VARIoT IoT vulnerabilities database


VAR-201707-1356 No CVE HP Officejet Pro X451dw Printer has unauthorized access vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
The HP Officejet Pro X451dw is a desktop printer from Hewlett-Packard. The HP Officejet Pro X451dw Printer has an unauthorized access vulnerability. An attacker could use the vulnerability to gain unauthorized access to the configuration page and obtain sensitive information.
VAR-201707-0931 CVE-2017-8116 Vulnerability in the management interface of Teltonika RUT9XX router firmware that allows execution of arbitrary commands with root privileges CVSS V2: 10.0
CVSS V3: 9.8
Severity: CRITICAL
The management interface for the Teltonika RUT9XX routers (aka LuCI) with firmware 00.03.265 and earlier allows remote attackers to execute arbitrary commands with root privileges via shell metacharacters in the username parameter in a login request. Teltonika RUT9XX routers (also known as LuCI) are a router product from Teltonika, Lithuania. A security vulnerability exists in the management interface in the Teltonika RUT9XX router using firmware 0.03.265 and earlier. Teltonika routers are prone to a remote command-execution vulnerability because they fail to properly sanitize user-supplied input. This may aid in further attacks.
VAR-201707-0197 CVE-2017-10796 Vulnerability in TP-Link NC250 device firmware that allows viewing video and audio without authentication CVSS V2: 3.3
CVSS V3: 6.5
Severity: MEDIUM
On TP-Link NC250 devices with firmware through 1.2.1 build 170515, anyone can view video and audio without authentication via an rtsp://admin@yourip:554/h264_hd.sdp URL. TP-Link NC250 is a network camera product of China TP-LINK. TP-LINK NC250 has an authentication bypass vulnerability. TP-Link NC250 with 1.2.1 build 170515 and earlier firmware has a security vulnerability.
VAR-201804-0472 CVE-2016-8732 Invincea Dell Protected Workspace Permissions vulnerability CVSS V2: 4.6
CVSS V3: 7.8
Severity: HIGH
Multiple security flaws exist in InvProtectDrv.sys, which is a part of Invincea Dell Protected Workspace 5.1.1-22303. Weak restrictions on the driver communication channel and additional insufficient checks allow any application to turn off some of the protection mechanisms provided by the Invincea product. Invincea Dell Protected Workspace contains a permission vulnerability. Information may be obtained or altered, and service operation may be disrupted (DoS). Dell is a company based in Round Rock, Texas, USA. There are protection bypass bugs in several Dell products. An attacker could exploit the vulnerability to bypass the authentication mechanism and gain unauthorized access. There is also a privilege escalation vulnerability.
VAR-201804-0459 CVE-2016-9038 Invincea-X Race condition vulnerability CVSS V2: 4.4
CVSS V3: 7.8
Severity: HIGH
An exploitable double fetch vulnerability exists in the SboxDrv.sys driver functionality of Invincea-X 6.1.3-24058. A specially crafted input buffer and race condition can result in kernel memory corruption, which could result in privilege escalation. An attacker needs to execute a special application locally to trigger this vulnerability. Invincea-X contains a race condition vulnerability. Information may be obtained or altered, and service operation may be disrupted (DoS). Dell is a company based in Round Rock, Texas, USA. A number of Dell products have privilege escalation vulnerabilities that allow an attacker to escalate privileges, as well as multiple security bypass vulnerabilities. An attacker may leverage these issues to execute arbitrary code in the context of the vulnerable application, elevate privileges, bypass the authentication mechanism and gain unauthorized access.
VAR-201804-0552 CVE-2017-2802 Dell Precision Optimizer Software unreliable search path vulnerability CVSS V2: 6.8
CVSS V3: 7.8
Severity: HIGH
An exploitable DLL hijacking vulnerability exists in the poaService.exe service component of the Dell Precision Optimizer software version 3.5.5.0. A specifically named malicious DLL file located in one of the directories pointed to by the PATH environment variable will lead to privilege escalation. An attacker with local access to a vulnerable system can exploit this vulnerability. The Dell Precision Optimizer software contains an unreliable search path vulnerability. Information may be obtained or altered, and service operation may be disrupted (DoS). Dell is a company based in Round Rock, Texas, USA. A number of Dell products have security bypass vulnerabilities and a privilege escalation vulnerability. The tool supports automatic adjustment of system settings such as Intel Hyper-Threading, number of CPU cores, processor priority, graphics card, and power supply.
VAR-201708-0403 CVE-2017-10677 Linksys EA4500 Device firmware cross-site request forgery vulnerability CVSS V2: 6.8
CVSS V3: 8.8
Severity: HIGH
Cross-Site Request Forgery (CSRF) exists on Linksys EA4500 devices with Firmware Version before 2.1.41.164606, as demonstrated by a request to apply.cgi to disable SIP. Cisco Linksys EA4500 is a router device from Cisco. A remote attacker could exploit this vulnerability to perform unauthorized operations.
VAR-201706-1134 No CVE TerraMaster NAS TOS arbitrary command execution vulnerability CVSS V2: 6.8
CVSS V3: -
Severity: MEDIUM
TerraMaster is a high-end professional storage development and sales company headquartered in New York, USA. It has more than 16 years of history and is a famous professional storage brand in the United States. A security vulnerability exists in TerraMaster NAS TOS version 3.0.30 and below. It allows an attacker to execute commands without login authorization.
VAR-201706-1114 No CVE Struts2-045 Remote Code Execution Vulnerability in Zhejiang Dahua DSS 3.0 Security Platform CVSS V2: 10.0
CVSS V3: -
Severity: HIGH
DSS (Digital Surveillance System) is a highly integrated and powerful digital monitoring management system developed by Zhejiang Dahua Technology Co., Ltd. Zhejiang Dahua's new DSS 3.0 security platform uses Apache Struts 2 as the website application framework. Because the software has a high-risk remote code execution vulnerability, attackers can use the vulnerability to gain remote control of the web server host.
VAR-201706-1136 No CVE Ruijie RG-WALL-160S firewall has SNMP protocol community string authentication permission bypass vulnerability CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
RG-WALL 160S is a 100M firewall product launched by Ruijie Networks. The Ruijie RG-WALL-160S firewall has an SNMP protocol community string authentication permission bypass vulnerability. It allows an attacker to use arbitrary strings or integer values to bypass SNMP access control and write arbitrary strings in the MIB (Management Information Base) to obtain sensitive information of the device.
VAR-201706-1152 No CVE Cross-site Scripting Vulnerability in multiple Hitachi products CVSS V2: 4.3
CVSS V3: 4.7
Severity: Medium
A cross-site scripting vulnerability was found in uCosminexus Portal Framework, Groupmax Collaboration, Hitachi Navigation Platform and JP1/Navigation Platform. Remote users can exploit this vulnerability to execute malicious scripts.
VAR-201706-1151 No CVE Multiple Vulnerabilities in Hitachi IT Operations Director and JP1/IT Desktop Management CVSS V2: 7.5
CVSS V3: 8.1
Severity: High
A cross-site scripting vulnerability and an XML external entity (XXE) vulnerability have been found in Hitachi IT Operations Director, JP1/IT Desktop Management - Manager and JP1/IT Desktop Management 2 - Manager. An attacker may conduct a cross-site scripting attack and an XML external entity (XXE) attack.
VAR-201706-0247 CVE-2017-10709 Vulnerability related to security features in the lock screen of Android running on Elephone P9000 devices CVSS V2: 7.2
CVSS V3: 6.8
Severity: MEDIUM
The lockscreen on Elephone P9000 devices (running Android 6.0) allows physically proximate attackers to bypass a wrong-PIN lockout feature by pressing backspace after each PIN guess. Android is a Linux-based open source operating system jointly developed by Google and the Open Handheld Device Alliance (OHA). Elephone P9000 is a smartphone running the Android operating system from Elephone China. Lockscreen is one of the screen lock components. There is a security hole in the lockscreen in the Android 6.0 version of the Elephone P9000. A physically proximate attacker can use the vulnerability to bypass the wrong-PIN lockout feature by entering the PIN code and holding the backspace key.
VAR-201707-0165 CVE-2017-10676 D-Link DIR-600M Device Cross-Site Scripting Vulnerability CVSS V2: 4.3
CVSS V3: 6.1
Severity: MEDIUM
On D-Link DIR-600M devices before C1_v3.05ENB01_beta_20170306, XSS was found in the form2userconfig.cgi username parameter. form2userconfig.cgi on D-Link DIR-600M devices contains a cross-site scripting vulnerability. A cross-site scripting attack may be performed via the username parameter. D-Link DIR-600M is a wireless router product of D-Link. A remote attacker can exploit this vulnerability to brute force passwords.
VAR-201706-0045 CVE-2015-9105 Synology Video Station Vulnerable to cross-site scripting CVSS V2: 3.5
CVSS V3: 5.4
Severity: MEDIUM
Multiple cross-site scripting (XSS) vulnerabilities in Synology Video Station 1.2 before 1.2-0455, 1.5 before 1.5-0772, and 1.6 before 1.6-0847 allow remote authenticated attackers to inject arbitrary web script or HTML via the (1) file name or (2) collection name of videos. Synology Video Station is a video manager from Synology
VAR-201706-0044 CVE-2015-9104 Synology Audio Station Vulnerable to cross-site scripting CVSS V2: 3.5
CVSS V3: 5.4
Severity: MEDIUM
Cross-site scripting (XSS) vulnerabilities in Synology Audio Station 5.1 before 5.1-2550 and 5.4 before 5.4-2857 allow remote authenticated attackers to inject arbitrary web script or HTML via the album title. Synology Audio Station is an audio manager from Synology. A cross-site scripting vulnerability exists in Synology Audio Station 5.1 prior to 5.1-2550 and 5.4 prior to 5.4-2857.
VAR-201706-0043 CVE-2015-9103 Synology Note Station Vulnerable to cross-site scripting CVSS V2: 3.5
CVSS V3: 5.4
Severity: MEDIUM
Multiple cross-site scripting (XSS) vulnerabilities in Synology Note Station 1.1-0212 and earlier allow remote authenticated attackers to inject arbitrary web script or HTML via the (1) note title or (2) file name of attachments. Synology Note Station is a cloud-based note management platform from Synology
VAR-201706-0042 CVE-2015-9102 Synology Photo Station Vulnerable to cross-site scripting CVSS V2: 3.5
CVSS V3: 5.4
Severity: MEDIUM
Multiple cross-site scripting (XSS) vulnerabilities in Synology Photo Station 6.0 before 6.0-2638 and 6.3 before 6.3-2962 allow remote authenticated attackers to inject arbitrary web script or HTML via the (1) album name, (2) file name of uploaded photos, (3) description of photos, or (4) tag of the photos. Synology Photo Station is a set of solutions for sharing pictures, videos and blogs on the Internet from Synology, a Taiwan-based company
VAR-201707-0938 CVE-2017-9980 Command injection vulnerability in the "PING" feature of the Green Packet DX-350 web interface CVSS V2: 7.5
CVSS V3: 9.8
Severity: CRITICAL
In Green Packet DX-350 Firmware version v2.8.9.5-g1.4.8-atheeb, the "PING" (aka tag_ipPing) feature within the web interface allows performing command injection, via the "pip" parameter. The Green Packet DX-350 is a network access point device from Green Packet, USA. There is a security hole in the PING function of the web interface in the Green Packet DX-350. An attacker can use this vulnerability to inject commands with the help of the 'pip' parameter.
VAR-201706-0359 CVE-2017-3749 Vulnerabilities related to authorization, permissions, and access control in the Idea Friend Android application on Lenovo VIBE cell phones CVSS V2: 6.9
CVSS V3: 6.4
Severity: MEDIUM
On Lenovo VIBE mobile phones, the Idea Friend Android application allows private data to be backed up and restored via Android Debug Bridge, which allows tampering leading to privilege escalation in conjunction with CVE-2017-3748 and CVE-2017-3750. The Idea Friend Android application on Lenovo VIBE cell phones has vulnerabilities related to authorization, permissions, and access control. When exploited together with CVE-2017-3748 and CVE-2017-3750, information may be obtained or tampered with, and service operation may be disrupted (DoS). Android 6.0 Marshmallow is a Linux-based open source operating system jointly developed by Google and the Open Handheld Device Alliance (OHA). Lenovo A2010-a and others are Lenovo smartphone products using the Android 6.0 Marshmallow operating system. A privilege escalation vulnerability exists in several Lenovo VIBE phones using versions prior to Android 6.0 Marshmallow, which stems from the Idea Friend Android app allowing backup and storage of private data via Android Debug Bridge. An attacker could exploit the vulnerability to gain elevated privileges.