security restrictions, or to obtain sensitive information that may aid in launching further attacks.
VAR-201705-3744 | CVE-2017-7927 | Multiple Dahua products: authentication vulnerability (password hash used in place of password) |
CVSS V2: 7.5 CVSS V3: 7.3 Severity: HIGH |
Multiple Dahua products contain an authentication vulnerability classified as use of hard-coded credentials: the devices accept the password hash, rather than the password itself, as the authentication credential. An attacker who has obtained the hash can therefore authenticate without knowing the password, bypassing intended security restrictions and gaining unauthorized access to restricted content. Information may be obtained or altered, and service operation may be disrupted (DoS). DH-IPC-HDBW23A0RN-ZS and the other listed models are camera and video recorder products of Dahua (China). The following products are affected: Dahua DH-IPC-HDBW23A0RN-ZS; DH-IPC-HDBW13A0SN; DH-IPC-HDW1XXX; DH-IPC-HDW2XXX; DH-IPC-HDW4XXX; DH-IPC-HFW4XXX; DH-SD6CXX; DH-NVR1XXX; DH-HCVR4XXX; DH-HCVR5XXX; DHI-HCVR51A04HE-S3; DHI-HCVR51A08HE-S3;
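To make the hash-as-credential weakness concrete, here is an added Python model (not Dahua's code or protocol; the storage formats, hash algorithms and iteration count are assumptions for illustration). It contrasts a server that accepts the stored hash as the login credential with one that requires the password and stores only a salted verifier, and it ties in the configuration-file disclosure described for CVE-2017-7925 above: once the stored value is readable, the two designs differ in whether reading it is enough to log in.

```python
import hashlib
import hmac
import os

# ---------------------------------------------------------------------------
# Weak design (illustrative model, not vendor code): the client transmits
# H(password) and the server stores H(password).  The stored value *is*
# the credential, so anyone who can read it (for example from a
# configuration file served without authentication) logs in without
# ever knowing the password.
# ---------------------------------------------------------------------------
def weak_enroll(password: str) -> str:
    """Store an unsalted fast hash of the password (assumed: MD5)."""
    return hashlib.md5(password.encode()).hexdigest()

def weak_client_credential(password: str) -> str:
    """What a legitimate client sends: the same unsalted hash."""
    return hashlib.md5(password.encode()).hexdigest()

def weak_login(stored: str, presented: str) -> bool:
    """Server compares what was sent to what is stored; a leaked stored
    value passes this check exactly like the real password would."""
    return hmac.compare_digest(stored, presented)

# ---------------------------------------------------------------------------
# Hardened design: the client sends the password itself (over TLS) and the
# server stores a salted, slow verifier.  The verifier cannot be replayed
# as a credential; a leak only enables offline guessing against a slow
# hash.  Record format and iteration count are assumptions for this example.
# ---------------------------------------------------------------------------
ITERATIONS = 100_000

def enroll(password: str) -> str:
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"

def login(stored: str, password: str) -> bool:
    try:
        scheme, iters, salt_hex, digest_hex = stored.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        salt = bytes.fromhex(salt_hex)
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, int(iters))
    except ValueError:          # malformed record, bad hex or bad iteration count
        return False
    return hmac.compare_digest(candidate.hex(), digest_hex)

def demo(password: str = "camera-admin-pw") -> dict:
    """Constructed scenario: an attacker has read the stored credential out
    of a configuration file and replays it unchanged as the login value."""
    weak_stored = weak_enroll(password)
    good_stored = enroll(password)
    return {
        "weak_legit_user": weak_login(weak_stored, weak_client_credential(password)),
        "weak_replayed_hash": weak_login(weak_stored, weak_stored),        # attacker succeeds
        "hardened_legit_user": login(good_stored, password),
        "hardened_replayed_verifier": login(good_stored, good_stored),    # attacker fails
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'login OK' if ok else 'rejected'}")
```

The hardened scheme does not remove the need to fix the disclosure itself: the password must travel to the server, so the channel has to be TLS, and a leaked verifier still permits offline guessing, which is why the hash is salted and deliberately slow. On a device where the configuration file was already exposed, the password also needs to be rotated.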
VAR-201704-0901 | CVE-2017-2152 | WNC01WH vulnerable to OS command injection |
CVSS V2: 5.2 CVSS V3: 6.8 Severity: MEDIUM |
WNC01WH firmware 1.0.0.9 and earlier allows authenticated attackers to execute arbitrary OS commands via unspecified vectors. WNC01WH, provided by BUFFALO INC., is a network camera. WNC01WH contains an OS command injection vulnerability (CWE-78). Kiyotaka ATSUMI of LAC Co., Ltd. reported this vulnerability to IPA. An authenticated attacker can use it to perform command injection attacks against Buffalo WNC01WH devices running firmware version 1.0.0.9 or earlier.
VAR-201709-1102 | CVE-2017-7974 | Schneider Electric U.motion Builder Software Path traversal vulnerability |
CVSS V2: 7.5 CVSS V3: 9.8 Severity: CRITICAL |
A path traversal information disclosure vulnerability exists in Schneider Electric's U.motion Builder software versions 1.2.1 and prior, in which an unauthenticated user can execute arbitrary code and exfiltrate files. Authentication is not required to exploit this vulnerability. The specific flaw exists within the runscript.php applet: the 's' parameter is not sanitized against directory traversal sequences, so an attacker can use it to disclose files from the system. U.motion Builder is a Schneider Electric (France) product. U.motion Builder is prone to multiple security vulnerabilities:
1. An SQL-injection vulnerability
2. A directory-traversal vulnerability
3. An authentication-bypass vulnerability
4. An information-disclosure vulnerability
5. A local code-execution vulnerability
6. A local denial-of-service vulnerability
7. An information-disclosure vulnerability
Exploiting these issues could allow an attacker to compromise the application, access or modify data, exploit latent vulnerabilities in the underlying database, bypass the authentication mechanism, obtain sensitive information, execute arbitrary code and perform unauthorized actions. Failed exploits can result in a denial-of-service condition.
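The 's' parameter flaw above is a directory traversal. The following added Python example (not U.motion Builder code; the base directory, the allowed suffix list and the sample inputs are assumptions constructed for this example) shows the unsafe concatenation beside a confinement check that decodes, normalizes and verifies the result stays under the script directory, and runs both over a few crafted values.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

SCRIPT_DIR = "/var/www/app/scripts"   # assumed base directory for this example
ALLOWED_SUFFIXES = (".php",)          # assumed allowlist of script types

def unsafe_script_path(s: str) -> str:
    """Vulnerable pattern: user input joined onto the base directory with
    no normalisation and no containment check."""
    return SCRIPT_DIR + "/" + s

def unsafe_effective_path(s: str) -> str:
    """What the OS actually opens for the vulnerable pattern once '..'
    segments are resolved."""
    return posixpath.normpath(unsafe_script_path(s))

def safe_script_path(s: str, base: str = SCRIPT_DIR,
                     allowed_suffixes=ALLOWED_SUFFIXES) -> Optional[str]:
    """Return the confined absolute path, or None if the input escapes `base`.

    Steps: decode percent-encoding twice (catches %252e double encoding),
    reject NUL and backslashes, strip a leading '/' so absolute input cannot
    replace the base, normalise '.' and '..' lexically, then require the
    result to lie strictly inside `base` and to carry an allowed suffix.
    """
    base = posixpath.normpath(base)
    decoded = unquote(unquote(s))
    if "\x00" in decoded or "\\" in decoded:
        return None
    candidate = posixpath.normpath(posixpath.join(base, decoded.lstrip("/")))
    if not candidate.startswith(base + "/"):
        return None
    if not candidate.endswith(allowed_suffixes):
        return None
    return candidate

# Constructed inputs: benign names, plain traversal, encoded and
# double-encoded traversal, and a NUL-byte truncation attempt.
CONSTRUCTED_INPUTS = [
    "report.php",
    "sub/../report.php",
    "/other.php",
    "../../../../etc/passwd",
    "..%2F..%2F..%2F..%2Fetc%2Fpasswd",
    "%252e%252e%252fetc%252fpasswd",
    "report.php%00.txt",
]

def classify(inputs=CONSTRUCTED_INPUTS) -> dict:
    """Map each input to the confined path, or None when it is rejected."""
    return {s: safe_script_path(s) for s in inputs}

if __name__ == "__main__":
    for s, result in classify().items():
        print(f"{s!r:40} unsafe -> {unsafe_effective_path(s):35} safe -> {result}")
```

The check is lexical on purpose: it does not touch the filesystem, so it cannot be confused by symlinks inside the base directory, but that also means a symlink planted under the script directory is a separate concern to audit. On a Windows host the separator handling would need to cover backslashes as well as rejecting them.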
VAR-201709-1101 | CVE-2017-7973 | Schneider Electric U.motion Builder Software SQL injection vulnerability |
CVSS V2: 7.5 CVSS V3: 9.8 Severity: CRITICAL |
A SQL injection vulnerability exists in Schneider Electric's U.motion Builder software versions 1.2.1 and prior, in which an unauthenticated user can use calls to various paths to perform arbitrary SQL commands against the underlying database. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of U.motion Builder; authentication is not required. The specific flaw exists within the processing of applets exposed on the web service. The underlying SQLite query that determines whether a user is logged in is subject to SQL injection through the loginSeed parameter, which can be supplied in the HTTP cookie of the request. A remote attacker can leverage this to execute arbitrary commands against the database. U.motion Builder is a Schneider Electric (France) product. U.motion Builder is prone to multiple security vulnerabilities:
1. An SQL-injection vulnerability
2. A directory-traversal vulnerability
3. An authentication-bypass vulnerability
4. An information-disclosure vulnerability
5. A local code-execution vulnerability
6. A local denial-of-service vulnerability
7. An information-disclosure vulnerability
Exploiting these issues could allow an attacker to compromise the application, access or modify data, exploit latent vulnerabilities in the underlying database, bypass the authentication mechanism, obtain sensitive information, execute arbitrary code and perform unauthorized actions. Failed exploits can result in a denial-of-service condition.
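As an added illustration of the loginSeed issue (example code, not U.motion Builder's own; the table layout, the cookie format and the session value are constructed for this example), the following Python builds an in-memory SQLite session table and contrasts a string-formatted "is this user logged in" check with a parameterized one against a crafted Cookie header.

```python
import sqlite3
from typing import Optional
from urllib.parse import unquote

def build_session_db() -> sqlite3.Connection:
    """Constructed session table: one valid seed that belongs to 'admin'."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE sessions (login_seed TEXT PRIMARY KEY, username TEXT NOT NULL)"
    )
    conn.execute("INSERT INTO sessions VALUES ('7f3a9c1e', 'admin')")
    conn.commit()
    return conn

def login_seed_from_cookie(cookie_header: str) -> Optional[str]:
    """Pull loginSeed out of a raw Cookie header value and URL-decode it."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "loginSeed":
            return unquote(value)
    return None

def logged_in_user_vulnerable(conn: sqlite3.Connection, cookie_header: str) -> Optional[str]:
    """Vulnerable pattern: the cookie value is spliced into the SQL text, so a
    quote in the seed changes the query instead of being compared as data."""
    seed = login_seed_from_cookie(cookie_header)
    if seed is None:
        return None
    sql = "SELECT username FROM sessions WHERE login_seed = '%s'" % seed
    row = conn.execute(sql).fetchone()
    return row[0] if row else None

def logged_in_user_fixed(conn: sqlite3.Connection, cookie_header: str) -> Optional[str]:
    """Fixed pattern: bound parameter; the seed is only ever data."""
    seed = login_seed_from_cookie(cookie_header)
    if seed is None:
        return None
    row = conn.execute(
        "SELECT username FROM sessions WHERE login_seed = ?", (seed,)
    ).fetchone()
    return row[0] if row else None

# Constructed cookies.  The injected seed decodes to  x' OR '1'='1  which turns
# the WHERE clause into a tautology; '=' is percent-encoded so the cookie
# parser above still splits name from value correctly.
VALID_COOKIE = "loginSeed=7f3a9c1e"
INJECTED_COOKIE = "loginSeed=x'%20OR%20'1'%3D'1"

def demo() -> dict:
    conn = build_session_db()
    return {
        "vulnerable_valid": logged_in_user_vulnerable(conn, VALID_COOKIE),
        "vulnerable_injected": logged_in_user_vulnerable(conn, INJECTED_COOKIE),
        "fixed_valid": logged_in_user_fixed(conn, VALID_COOKIE),
        "fixed_injected": logged_in_user_fixed(conn, INJECTED_COOKIE),
    }

if __name__ == "__main__":
    for check, user in demo().items():
        print(f"{check}: {user!r}")
```

Note that no stacked query is needed: because the query's only job is to decide whether a session exists, a single always-true clause is enough to make the first row (here the admin session) come back, which is exactly why an injection in a login check becomes an authentication bypass rather than just a data leak.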
VAR-201709-1099 | CVE-2017-7971 | Schneider Electric's PowerSCADA Anywhere and Citect Anywhere Vulnerabilities related to certificate validation |
CVSS V2: 4.0 CVSS V3: 6.5 Severity: MEDIUM |
A vulnerability exists in Schneider Electric's PowerSCADA Anywhere v1.0 redistributed with PowerSCADA Expert v8.1 and PowerSCADA Expert v8.2 and Citect Anywhere version 1.0 that allows the use of outdated cipher suites and improper verification of the peer SSL certificate. Schneider Electric's PowerSCADA Anywhere and Citect Anywhere contain a certificate validation vulnerability; information may be obtained. PowerSCADA Anywhere is SCADA and power monitoring software. Citect is industrial automation operation and monitoring software. Because the software permits outdated cipher suites and does not correctly verify the peer's SSL certificate, an attacker could perform a man-in-the-middle attack or impersonate a trusted server. Schneider Electric PowerSCADA Anywhere and Citect Anywhere are prone to the following security vulnerabilities:
1. A cross-site request-forgery vulnerability
2. An information-disclosure vulnerability
3. Multiple security-bypass vulnerabilities
Exploiting these issues could allow an attacker to obtain sensitive information, bypass certain security restrictions, perform unauthorized actions, or gain access to the affected system.
Following products and versions are vulnerable:
PowerSCADA Anywhere 1.0 redistributed with PowerSCADA Expert 8.1 and PowerSCADA Expert 8.2
Citect Anywhere 1.0
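To show what "outdated cipher suites and improper verification of the peer SSL certificate" looks like in a client configuration, here is an added Python example (not Schneider's code; the cipher string and the list of weak-suite name markers are choices made for this example). It builds a weak ssl.SSLContext beside a hardened one and audits both without opening a connection, so it can be run offline against any context an application constructs.

```python
import ssl
from typing import List

# Substrings of OpenSSL cipher names that a client should not offer.  The
# marker list is a judgement call for this example, not an exhaustive standard.
WEAK_CIPHER_MARKERS = ("RC4", "DES", "MD5", "NULL", "EXP", "ADH", "AECDH")

def audit_tls_client_context(ctx: ssl.SSLContext) -> List[str]:
    """Return human-readable findings for a client-side TLS context; an empty
    list means certificate checking, protocol floor and cipher list all pass."""
    findings: List[str] = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate not verified (verify_mode is not CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("hostname not matched against the certificate (check_hostname is False)")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol versions below TLS 1.2 are allowed")
    weak = sorted({c["name"] for c in ctx.get_ciphers()
                   if any(m in c["name"].upper() for m in WEAK_CIPHER_MARKERS)})
    if weak:
        findings.append("outdated cipher suites enabled: " + ", ".join(weak))
    return findings

def legacy_client_context() -> ssl.SSLContext:
    """The weak setting: trust any server, any name, old protocol floor.
    (check_hostname must be cleared before verify_mode can be CERT_NONE.)"""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = ssl.TLSVersion.TLSv1   # refused by some OpenSSL builds
    except (ValueError, ssl.SSLError):
        pass
    return ctx

def hardened_client_context(cafile: str = None) -> ssl.SSLContext:
    """The corrected setting: CA-verified peer, hostname check, TLS 1.2 floor
    and a forward-secret AEAD cipher list (string chosen for this example)."""
    ctx = ssl.create_default_context(cafile=cafile)   # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM")
    return ctx

if __name__ == "__main__":
    for label, ctx in (("legacy", legacy_client_context()),
                       ("hardened", hardened_client_context())):
        issues = audit_tls_client_context(ctx)
        print(f"{label}: {'OK' if not issues else ''}")
        for issue in issues:
            print("  -", issue)
```

With verify_mode at CERT_NONE the client completes a handshake with whatever certificate the other end presents, which is precisely the condition that lets an on-path attacker impersonate the Secure Gateway; the hostname check matters separately, because a valid certificate for the wrong name is still the wrong server.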
VAR-201709-1100 | CVE-2017-7972 | Schneider Electric's PowerSCADA Anywhere and Citect Anywhere Vulnerabilities related to authorization, permissions, and access control |
CVSS V2: 5.2 CVSS V3: 5.5 Severity: MEDIUM |
A vulnerability exists in Schneider Electric's PowerSCADA Anywhere v1.0 redistributed with PowerSCADA Expert v8.1 and PowerSCADA Expert v8.2 and Citect Anywhere version 1.0 that allows the ability to escape out of remote PowerSCADA Anywhere applications and launch other processes. Schneider Electric's PowerSCADA Anywhere and Citect Anywhere contain vulnerabilities related to authorization, permissions, and access control. Information may be obtained or altered, and service operation may be disrupted (DoS). PowerSCADA Anywhere is SCADA and power monitoring software. Citect is industrial automation operation and monitoring software. An attacker on an adjacent network can escape the published remote application in PowerSCADA Anywhere 1.0 or Citect Anywhere 1.0 and start other processes on the host. Schneider Electric PowerSCADA Anywhere and Citect Anywhere are prone to the following security vulnerabilities:
1. A cross-site request-forgery vulnerability
2. An information-disclosure vulnerability
3. Multiple security-bypass vulnerabilities
Exploiting these issues could allow an attacker to obtain sensitive information, bypass certain security restrictions, perform unauthorized actions, or gain access to the affected system.
Following products and versions are vulnerable:
PowerSCADA Anywhere 1.0 redistributed with PowerSCADA Expert 8.1 and PowerSCADA Expert 8.2
Citect Anywhere 1.0
VAR-201709-1098 | CVE-2017-7970 | Schneider Electric PowerSCADA Anywhere/Citect Anywhere Information Disclosure Vulnerability |
CVSS V2: 3.3 CVSS V3: 6.5 Severity: MEDIUM |
A vulnerability exists in Schneider Electric's PowerSCADA Anywhere v1.0 redistributed with PowerSCADA Expert v8.1 and PowerSCADA Expert v8.2 and Citect Anywhere version 1.0 that allows the ability to specify arbitrary server target nodes in connection requests to the Secure Gateway and Server components. Schneider Electric's PowerSCADA Anywhere and Citect Anywhere contain an access control vulnerability; information may be obtained. PowerSCADA Anywhere is SCADA and power monitoring software. Citect is industrial automation operation and monitoring software. The information disclosure flaw in PowerSCADA Anywhere 1.0 and Citect Anywhere 1.0 lets an attacker on an adjacent network name any server target node in a connection request, so the gateway can be made to connect to hosts it was never meant to reach. Schneider Electric PowerSCADA Anywhere and Citect Anywhere are prone to the following security vulnerabilities:
1. A cross-site request-forgery vulnerability
2. An information-disclosure vulnerability
3. Multiple security-bypass vulnerabilities
Exploiting these issues could allow an attacker to obtain sensitive information, bypass certain security restrictions, perform unauthorized actions, or gain access to the affected system.
Following products and versions are vulnerable:
PowerSCADA Anywhere 1.0 redistributed with PowerSCADA Expert 8.1 and PowerSCADA Expert 8.2
Citect Anywhere 1.0
VAR-201709-1097 | CVE-2017-7969 | Schneider Electric PowerSCADA Anywhere/Citect Anywhere Cross-Site Request Forgery Vulnerability |
CVSS V2: 6.8 CVSS V3: 8.8 Severity: HIGH |
A cross-site request forgery vulnerability exists on the Secure Gateway component of Schneider Electric's PowerSCADA Anywhere v1.0 redistributed with PowerSCADA Expert v8.1 and PowerSCADA Expert v8.2 and Citect Anywhere version 1.0 for multiple state-changing requests. This type of attack requires some level of social engineering to get a legitimate user to click on or access a malicious link or site containing the CSRF attack. Schneider Electric's PowerSCADA Anywhere and Citect Anywhere contain a cross-site request forgery vulnerability. Information may be obtained or altered, and service operation may be disrupted (DoS). PowerSCADA Anywhere is SCADA and power monitoring software. Citect is industrial automation operation and monitoring software. Schneider Electric PowerSCADA Anywhere and Citect Anywhere are prone to the following security vulnerabilities:
1. A cross-site request-forgery vulnerability
2. An information-disclosure vulnerability
3. Multiple security-bypass vulnerabilities
Exploiting these issues could allow an attacker to obtain sensitive information, bypass certain security restrictions, perform unauthorized actions, or gain access to the affected system.
Following products and versions are vulnerable:
PowerSCADA Anywhere 1.0 redistributed with PowerSCADA Expert 8.1 and PowerSCADA Expert 8.2
Citect Anywhere 1.0
VAR-201706-0651 | CVE-2017-7966 | Schneider Electric SoMachine HVAC Arbitrary code execution vulnerability |
CVSS V2: 6.8 CVSS V3: 8.8 Severity: HIGH |
A DLL Hijacking vulnerability in the programming software in Schneider Electric's SoMachine HVAC v2.1.0 allows a remote attacker to execute arbitrary code on the targeted system. The vulnerability exists due to the improper loading of a DLL: the application resolves a library from a location an attacker can control. SoMachine HVAC is PLC programming software for Modicon M171/M172 controllers.
VAR-201708-1390 | CVE-2017-7930 | OSIsoft PI Server Authentication Bypass Vulnerability |
CVSS V2: 5.8 CVSS V3: 7.4 Severity: HIGH |
An Improper Authentication issue was discovered in OSIsoft PI Server 2017, PI Data Archive versions prior to 2017. PI Data Archive has protocol flaws with the potential to expose change records in the clear and to allow a malicious party to spoof a server within a collective. The OSIsoft PI System is a suite of data acquisition, analysis, and visualization software; PI Server is its core product. The flaw is an authentication bypass: an attacker could exploit it to bypass the authentication mechanism and perform unauthorized operations, which may aid in further attacks.
VAR-201708-1392 | CVE-2017-7934 | OSIsoft PI Server 2017 PI Data Archive Authentication vulnerability |
CVSS V2: 4.3 CVSS V3: 5.9 Severity: MEDIUM |
An Improper Authentication issue was discovered in OSIsoft PI Server 2017, PI Data Archive versions prior to 2017. PI Network Manager, when using older protocol versions, contains a flaw that could allow a malicious user to authenticate with a server and then cause PI Network Manager to behave in an undefined manner. The OSIsoft PI System is a suite of data acquisition, analysis, and visualization software; PI Server is its core product. An attacker could exploit the flaw to bypass the authentication mechanism and perform unauthorized operations, which may aid in further attacks.
VAR-201806-0755 | CVE-2017-7931 | ABB IP Gateway Unauthorized Access Vulnerability |
CVSS V2: 7.5 CVSS V3: 9.8 Severity: CRITICAL |
In ABB IP GATEWAY 3.39 and prior, by accessing a specific uniform resource locator (URL) on the web server, a malicious user is able to access the configuration files and application pages without authentication. ABB IP GATEWAY contains an authentication vulnerability. Information may be obtained or altered, and service operation may be disrupted (DoS). ABB IP GATEWAY is a building management system from ABB Switzerland. An attacker could exploit the vulnerability in ABB IP GATEWAY 3.39 and earlier to gain unauthorized access to configuration files or application pages with a specially crafted URL. ABB IP GATEWAY is prone to the following security vulnerabilities:
1. An authentication-bypass vulnerability
2. A cross-site request-forgery vulnerability
3.
VAR-201806-0756 | CVE-2017-7933 | ABB IP GATEWAY Vulnerabilities related to certificate and password management |
CVSS V2: 5.0 CVSS V3: 9.8 Severity: CRITICAL |
In ABB IP GATEWAY 3.39 and prior, some configuration files contain passwords stored in plain text, which may allow an attacker to gain unauthorized access. ABB IP GATEWAY contains vulnerabilities related to certificate and password management. Information may be obtained or altered, and service operation may be disrupted (DoS). ABB IP GATEWAY is a building management system from ABB Switzerland. The vulnerability in ABB IP GATEWAY 3.39 and earlier stems from configuration files that hold passwords in clear text; an attacker who can read those files (for example through the unauthenticated URL access described for CVE-2017-7931 above) could use the passwords to gain unauthorized access. ABB IP GATEWAY is prone to the following security vulnerabilities:
1. An authentication-bypass vulnerability
2. A cross-site request-forgery vulnerability
3.
VAR-201706-0650 | CVE-2017-7965 | Schneider Electric SoMachine HVAC Stack Buffer Overflow Vulnerability |
CVSS V2: 4.6 CVSS V3: 7.3 Severity: HIGH |
A buffer overflow vulnerability exists in the Programming Software executable AlTracePrint.exe in Schneider Electric's SoMachine HVAC v2.1.0 for Modicon M171/M172 Controllers. SoMachine HVAC is PLC programming software. AlTracePrint.exe fails to perform adequate boundary checks on user-supplied data, so an attacker who can feed it crafted input can trigger a local buffer overflow.
Successful exploits may allow attackers to execute arbitrary code in the context of the application. Failed exploits may result in denial-of-service conditions.
Schneider Electric SoMachine HVAC 2.1.0 is vulnerable; other versions may also be affected.
VAR-201708-1389 | CVE-2017-7928 | Schweitzer Engineering Laboratories SEL-3620 and SEL-3622 Security Gateway Vulnerabilities related to authorization, permissions, and access control |
CVSS V2: 7.5 CVSS V3: 10.0 Severity: CRITICAL |
An Improper Access Control issue was discovered in Schweitzer Engineering Laboratories (SEL) SEL-3620 and SEL-3622 Security Gateway versions R202, R203, R203-V1, R203-V2, R204, and R204-V1. The device does not properly enforce access control while configured for NAT port forwarding, which may allow unauthorized communications to downstream devices.
An attacker could exploit this issue to communicate with devices downstream of the gateway that the port-forwarding rules were meant to protect. This may aid in further attacks.
The following versions are vulnerable:
SEL-3620 R202, R203, R203-V1, R203-V2, R204, and R204-V1
SEL-3622 R202, R203, R203-V1, R203-V2, R204, and R204-V1
VAR-201708-1391 | CVE-2017-7932 | Multiple NXP i.MX and Vybrid products: certificate validation vulnerability |
Related entries in the VARIoT exploits database: VAR-E-201707-0324 |
CVSS V2: 4.4 CVSS V3: 6.0 Severity: MEDIUM |
An improper certificate validation issue was discovered in NXP i.MX 28, i.MX 50, i.MX 53, i.MX 7Solo, i.MX 7Dual, Vybrid VF3xx, Vybrid VF5xx, Vybrid VF6xx, i.MX 6ULL, i.MX 6UltraLite, i.MX 6SoloLite, i.MX 6Solo, i.MX 6DualLite, i.MX 6SoloX, i.MX 6Dual, i.MX 6Quad, i.MX 6DualPlus, and i.MX 6QuadPlus. When the device is configured in a security-enabled configuration, under certain conditions it is possible to bypass the signature verification by using a specially crafted certificate, leading to the execution of an unsigned image. Multiple NXP i.MX and Vybrid products contain this certificate validation vulnerability. Information may be obtained or altered, and service operation may be disrupted (DoS). The i.MX and Vybrid families are microprocessor products of NXP Semiconductors (Netherlands); the flaw stems from the signature-verification code failing to properly validate the certificate. Failed exploit attempts will likely cause a denial-of-service condition.
VAR-201705-3751 | CVE-2017-7968 | Schneider Electric Wonderware InduSoft Web Studio Vulnerabilities related to authorization, permissions, and access control |
CVSS V2: 7.2 CVSS V3: 7.8 Severity: HIGH |
An Incorrect Default Permissions issue was discovered in Schneider Electric Wonderware InduSoft Web Studio v8.0 Patch 3 and prior versions. Upon installation, Wonderware InduSoft Web Studio creates a new directory and two files, which are placed in the system's path and can be manipulated by non-administrators. This could allow an authenticated user to escalate his or her privileges. Schneider Electric Wonderware InduSoft Web Studio is a human-machine interface development tool from Schneider Electric, France. A privilege escalation vulnerability exists in Wonderware InduSoft Web Studio v8.0 Patch 3 and earlier.
A local attacker may exploit this issue to gain elevated privileges.
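Both the SoMachine HVAC DLL hijacking entry (CVE-2017-7966) and the InduSoft Web Studio entry above come down to a search path containing a location a low-privileged user can write to. The following added Python check (not vendor code; the directory names in the demo are constructed) lists the PATH entries the current user can write, which is the first thing to run, as a non-administrator, on a host with such software installed.

```python
import os
import tempfile
from typing import List

def writable_search_dirs(path_value: str, pathsep: str = os.pathsep) -> List[str]:
    """Return the existing directories in a PATH-style string that the
    *current* user can write to, in search order, without duplicates.

    Run as an ordinary (non-administrator) user: every hit is a place where
    that user can drop a DLL or executable that a privileged process may
    later resolve by name.  Caveat: on Windows os.access() only consults
    the read-only attribute, not the ACL, so confirm hits there with
    `icacls <dir>` before reporting them.
    """
    hits: List[str] = []
    seen = set()
    for raw in path_value.split(pathsep):
        stripped = raw.strip().strip('"')
        if not stripped:
            continue
        entry = os.path.normpath(stripped)
        if entry in seen:
            continue
        seen.add(entry)
        if os.path.isdir(entry) and os.access(entry, os.W_OK):
            hits.append(entry)
    return hits

def demo() -> List[str]:
    """Constructed scenario: a vendor-created directory that non-admins can
    write sits on PATH, listed twice, next to an entry that does not exist.
    Returns the hits relative to the temp root with '/' separators."""
    with tempfile.TemporaryDirectory() as tmp:
        vendor_dir = os.path.join(tmp, "VendorTool", "bin")
        os.makedirs(vendor_dir)
        path = os.pathsep.join([vendor_dir,
                                os.path.join(tmp, "does-not-exist"),
                                vendor_dir])
        return [os.path.relpath(p, tmp).replace(os.sep, "/")
                for p in writable_search_dirs(path)]

if __name__ == "__main__":
    print("constructed demo:", demo())
    print("this host, this user:")
    for d in writable_search_dirs(os.environ.get("PATH", "")):
        print("  ", d)
```

PATH is not the whole story for DLL hijacking: the application's own directory and the current working directory are searched before PATH, so a directory the installer created under a world-writable location deserves the same scrutiny even if it is not on PATH.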