VARIoT IoT vulnerabilities database

SQL injection vulnerability exists in GetDIAE_astListParameters. Delta Electronics DIAEnergie is an industrial energy management system from Delta Electronics, a Taiwanese company, used to monitor and analyze energy consumption in real time, calculate energy consumption and load characteristics, optimize equipment performance, improve production processes, and maximize energy efficiency. Delta Electronics DIAEnergie versions prior to v1.10.00.005 have a SQL injection vulnerability that allows attackers to view, add, modify, or delete information in the backend database

Path traversal attack is possible and write outside of the intended directory and may access sensitive information. If a file name is specified that already exists on the file system, then the original file will be overwritten. Delta Electronics DIAEnergie is an industrial energy management system from Delta Electronics, a Taiwanese company, used to monitor and analyze energy consumption in real time, calculate energy consumption and load characteristics, optimize equipment performance, improve production processes, and maximize energy efficiency

SQL injection vulnerability exists in GetDIAE_slogListParameters. Delta Electronics DIAEnergie is an industrial energy management system from Delta Electronics, a Taiwanese company, used to monitor and analyze energy consumption in real time, calculate energy consumption and load characteristics, optimize equipment performance, improve production processes, and maximize energy efficiency. Delta Electronics DIAEnergie versions prior to v1.10.00.005 have a SQL injection vulnerability that allows attackers to view, add, modify, or delete information in the backend database

SQL injection vulnerability exists in GetDIAE_unListParameters. Delta Electronics DIAEnergie is an industrial energy management system from Delta Electronics, a Taiwanese company, used to monitor and analyze energy consumption in real time, calculate energy consumption and load characteristics, optimize equipment performance, improve production processes, and maximize energy efficiency. Delta Electronics DIAEnergie versions prior to v1.10.00.005 have a SQL injection vulnerability that allows attackers to view, add, modify, or delete information in the backend database

Privileges are not fully verified server-side, which can be abused by a user with limited privileges to bypass authorization and access privileged functionality. Delta Electronics, INC. of DIAEnergie Exists in unspecified vulnerabilities.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. Delta Electronics DIAEnergie is an industrial energy management system from Taiwan's Delta Electronics, used to monitor and analyze energy consumption in real time, calculate energy consumption and load characteristics, optimize equipment performance, improve production processes, and maximize energy efficiency

SQL injection vulnerability exists in the script DIAE_tagHandler.ashx. Delta Electronics, INC. of DIAEnergie for, SQL There is an injection vulnerability.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. Delta Electronics DIAEnergie DIAE_tagHandler.ashx script has a SQL injection vulnerability, which can be exploited by attackers to view, add, modify or delete information in the backend database

A vulnerability, which was classified as critical, was found in Tenda AC10U 15.03.06.48. This affects the function formSetPPTPServer of the file /goform/SetPptpServerCfg. The manipulation of the argument endIP leads to stack-based buffer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-257601 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. Shenzhen Tenda Technology Co.,Ltd. of ac10u An out-of-bounds write vulnerability exists in firmware.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. The vulnerability is caused by the parameter endIP of the function formSetPPTPServer in the file /goform/SetPptpServerCfg failing to correctly verify the length of the input data. Attackers can exploit this vulnerability to execute arbitrary code on the system or cause a denial of service

A vulnerability, which was classified as critical, has been found in Tenda AC10U 15.03.06.48. Affected by this issue is the function formSetCfm of the file goform/setcfm. The manipulation of the argument funcpara1 leads to stack-based buffer overflow. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-257600. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. Shenzhen Tenda Technology Co.,Ltd. of ac10u An out-of-bounds write vulnerability exists in firmware.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. The vulnerability is caused by the parameter funcpara1 of the function formSetCfm in the file goform/setcfm failing to correctly verify the length of the input data. A remote attacker can exploit this vulnerability to execute arbitrary code on the system or cause a denial of service attack

An issue was discovered in gui/util/qktxhandler.cpp in Qt before 5.15.17, 6.x before 6.2.12, 6.3.x through 6.5.x before 6.5.5, and 6.6.x before 6.6.2. A buffer overflow and application crash can occur via a crafted KTX image file. The Qt Company of Qt Exists in a classic buffer overflow vulnerability.Service operation interruption (DoS) It may be in a state. Tenda AC18 is a router made by the Chinese company Tenda. There is a buffer overflow vulnerability in Tenda AC18 V15.03.05.05. The vulnerability is caused by the cmdinput parameter of the formexeCommand function in the /goform/execCommand file failing to correctly verify the length of the input data. A remote attacker can exploit this vulnerability to execute on the system. Arbitrary code or lead to denial of service attacks. Description<!---->A flaw was found in Qt Base. This flaw allows an malicious user to use a specially crafted KTX image file to trigger a buffer overflow in the application reading it, leading to a denial of service.A flaw was found in Qt Base

A vulnerability was found in Tenda AC10U 15.03.06.48. It has been rated as critical. Affected by this issue is the function addWifiMacFilter of the file /goform/addWifiMacFilter. The manipulation of the argument deviceMac leads to stack-based buffer overflow. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-257462 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. of ac10u An out-of-bounds write vulnerability exists in firmware.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. The Tenda AC10U is a dual-band Gigabit router that implements the 802.11ac Wave 2.0 standard and supports MU-MIMO technology, offering high wall penetration and stable transmission. This vulnerability stems from the failure of the deviceMac parameter in the addWifiMacFilter function in the /goform/addWifiMacFilter file to properly validate the length of input data. An attacker could exploit this vulnerability to execute arbitrary code on the system or cause a denial of service

A vulnerability was found in Tenda AC10U 15.03.06.49. It has been declared as critical. Affected by this vulnerability is the function setSchedWifi of the file /goform/openSchedWifi. The manipulation of the argument schedStartTime leads to stack-based buffer overflow. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-257461 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. of ac10u An out-of-bounds write vulnerability exists in firmware.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. Attackers can exploit this vulnerability to execute arbitrary code on the system or cause a denial of service

A vulnerability was found in Tenda AC10U 15.03.06.49. It has been classified as critical. Affected is the function fromSetRouteStatic of the file /goform/SetStaticRouteCfg. The manipulation of the argument list leads to stack-based buffer overflow. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-257460. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. of ac10u An out-of-bounds write vulnerability exists in firmware.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. The vulnerability is caused by the list parameter of the fromSetRouteStatic function of the /goform/SetStaticRouteCfg file failing to correctly verify the length of the input data. Attackers can exploit this vulnerability to execute arbitrary code on the system or cause a denial of service

A vulnerability was found in Tenda AC10U 15.03.06.49 and classified as critical. This issue affects the function formexeCommand of the file /goform/execCommand. The manipulation of the argument cmdinput leads to stack-based buffer overflow. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-257459. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. Shenzhen Tenda Technology Co.,Ltd. of ac10u An out-of-bounds write vulnerability exists in firmware.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. The Tenda AC10U is a dual-band Gigabit router that implements the 802.11ac Wave 2.0 standard and supports MU-MIMO technology, offering high wall penetration and stable transmission. This vulnerability occurs because the cmdinput parameter of the formexeCommand function in the /goform/execCommand file fails to properly validate the length of input data. An attacker could exploit this vulnerability to execute arbitrary code on the system or cause a denial of service

A vulnerability has been found in Tenda AC10U 15.03.06.49 and classified as critical. This vulnerability affects the function formWriteFacMac of the file /goform/WriteFacMac. The manipulation of the argument mac leads to os command injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-257458 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. Shenzhen Tenda Technology Co.,Ltd. of ac10u The firmware has OS A command injection vulnerability exists.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. The vulnerability is caused by the mac parameter of the formWriteFacMac function of the /goform/WriteFacMac file failing to properly filter special characters and commands in the constructed command. Attackers can exploit this vulnerability to cause arbitrary command execution

There is a Cross-site scripting (XSS) vulnerability in the Wireless settings under the Easy Setup Page of TOTOLINK X2000R before v1.0.0-B20231213.1013. TOTOLINK of x2000r Firmware has a cross-site scripting vulnerability.Information may be obtained and information may be tampered with. TOTOLINK X2000R is a WiFi 6 router launched by China Jiong Electronics. It supports Gigabit network and Easy Mesh functions, and has multi-device connection and wireless expansion capabilities. The vulnerability is caused by the lack of effective filtering and escaping of user-provided data by the application. Attackers can exploit this vulnerability to execute arbitrary web scripts or HTML by injecting carefully designed payloads

There is stack-based buffer overflow vulnerability in pc_change_act function in Linksys E1000 router firmware version v.2.1.03 and before, leading to remote code execution. (DoS) It may be in a state. Linksys E1000 is a router from Linksys, an American company. The vulnerability is caused by the failure to check the buffer input size. Remote attackers can exploit this vulnerability to cause denial of service or code execution

Tenda AC18 V15.03.05.05 has a stack overflow vulnerability in the firewallEn parameter of formSetFirewallCfg function. Shenzhen Tenda Technology Co.,Ltd. of AC18 A stack-based buffer overflow vulnerability exists in the firmware.Service operation interruption (DoS) It may be in a state

Tenda AC18 V15.03.05.05 has a stack overflow vulnerability in the page parameter of fromNatStaticSetting function. Shenzhen Tenda Technology Co.,Ltd. of AC18 An out-of-bounds read vulnerability exists in firmware.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state

Tenda AC18 V15.03.05.05 has a stack overflow vulnerability in the filePath parameter of formExpandDlnaFile function. Shenzhen Tenda Technology Co.,Ltd. of AC18 A stack-based buffer overflow vulnerability exists in the firmware.Information may be tampered with

A vulnerability was found in Tenda AC10 16.03.10.13 and classified as critical. This issue affects the function fromSetRouteStatic of the file /goform/SetStaticRouteCfg. The manipulation of the argument list leads to stack-based buffer overflow. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-257081 was assigned to this vulnerability. Shenzhen Tenda Technology Co.,Ltd. of AC10 An out-of-bounds write vulnerability exists in firmware.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. The vulnerability is caused by the parameter list of the fromSetRouteStatic function in the file /goform/SetStaticRouteCfg failing to correctly verify the length of the input data. Attackers can exploit this vulnerability to execute arbitrary code on the system or cause a denial of service