VARIoT IoT vulnerabilities database

Affected products: vendor, model and version
CWE format is 'CWE-number'. Threat type can be: remote or local
Look up free text in title and description

VAR-202410-0075 CVE-2024-41587 DrayTek Corporation  of  vigor3910  Cross-site scripting vulnerability in firmware CVSS V2: -
CVSS V3: 5.4
Severity: MEDIUM
Stored XSS, by authenticated users, is caused by poor sanitization of the Login Page Greeting message in DrayTek Vigor310 devices through 4.3.2.6. DrayTek Corporation of vigor3910 Firmware has a cross-site scripting vulnerability.Information may be obtained and information may be tampered with
VAR-202410-0195 CVE-2024-20524 Out-of-bounds write vulnerability in multiple Cisco Systems products CVSS V2: -
CVSS V3: 6.8
Severity: MEDIUM
A vulnerability in the web-based management interface of Cisco Small Business RV042, RV042G, RV320, and RV325 Routers could allow an authenticated, Administrator-level, remote attacker to cause an unexpected reload of an affected device, resulting in a denial of service (DoS) condition. To exploit this vulnerability, an attacker would need to have valid Administrator credentials on the affected device.   This vulnerability is due to improper validation of user input that is in incoming HTTP packets. An attacker could exploit this vulnerability by sending a crafted HTTP request to the web-based management interface of the affected device. A successful exploit could allow the attacker to cause an unexpected reload of the device, resulting in a DoS condition. RV042 Dual WAN VPN firmware, RV042G Dual Gigabit WAN VPN firmware, Cisco RV320 Dual Gigabit WAN VPN Multiple Cisco Systems products, including router firmware, contain an out-of-bounds write vulnerability.Service operation interruption (DoS) It may be in a state
VAR-202410-0215 CVE-2024-20523 Out-of-bounds write vulnerability in multiple Cisco Systems products CVSS V2: -
CVSS V3: 6.8
Severity: MEDIUM
A vulnerability in the web-based management interface of Cisco Small Business RV042, RV042G, RV320, and RV325 Routers could allow an authenticated, Administrator-level, remote attacker to cause an unexpected reload of an affected device, resulting in a denial of service (DoS) condition. To exploit this vulnerability, an attacker would need to have valid Administrator credentials on the affected device.   This vulnerability is due to improper validation of user input that is in incoming HTTP packets. An attacker could exploit this vulnerability by sending a crafted HTTP request to the web-based management interface of the affected device. A successful exploit could allow the attacker to cause an unexpected reload of the device, resulting in a DoS condition. RV042 Dual WAN VPN firmware, RV042G Dual Gigabit WAN VPN firmware, Cisco RV320 Dual Gigabit WAN VPN Multiple Cisco Systems products, including router firmware, contain an out-of-bounds write vulnerability.Service operation interruption (DoS) It may be in a state
VAR-202410-0203 CVE-2024-20522 Out-of-bounds write vulnerability in multiple Cisco Systems products CVSS V2: -
CVSS V3: 6.8
Severity: MEDIUM
A vulnerability in the web-based management interface of Cisco Small Business RV042, RV042G, RV320, and RV325 Routers could allow an authenticated, Administrator-level, remote attacker to cause an unexpected reload of an affected device, resulting in a denial of service (DoS) condition. To exploit this vulnerability, an attacker would need to have valid Administrator credentials on the affected device.   This vulnerability is due to improper validation of user input that is in incoming HTTP packets. An attacker could exploit this vulnerability by sending a crafted HTTP request to the web-based management interface of the affected device. A successful exploit could allow the attacker to cause an unexpected reload of the device, resulting in a DoS condition. RV042 Dual WAN VPN firmware, RV042G Dual Gigabit WAN VPN firmware, Cisco RV320 Dual Gigabit WAN VPN Multiple Cisco Systems products, including router firmware, contain an out-of-bounds write vulnerability.Service operation interruption (DoS) It may be in a state
VAR-202410-0194 CVE-2024-20521 Out-of-bounds write vulnerability in multiple Cisco Systems products CVSS V2: -
CVSS V3: 9.1
Severity: CRITICAL
