VARIoT IoT vulnerabilities database

pelco Sarix Professional is a video camera. A command execution vulnerability exists in the pelco Sarix Pro network camera set_param program. The vulnerability is because the program does not perform security checks on the parameters submitted by the user, allowing the attack to execute arbitrary system commands as root using shell metacharacters, thereby completely controlling the camera.

pelco Sarix Professional is a video camera. A command execution vulnerability exists in the pelco Sarix Pro network camera export.cgi program. The vulnerability is due to the program's failure to perform security checks on data when executing system commands, allowing attackers to use shell metacharacters to execute arbitrary system commands as root, thereby completely controlling the camera.

pelco Sarix Professional is a video camera. There is an XML entity injection vulnerability in the pelco Sarix Pro webcam import.cgi, which allows attackers to use the vulnerability to obtain sensitive information.

pelco Sarix Professional is a video camera. A command execution vulnerability exists in the pelco Sarix Pro network camera set_param program. The vulnerability is because the program does not perform security checks on the parameters submitted by the user, allowing the attack to execute arbitrary system commands as root using shell metacharacters, thereby completely controlling the camera.

pelco Sarix Professional is a video camera. There is a login bypass vulnerability in the pelco Sarix Pro webcam WEB management interface. Allows an attacker to bypass password authentication and log in to the WEB management interface directly as an administrator.

pelco Sarix Professional is a video camera. A weak password vulnerability exists in the pelco Sarix Pro webcam WEB management interface. The attacker can obtain a hidden management account, use this account to perform any background operation, gain management authority, and completely control the camera.

pelco Sarix Enhanced is a webcam. A command execution vulnerability exists in the pelco Sarix Enhanced Dot1xSetupController.php file. The vulnerability is due to the program's failure to properly perform validity checks when processing user-submitted data, allowing attackers who have passed web authentication to use shell metacharacters to bypass restrictions and execute arbitrary commands as root.

pelco Sarix Professional is a video camera. A command execution vulnerability exists in the pelco Sarix Pro network camera set_param program. The vulnerability is because the program does not perform security checks on the parameters submitted by the user, allowing the attack to execute arbitrary system commands as root using shell metacharacters, thereby completely controlling the camera.

pelco Sarix Professional is a video camera. A code execution vulnerability exists in the pelco Sarix Pro webcam session.cgi program. The vulnerability is because the program does not check the length when processing user submitted data. A remote attacker could use the vulnerability to execute arbitrary code, resulting in a stack overflow.

pelco Sarix Professional is a video camera. There is an arbitrary file deletion vulnerability in the pelco Sarix Pro webcam set_param program. The vulnerability is because the program does not check the file name when processing parameters. An attacker can use the vulnerability to delete any file or directory, causing the camera to fail to work properly.

pelco Sarix Professional is a video camera. An information disclosure vulnerability exists in the pelco Sarix Pro network camera. Allows attackers to exploit vulnerabilities to obtain sensitive information.

pelco Sarix Professional is a video camera. A command execution vulnerability exists in the pelco Sarix Pro network camera set_param program. The vulnerability is due to the program's failure to perform security checks on the parameters submitted by the user, allowing attackers to use shell metacharacters to execute arbitrary system commands as root to completely control the camera.

SonicWall SonicOS on Network Security Appliance (NSA) 2017 Q4 devices has XSS via the CFS Custom Category and Cloud AV DB Exclusion Settings screens. SonicWall SonicOS Contains a cross-site scripting vulnerability.Information may be obtained and information may be altered. Dell SonicWall SonicOS NSA is prone to multiple HTML-Injection vulnerabilities . Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible. All versions of Dell SonicWall SonicOS are vulnerable. SonicWall SonicOS is a system that runs on it. A remote attacker could exploit this vulnerability to bypass throttling mechanisms or filter protections

SonicWall SonicOS on Network Security Appliance (NSA) 2016 Q4 devices has XSS via the Configure SSO screens. SonicWall SonicOS Contains a cross-site scripting vulnerability.Information may be obtained and information may be altered. Dell SonicWall SonicOS NSA is prone to HTML-Injection vulnerability. Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible. SonicWall SonicOS is a system that runs on it. A remote attacker could exploit this vulnerability to inject malicious code

Hitron CVE-30360 devices use a 578A958E3DD933FC DES key that is shared across different customers' installations, which makes it easier for attackers to obtain sensitive information by decrypting a backup configuration file, as demonstrated by a password hash in the um_auth_account_password field. Hitron CVE-30360 The device contains cryptographic vulnerabilities.Information may be obtained. HitronCVE-30360devices is a router device from China Hitron. A security vulnerability exists in the HitronCVE-30360 device that originated from the shared 578A958E3DD933FCDES key used by the program

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Advantech WebAccess. Authentication is not required to exploit this vulnerability.The specific flaw exists within the implementation of the 0x2721 IOCTL in the webvrpcs process. The issue results from the lack of proper validation of a user-supplied value prior to using it as a memory address in a free operation. An attacker can leverage this functionality to execute code under the context of Administrator.

An Untrusted Pointer Dereference issue was discovered in Advantech WebAccess versions prior to 8.3. There are multiple vulnerabilities that may allow an attacker to cause the program to use an invalid memory address, resulting in a program crash. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Advantech WebAccess. Authentication is not required to exploit this vulnerability.The specific flaw exists within the implementation of the 0x27f1 IOCTL in the webvrpcs process. An attacker can leverage this functionality to execute code under the context of Administrator. Advantech WebAccess is a suite of browser-based HMI/SCADA software from Advantech. The software supports dynamic graphical display and real-time data control, and provides the ability to remotely control and manage automation equipment. A denial of service vulnerability exists in versions prior to Advantech WebAccess 8.3

A Stack-based Buffer Overflow issue was discovered in Advantech WebAccess versions prior to 8.3. There are multiple instances of a vulnerability that allows too much data to be written to a location on the stack. Advantech WebAccess Contains a buffer error vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Advantech WebAccess. Authentication is not required to exploit this vulnerability.The specific flaw exists within the parsing of the command line in the BwNodeIP utility. An attacker can leverage this functionality to execute code under the context of Administrator. Advantech WebAccess is a suite of browser-based HMI/SCADA software from Advantech. The software supports dynamic graphical display and real-time data control, and provides the ability to remotely control and manage automation equipment

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Advantech WebAccess. Authentication is not required to exploit this vulnerability.The specific flaw exists within the picfile parameter in gmicons.asp. The issue results from the lack of proper validation of user-supplied data, which can allow for the upload of any file. An attacker can leverage this vulnerability to execute code in the context of the the web service.

IBM Security Access Manager Appliance 8.0.0 and 9.0.0 could allow a remote attacker to conduct phishing attacks, using an open redirect attack. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to spoof the URL displayed to redirect a user to a malicious Web site that would appear to be trusted. This could allow the attacker to obtain highly sensitive information or conduct further attacks against the victim. IBM X-Force ID: 130676. Vendors have confirmed this vulnerability IBM X-Force ID: 130676 It is released as.Information may be obtained and information may be altered. An attacker can leverage this issue by constructing a crafted URI and enticing a user to follow it. When an unsuspecting victim follows the link, they may be redirected to an attacker-controlled site; this may aid in phishing attacks. Other attacks are possible. The product enables access management control through integrated appliances for web, mobile and cloud computing