VARIoT IoT vulnerabilities database

In the IMM2 firmware of Lenovo System x servers, remote commands issued by LXCA or other utilities may be captured in the First Failure Data Capture (FFDC) service log if the service log is generated when that remote command is running. Captured command data may contain clear text login information. Authorized users that can capture and export FFDC service log data may have access to these remote commands. Lenovo System x Server IMM2 The firmware contains a command injection vulnerability.Information may be obtained. LenovoSystemxIMM2 is the firmware used by Lenovo servers to provide remote monitoring and control of the server. A security vulnerability exists in LenovoSystemxIMM2 that could allow an attacker to exploit a vulnerability to obtain a login certificate. Lenovo System x is a server of China Lenovo (Lenovo)

If multiple users are concurrently logged into a single system where one user is sending a command via the Lenovo ToolsCenter Advanced Settings Utility (ASU), UpdateXpress System Pack Installer (UXSPI) or Dynamic System Analysis (DSA) to a second machine, the other users may be able to see the user ID and clear text password that were used to access the second machine during the time the command is processing. Lenovo ToolsCenter Advanced Settings Utility (ASU) , UpdateXpress System Pack Installer (UXSPI) Or Dynamic System Analysis (DSA) Contains an information disclosure vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Security vulnerabilities exist in several Lenovo products. A local attacker can exploit this vulnerability to obtain user IDs and plaintext passwords

Hongfan Computer Technology Co., Ltd. is a high-tech enterprise controlled by CSSC Marine and Defense Equipment Co., Ltd. (CSIC Defense), and is an important part of the state-level technology center. The ioffice OA system involves hospital, government, military, and group industries. There is a SQL injection vulnerability in the mode parameter of the GetBoxyStatus.ashx file in the ioffice OA system, which is caused by the failure to effectively filter the parameters submitted by the user. An attacker could use the vulnerability to access or modify database data.

Dahua Alarm Management Platform is a comprehensive system solution with alarm reception and processing as its core. There is an arbitrary file upload vulnerability in the Dahua Alarm Operation Management Platform device /emap/gis/bitmap/modify.jsp page. Allows an attacker to upload a webshell and gain server permissions.

EnGenius is a Taiwanese wireless manufacturer brand. There is a remote command execution vulnerability in the wireless brain AP products of Shennen EnGenius corporate hotel. Allows an attacker to execute system commands remotely.

Dahua Alarm Management Platform is a comprehensive system solution with alarm reception and processing as its core. Dahua alarm operation management platform equipment bean.recId parameter of attachment_clearTempFile.action file, bean.recId parameter of attachment_getAttList.action file, multiple parameters of caseHistory_search.action file, multiple parameters of maintenance_search.action file, A SQL injection vulnerability exists in the searchBean.point parameter and the searchBean.carNumColor parameter in the picrecordWanted_search.action file. Allows attackers to exploit vulnerabilities to obtain database sensitive information.

igateway gateway is a gateway system produced by Guangzhou Yihang Internet Communication Co., Ltd. The s2-045 remote code execution vulnerability exists in the igateway gateway system, allowing remote attackers to use the vulnerability to execute commands and obtain server permissions.

Hikvision vehicle remote monitoring system is a set of vehicle video network monitoring platform software. Hikvision vehicle remote monitoring system AreaInfoHandle.php page SelectedEnableAdmin parameter has a SQL injection vulnerability. Attackers can use the vulnerability to obtain database sensitive information.

The Milwaukee ONE-KEY Android mobile application uses bearer tokens with an expiration of one year. This bearer token, in combination with a user_id can be used to perform user actions

The Milwaukee ONE-KEY Android mobile application stores the master token in plaintext in the apk binary. A remote attacker could use this vulnerability to forge GPS data

An exploitable command injection vulnerability exists in the web management interface used by the Foscam C1 Indoor HD Camera running application firmware 2.52.2.37. A specially crafted HTTP request can allow for a user to inject arbitrary data in the "msmtprc" configuration file resulting in command execution. An attacker can simply send an HTTP request to the device to trigger this vulnerability. The FoscamIndoorIPCameraC1Series is a C1 series wireless IP camera from Foscam, China. Foscam IP Video Camera is prone to multiple command-injection vulnerabilities. Exploiting these issues could allow an attacker to execute arbitrary commands in context of the affected device

An exploitable command injection vulnerability exists in the web management interface used by the Foscam C1 Indoor HD Camera running application firmware 2.52.2.37. A specially crafted HTTP request can allow for a user to inject arbitrary shell characters during account creation resulting in command injection. An attacker can simply send an HTTP request to the device to trigger this vulnerability. FoscamC1IndoorHDCamera is a wireless HD IP camera from China Foscam. Foscam IP Video Camera is prone to multiple command-injection vulnerabilities. Exploiting these issues could allow an attacker to execute arbitrary commands in context of the affected device

An exploitable command injection vulnerability exists in the web management interface used by the Foscam C1 Indoor HD Camera running application firmware 2.52.2.37. A specially crafted HTTP request can allow for a user to inject arbitrary shell characters during account creation resulting in command injection. An attacker can simply send an HTTP request to the device to trigger this vulnerability. FoscamC1IndoorHDCamera is a wireless HD IP camera from China Foscam. Foscam IP Video Camera is prone to multiple command-injection vulnerabilities. Exploiting these issues could allow an attacker to execute arbitrary commands in context of the affected device

An exploitable directory traversal vulnerability exists in the web management interface used by the Foscam C1 Indoor HD Camera running application firmware 2.52.2.37. A specially crafted HTTP request can cause the application to read a file from disk but a failure to adequately filter characters results in allowing an attacker to specify a file outside of a directory. An attacker can simply send an HTTP request to the device to trigger this vulnerability. Foscam C1 Indoor HD The camera has a path traversal vulnerability.Information may be obtained. FoscamC1IndoorHDCamera is a wireless HD IP camera from China Foscam. Remote attackers may use a specially crafted request with directory-traversal sequences ('../') to retrieve sensitive information. This may aid in further attacks

In the web management interface in Foscam C1 Indoor HD cameras with application firmware 2.52.2.37, a specially crafted HTTP request can allow for a user to inject arbitrary data in the "msmtprc" configuration file resulting in command execution. An attacker can simply send an HTTP request to the device to trigger this vulnerability. FoscamC1IndoorHDCamera is a wireless HD IP camera from China Foscam. There is a security vulnerability in FoscamC1IndoorHDCamera with version 2.52.2.37 application firmware. Foscam IP Video Camera is prone to multiple command-injection vulnerabilities. Exploiting these issues could allow an attacker to execute arbitrary commands in context of the affected device. ### Tested Versions ``` Foscam, Inc. Indoor IP Camera C1 Series System Firmware Version: 1.9.3.17 Application Firmware Version: 2.52.2.37 Web Version: 2.0.1.1 Plug-In Version: 3.3.0.5 ``` ### Product URLs Foscam ### CVSSv3 Score 8.8 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H ### CWE CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection') ### Details Foscam produces a series of IP-capable surveillance devices, network video recorders, and baby monitors for the end-user. Foscam produces a range of cameras for both indoor and outdoor use..

An exploitable command injection vulnerability exists in the web management interface used by the Foscam C1 Indoor HD Camera running application firmware 2.52.2.37. A specially crafted HTTP request can allow for a user to inject arbitrary shell characters during the SMTP configuration tests resulting in command execution. FoscamC1IndoorHDCamera is a wireless HD IP camera from China Foscam. Foscam IP Video Camera is prone to multiple command-injection vulnerabilities. Exploiting these issues could allow an attacker to execute arbitrary commands in context of the affected device

In the web management interface in Foscam C1 Indoor HD cameras with application firmware 2.52.2.37, a specially crafted HTTP request can allow for a user to inject arbitrary shell characters during manual network configuration resulting in command injection. An attacker can simply send an HTTP request to the device to trigger this vulnerability. FoscamC1IndoorHDCamera is a wireless HD IP camera from China Foscam. A security vulnerability exists in the web management interface in FoscamC1IndoorHDCamera using version 2.52.2.37 of the application firmware. Foscam IP Video Camera is prone to multiple command-injection vulnerabilities. Exploiting these issues could allow an attacker to execute arbitrary commands in context of the affected device

In the web management interface in Foscam C1 Indoor HD cameras with application firmware 2.52.2.37, a specially crafted HTTP request can allow for a user to inject arbitrary shell characters during manual network configuration resulting in command injection. An attacker can simply send an HTTP request to the device to trigger this vulnerability. FoscamC1IndoorHDCamera is a wireless HD IP camera from China Foscam. A security vulnerability exists in the web management interface in FoscamC1IndoorHDCamera using version 2.52.2.37 of the application firmware. Foscam IP Video Camera is prone to multiple command-injection vulnerabilities. Exploiting these issues could allow an attacker to execute arbitrary commands in context of the affected device

In the web management interface in Foscam C1 Indoor HD cameras with application firmware 2.52.2.37, a specially crafted HTTP request can allow for a user to inject arbitrary shell characters during manual network configuration resulting in command injection. An attacker can simply send an HTTP request to the device to trigger this vulnerability. FoscamC1IndoorHDCamera is a wireless HD IP camera from China Foscam. A security vulnerability exists in the web management interface in FoscamC1IndoorHDCamera using version 2.52.2.37 of the application firmware. Foscam IP Video Camera is prone to multiple command-injection vulnerabilities. Exploiting these issues could allow an attacker to execute arbitrary commands in context of the affected device

In the web management interface in Foscam C1 Indoor HD cameras with application firmware 2.52.2.37, a specially crafted HTTP request can allow for a user to inject arbitrary shell characters during NTP server configuration resulting in command injection. An attacker can simply send an HTTP request to the device to trigger this vulnerability. FoscamC1IndoorHDCamera is a wireless HD IP camera from China Foscam. A security vulnerability exists in the web management interface in FoscamC1IndoorHDCamera using version 2.52.2.37 of the application firmware. Foscam IP Video Camera is prone to multiple command-injection vulnerabilities. Exploiting these issues could allow an attacker to execute arbitrary commands in context of the affected device