A vulnerability in the web-based management interface of Cisco Small Business RV042, RV042G, RV320, and RV325 Routers could allow an authenticated, Administrator-level, remote attacker to execute arbitrary code as the root user. To exploit this vulnerability, an attacker would need to have valid Administrator credentials on the affected device.   This vulnerability is due to improper validation of user-supplied input in the web-based management interface. An attacker could exploit this vulnerability by sending crafted HTTP requests to an affected device. A successful exploit could allow the attacker to execute arbitrary code on the underlying operating system as the root user. RV042 Dual WAN VPN firmware, RV042G Dual Gigabit WAN VPN firmware, Cisco RV320 Dual Gigabit WAN VPN Multiple Cisco Systems products, including router firmware, contain an out-of-bounds write vulnerability.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state
VAR-202410-0164 CVE-2024-20520 Out-of-bounds write vulnerability in multiple Cisco Systems products CVSS V2: -
CVSS V3: 9.1
Severity: CRITICAL
A vulnerability in the web-based management interface of Cisco Small Business RV042, RV042G, RV320, and RV325 Routers could allow an authenticated, Administrator-level, remote attacker to execute arbitrary code as the root user. To exploit this vulnerability, an attacker would need to have valid Administrator credentials on the affected device.   This vulnerability is due to improper validation of user-supplied input in the web-based management interface. An attacker could exploit this vulnerability by sending crafted HTTP requests to an affected device. A successful exploit could allow the attacker to execute arbitrary code on the underlying operating system as the root user. RV042 Dual WAN VPN firmware, RV042G Dual Gigabit WAN VPN firmware, Cisco RV320 Dual Gigabit WAN VPN Multiple Cisco Systems products, including router firmware, contain an out-of-bounds write vulnerability.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state
VAR-202410-0270 CVE-2024-20519 Out-of-bounds write vulnerability in multiple Cisco Systems products CVSS V2: 8.3
CVSS V3: 9.1
Severity: CRITICAL
A vulnerability in the web-based management interface of Cisco Small Business RV042, RV042G, RV320, and RV325 Routers could allow an authenticated, Administrator-level, remote attacker to execute arbitrary code as the root user. To exploit this vulnerability, an attacker would need to have valid Administrator credentials on the affected device.   This vulnerability is due to improper validation of user-supplied input in the web-based management interface. An attacker could exploit this vulnerability by sending crafted HTTP requests to an affected device. A successful exploit could allow the attacker to execute arbitrary code on the underlying operating system as the root user. RV042 Dual WAN VPN firmware, RV042G Dual Gigabit WAN VPN firmware, Cisco RV320 Dual Gigabit WAN VPN Multiple Cisco Systems products, including router firmware, contain an out-of-bounds write vulnerability.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. Cisco Small Business Routers is a router device of Cisco
VAR-202410-0311 CVE-2024-20518 Out-of-bounds write vulnerability in multiple Cisco Systems products CVSS V2: 8.3
CVSS V3: 9.1
Severity: CRITICAL
A vulnerability in the web-based management interface of Cisco Small Business RV042, RV042G, RV320, and RV325 Routers could allow an authenticated, Administrator-level, remote attacker to execute arbitrary code as the root user. To exploit this vulnerability, an attacker would need to have valid Administrator credentials on the affected device.   This vulnerability is due to improper validation of user-supplied input in the web-based management interface. An attacker could exploit this vulnerability by sending crafted HTTP requests to an affected device. A successful exploit could allow the attacker to execute arbitrary code on the underlying operating system as the root user. RV042 Dual WAN VPN firmware, RV042G Dual Gigabit WAN VPN firmware, Cisco RV320 Dual Gigabit WAN VPN Multiple Cisco Systems products, including router firmware, contain an out-of-bounds write vulnerability.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. Cisco Small Business Routers is a router device of Cisco
VAR-202410-0324 CVE-2024-20517 Out-of-bounds write vulnerability in multiple Cisco Systems products CVSS V2: -
CVSS V3: 6.8
Severity: MEDIUM
A vulnerability in the web-based management interface of Cisco Small Business RV042, RV042G, RV320, and RV325 Routers could allow an authenticated, Administrator-level, remote attacker to cause an unexpected reload of an affected device, resulting in a denial of service (DoS) condition. To exploit this vulnerability, an attacker would need to have valid Administrator credentials on the affected device.   This vulnerability is due to improper validation of user input that is in incoming HTTP packets. An attacker could exploit this vulnerability by sending a crafted HTTP request to the web-based management interface of the affected device. A successful exploit could allow the attacker to cause an unexpected reload of the device, resulting in a DoS condition. RV042 Dual WAN VPN firmware, RV042G Dual Gigabit WAN VPN firmware, Cisco RV320 Dual Gigabit WAN VPN Multiple Cisco Systems products, including router firmware, contain an out-of-bounds write vulnerability.Service operation interruption (DoS) It may be in a state
VAR-202410-0205 CVE-2024-20516 Out-of-bounds write vulnerability in multiple Cisco Systems products CVSS V2: -
CVSS V3: 6.8
Severity: MEDIUM
A vulnerability in the web-based management interface of Cisco Small Business RV042, RV042G, RV320, and RV325 Routers could allow an authenticated, Administrator-level, remote attacker to cause an unexpected reload of an affected device, resulting in a denial of service (DoS) condition. To exploit this vulnerability, an attacker would need to have valid Administrator credentials on the affected device.   This vulnerability is due to improper validation of user input that is in incoming HTTP packets. An attacker could exploit this vulnerability by sending a crafted HTTP request to the web-based management interface of the affected device. A successful exploit could allow the attacker to cause an unexpected reload of the device, resulting in a DoS condition. RV042 Dual WAN VPN firmware, RV042G Dual Gigabit WAN VPN firmware, Cisco RV320 Dual Gigabit WAN VPN Multiple Cisco Systems products, including router firmware, contain an out-of-bounds write vulnerability.Service operation interruption (DoS) It may be in a state
VAR-202410-0280 CVE-2024-20470 Vulnerabilities in multiple Cisco Systems products CVSS V2: -
CVSS V3: 7.2
Severity: HIGH
A vulnerability in the web-based management interface of Cisco Small Business RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN Routers could allow an authenticated, remote attacker to execute arbitrary code on an affected device. In order to exploit this vulnerability, the attacker must have valid admin credentials. This vulnerability exists because the web-based management interface does not sufficiently validate user-supplied input. An attacker could exploit this vulnerability by sending crafted HTTP input to an affected device. A successful exploit could allow the attacker to execute arbitrary code as the root user on the underlying operating system. RV340 firmware, RV340W firmware, RV345 Unspecified vulnerabilities exist in multiple Cisco Systems products such as firmware.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state
VAR-202410-0204 CVE-2024-20393 Vulnerabilities in multiple Cisco Systems products CVSS V2: -
CVSS V3: 8.8
Severity: HIGH
A vulnerability in the web-based management interface of Cisco Small Business RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN Routers could allow an authenticated, remote attacker to elevate privileges on an affected device. This vulnerability exists because the web-based management interface discloses sensitive information. An attacker could exploit this vulnerability by sending crafted HTTP input to an affected device. A successful exploit could allow an attacker to elevate privileges from guest to admin. RV340 firmware, RV340W firmware, RV345 Unspecified vulnerabilities exist in multiple Cisco Systems products such as firmware.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state
VAR-202409-2441 CVE-2024-46313 TP-LINK Technologies  of  TL-WR941ND  Stack-based buffer overflow vulnerability in firmware CVSS V2: -
CVSS V3: 8.0
Severity: HIGH
TP-Link WR941ND V6 has a stack overflow vulnerability in the ssid parameter in /userRpm/popupSiteSurveyRpm.htm. TP-LINK Technologies of TL-WR941ND A stack-based buffer overflow vulnerability exists in the firmware.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state
VAR-202409-2142 CVE-2024-6436 Rockwell Automation SequenceManager Input Validation Error Vulnerability CVSS V2: 7.8
CVSS V3: 6.5
Severity: MEDIUM
An input validation vulnerability exists in the Rockwell Automation Sequence Manager™ which could allow a malicious user to send malformed packets to the server and cause a denial-of-service condition. If exploited, the device would become unresponsive, and a manual restart will be required for recovery. Additionally, if exploited, there could be a loss of view for the downstream equipment sequences in the controller. Users would not be able to view the status or command the equipment sequences, however the equipment sequence would continue to execute uninterrupted. Rockwell Automation SequenceManager is a controller-based basic batch management system from Rockwell Automation, USA
VAR-202409-1471 CVE-2024-39275 Advantech Co., Ltd.  adam-5630  Firmware vulnerabilities CVSS V2: 8.3
CVSS V3: 8.8
Severity: HIGH
Cookies of authenticated Advantech ADAM-5630 users remain as active valid cookies when a session is closed. Forging requests with a legitimate cookie, even if the session was terminated, allows an unauthorized attacker to act with the same level of privileges of the legitimate user. Advantech Co., Ltd. adam-5630 There are unspecified vulnerabilities in the firmware.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. Advantech ADAM-5630 is an edge intelligent data acquisition controller from Advantech, a Chinese company. An attacker can exploit this vulnerability to impersonate the user
VAR-202409-1536 CVE-2024-38308 Advantech Co., Ltd.  adam 5550-firmware  Cross-site scripting vulnerability in CVSS V2: 8.3
CVSS V3: 6.1
Severity: MEDIUM
Advantech ADAM 5550's web application includes a "logs" page where all the HTTP requests received are displayed to the user. The device doesn't correctly neutralize malicious code when parsing HTTP requests to generate page output. Advantech Co., Ltd. adam 5550-firmware Exists in a cross-site scripting vulnerability.Information may be obtained and information may be tampered with. Advantech ADAM-5550 is a programmable automation controller from Advantech, a Chinese company. Attackers can exploit this vulnerability to execute arbitrary web scripts or HTML by injecting carefully crafted payloads
VAR-202409-1537 CVE-2024-37187 Advantech Co., Ltd.  adam-5550  Insufficient Credential Protection Vulnerability in Firmware CVSS V2: 6.1
CVSS V3: 5.7
Severity: MEDIUM
Advantech ADAM-5550 share user credentials with a low level of encryption, consisting of base 64 encoding. Advantech Co., Ltd. adam-5550 A firmware vulnerability related to insufficient protection of credentials exists.Information may be obtained. Advantech ADAM-5550 is a programmable automation controller from Advantech, a Chinese company. An attacker can exploit this vulnerability to obtain credential information and use this information to launch further attacks on the affected system
VAR-202409-1506 CVE-2024-9284 TP-LINK Technologies  of  TL-WR841ND  Stack-based buffer overflow vulnerability in firmware CVSS V2: 6.8
CVSS V3: 6.5
Severity: High
A vulnerability was found in TP-LINK TL-WR841ND up to 20240920. It has been rated as critical. Affected by this issue is some unknown functionality of the file /userRpm/popupSiteSurveyRpm.htm. The manipulation of the argument ssid leads to stack-based buffer overflow. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. TP-LINK Technologies of TL-WR841ND A stack-based buffer overflow vulnerability exists in the firmware.Service operation interruption (DoS) It may be in a state
VAR-202409-1883 CVE-2024-46628 Tenda  of  g3  in the firmware  OS  Command injection vulnerability CVSS V2: 10.0
CVSS V3: 9.8
Severity: CRITICAL
Tenda G3 Router firmware v15.03.05.05 was discovered to contain a remote code execution (RCE) vulnerability via the usbPartitionName parameter in the formSetUSBPartitionUmount function. (DoS) It may be in a state. Tenda G3 is a Qos VPN router from China's Tenda company. Attackers can exploit this vulnerability to cause arbitrary code execution
VAR-202409-1826 CVE-2024-20475 Cisco Systems  Cisco Catalyst SD-WAN Manager  Cross-site scripting vulnerability in CVSS V2: -
CVSS V3: 5.4
Severity: MEDIUM
A vulnerability in the web-based management interface of Cisco Catalyst SD-WAN Manager, formerly Cisco SD-WAN vManage, could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface. This vulnerability exists because the web-based management interface does not properly validate user-supplied input. An attacker could exploit this vulnerability by inserting malicious data into a specific data field in an affected interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface