VARIoT IoT vulnerabilities database

The User Management Engine (UME) in SAP NetWeaver 7.4 allows attackers to decrypt unspecified data via unknown vectors, aka SAP Security Note 2191290. SAP Netweaver is prone to an information-disclosure vulnerability. Attackers can exploit this issue to obtain sensitive information that may lead to further attacks. SAP Netweaver 7.4 is vulnerable

Cross-site scripting (XSS) vulnerability in the login form in the integrated web server on Siemens OZW OZW672 devices before 6.00 and OZW772 devices before 6.00 allows remote attackers to inject arbitrary web script or HTML via a crafted URL. Both Siemens OZW672 and OZW772 are building controller products from Siemens AG. A cross-site scripting vulnerability exists in the Siemens OZW672 and OZW772 devices. The vulnerability could be exploited by a remote attacker to change data and settings. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks

GSKit in IBM Security Network Protection 5.3.1 before 5.3.1.7 and 5.3.2 allows remote attackers to discover credentials by triggering an MD5 collision. Attackers can exploit this issue to obtain sensitive information that may lead to further attacks. The system can monitor application usage, website access and operation execution within the network to avoid threats such as malware and botnets. IBM GSKit (IBM Global Security Toolkit) is a set of security management tools for it

Cross-site scripting (XSS) vulnerability in the Management Center in Cisco FireSIGHT System Software 6.0.1 allows remote attackers to inject arbitrary web script or HTML via a crafted cookie, aka Bug ID CSCuw89094. Cisco FireSIGHTManagementCenter centrally manages the network security and operational features of CiscoASAwithFirePOWERServices and Cisco FirePOWER appliances. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. This issue is being tracked by Cisco Bug IDs CSCuw89094 and CSCuw89138. Management Center is one of the management center components

Cisco Adaptive Security Appliance (ASA) Software 8.4 allows remote attackers to obtain sensitive information via an AnyConnect authentication attempt, aka Bug ID CSCuo65775. Vendors have confirmed this vulnerability Bug ID CSCuo65775 It is released as.By a third party AnyConnect Important information can be obtained through authentication attempts. The CiscoASA5500 Series Adaptive Security Appliance is a modular platform for providing security and VPN services with firewall, IPS, anti-X and VPN services. An unauthenticated attacker could exploit this vulnerability to obtain sensitive information. This issue is being tracked by Cisco Bug ID CSCuo65775

Juniper Junos OS before 13.2X51-D36, 14.1X53 before 14.1X53-D25, and 15.2 before 15.2R1 on EX4300 series switches allow remote attackers to cause a denial of service (network loop and bandwidth consumption) via unspecified vectors related to Spanning Tree Protocol (STP) traffic. Juniper Junos is prone to a remote denial-of-service vulnerability. An attacker can exploit this issue to cause an affected device to crash, denying service to legitimate users. Juniper Networks Junos OS on EX4300 is a network operating system developed by Juniper Networks (Juniper Networks) running on EX4300 series Ethernet switches. The operating system provides a secure programming interface and Junos SDK. A security vulnerability exists in Juniper Networks Junos OS on EX4300 series devices. The following releases are affected: Juniper Networks Junos OS prior to 13.2X51-D36, 14.1X53 prior to 14.1X53-D25, and 15.2 prior to 15.2R1

Unrestricted file upload vulnerability in the uploadImageCommon function in the UploadAjaxAction script in the WebAccess Dashboard Viewer in Advantech WebAccess before 8.1 allows remote attackers to write to files of arbitrary types via unspecified vectors. Advantech WebAccess Contains a vulnerability where an unlimited number of files can be uploaded and written to any type of file. http://cwe.mitre.org/data/definitions/434.htmlIt may be written to any type of file by a third party. Authentication is not required to exploit this vulnerability. The specific flaw exists within the WebAccess Dashboard Viewer. Insufficient validation within the FileUpload script allows unauthenticated callers to upload arbitrary code to directories in the server where the code can be automatically executed under the high-privilege context of the IIS AppPool. An attacker can leverage this vulnerability to execute arbitrary code under the context of SYSTEM. Advantech WebAccess HMI/SCADA software provides remote control and management. Advantech WebAccess is prone to following security vulnerabilities: 1. A denial-of-service vulnerability 2. An arbitrary file-upload vulnerability 3. A directory-traversal vulnerability 4. Multiple stack-based buffer-overflow vulnerabilities 5. A heap-based buffer overflow vulnerability 6. Multiple buffer-overflow vulnerabilities 7. Multiple information disclosure vulnerabilities 8. A cross-site scripting vulnerability 9. An SQL-injection vulnerability 10. A remote-code execution vulnerability An attacker can exploit these issues to execute arbitrary code in the context of the application, cause a denial-of-service condition, upload arbitrary files, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database, to use directory-traversal sequences ('../') to retrieve arbitrary files, obtain sensitive information and perform certain unauthorized actions. This may aid in further attacks. Advantech WebAccess 8.0 and prior versions are vulnerable. Advantech WebAccess is a browser-based HMI/SCADA software developed by Advantech

Directory traversal vulnerability in Advantech WebAccess before 8.1 allows remote attackers to list arbitrary virtual-directory files via unspecified vectors. Authentication is not required to exploit this vulnerability. The specific flaw exists within the WebAccess Dashboard Viewer. Insufficient validation within the removeFile script allows unauthenticated callers to remove key system files, blocking WebAccess for all users. WebAccess HMI/SCADA software provides remote control and management, allowing users to easily view and configure automation equipment in facility management systems, power stations and building automation systems. Advantech WebAccess is prone to following security vulnerabilities: 1. A denial-of-service vulnerability 2. An arbitrary file-upload vulnerability 3. A directory-traversal vulnerability 4. Multiple stack-based buffer-overflow vulnerabilities 5. A heap-based buffer overflow vulnerability 6. Multiple buffer-overflow vulnerabilities 7. Multiple information disclosure vulnerabilities 8. A cross-site scripting vulnerability 9. An SQL-injection vulnerability 10. A remote-code execution vulnerability An attacker can exploit these issues to execute arbitrary code in the context of the application, cause a denial-of-service condition, upload arbitrary files, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database, to use directory-traversal sequences ('../') to retrieve arbitrary files, obtain sensitive information and perform certain unauthorized actions. This may aid in further attacks. Advantech WebAccess 8.0 and prior versions are vulnerable. Advantech WebAccess is a browser-based HMI/SCADA software developed by Advantech

Integer overflow in the Kernel service in Advantech WebAccess before 8.1 allows remote attackers to execute arbitrary code or cause a denial of service (stack-based buffer overflow) via a crafted RPC request. Authentication is not required to exploit this vulnerability.The specific flaw exists within the implementation of the 0x791E IOCTL in the Kernel subsystem. An integer overflow for alloc size vulnerability exists. An attacker can use this vulnerability to execute arbitrary code in the context of an administrator of the system. WebAccess HMI/SCADA software provides remote control and management, allowing users to easily view and configure automation equipment in facility management systems, power stations and building automation systems. Advantech WebAccess is prone to following security vulnerabilities: 1. A denial-of-service vulnerability 2. An arbitrary file-upload vulnerability 3. A directory-traversal vulnerability 4. Multiple stack-based buffer-overflow vulnerabilities 5. Multiple buffer-overflow vulnerabilities 7. Multiple information disclosure vulnerabilities 8. A cross-site scripting vulnerability 9. An SQL-injection vulnerability 10. A cross-site request forgery vulnerability 11. This may aid in further attacks. Advantech WebAccess 8.0 and prior versions are vulnerable. Advantech WebAccess is a browser-based HMI/SCADA software developed by Advantech

Multiple heap-based buffer overflows in Advantech WebAccess before 8.1 allow remote attackers to execute arbitrary code via unspecified vectors. Authentication is not required to exploit this vulnerability.The specific flaw exists within the implementation of the 0x11367 IOCTL in the BwpAlarm subsystem. WebAccess HMI/SCADA software provides remote control and management, allowing users to easily view and configure automation equipment in facility management systems, power stations and building automation systems. Advantech WebAccess is prone to following security vulnerabilities: 1. A denial-of-service vulnerability 2. An arbitrary file-upload vulnerability 3. A directory-traversal vulnerability 4. Multiple stack-based buffer-overflow vulnerabilities 5. Multiple buffer-overflow vulnerabilities 7. Multiple information disclosure vulnerabilities 8. A cross-site scripting vulnerability 9. An SQL-injection vulnerability 10. A cross-site request forgery vulnerability 11. This may aid in further attacks. Advantech WebAccess 8.0 and prior versions are vulnerable. Advantech WebAccess is a browser-based HMI/SCADA software developed by Advantech

Advantech WebAccess before 8.1 allows remote attackers to cause a denial of service (out-of-bounds memory access) via unspecified vectors. Advantech WebAccess There is a service disruption ( Access outside the memory area ) There are vulnerabilities that are put into a state.Service disruption by a third party ( Access outside the memory area ) There is a possibility of being put into a state. This vulnerability allows remote attackers to execute arbitrary code on vulnerable instances of Advantech WebAccess. Authentication is not required to exploit this vulnerability.The specific flaw exists within the implementation of the 0x13881 IOCTL in the BwOpcTool subsystem. An uncontrolled format string vulnerability exists in a call to sprintf. An attacker can use this vulnerability to execute arbitrary code in the context of an administrator of the system. WebAccess HMI/SCADA software provides remote control and management, allowing users to easily view and configure automation equipment in facility management systems, power stations and building automation systems. Advantech WebAccess is prone to following security vulnerabilities: 1. A denial-of-service vulnerability 2. An arbitrary file-upload vulnerability 3. A directory-traversal vulnerability 4. Multiple stack-based buffer-overflow vulnerabilities 5. A heap-based buffer overflow vulnerability 6. Multiple buffer-overflow vulnerabilities 7. Multiple information disclosure vulnerabilities 8. A cross-site scripting vulnerability 9. An SQL-injection vulnerability 10. A cross-site request forgery vulnerability 11. This may aid in further attacks. Advantech WebAccess 8.0 and prior versions are vulnerable. Advantech WebAccess is a browser-based HMI/SCADA software developed by Advantech

Race condition in Advantech WebAccess before 8.1 allows remote attackers to execute arbitrary code or cause a denial of service (buffer overflow) via a crafted request. Authentication is not required to exploit this vulnerability.The specific flaw exists within the implementation of the 0x7920 IOCTL in the Kernel subsystem. A shared virtual memory overflow vulnerability exists in a call to strcpy. An attacker can use this vulnerability to execute arbitrary code in the context of an administrator of the system. WebAccess HMI/SCADA software provides remote control and management, allowing users to easily view and configure automation equipment in facility management systems, power stations and building automation systems. Advantech WebAccess is prone to following security vulnerabilities: 1. A denial-of-service vulnerability 2. An arbitrary file-upload vulnerability 3. A directory-traversal vulnerability 4. Multiple stack-based buffer-overflow vulnerabilities 5. Multiple buffer-overflow vulnerabilities 7. Multiple information disclosure vulnerabilities 8. A cross-site scripting vulnerability 9. An SQL-injection vulnerability 10. A cross-site request forgery vulnerability 11. This may aid in further attacks. Advantech WebAccess 8.0 and prior versions are vulnerable. Advantech WebAccess is a browser-based HMI/SCADA software developed by Advantech

Buffer overflow in the BwpAlarm subsystem in Advantech WebAccess before 8.1 allows remote attackers to cause a denial of service via a crafted RPC request. This vulnerability allows remote attackers to execute arbitrary code on vulnerable instances of Advantech WebAccess. Authentication is not required to exploit this vulnerability.The specific flaw exists within the implementation of the 0x11173 IOCTL in the BwpAlarm subsystem. A globals overflow vulnerability exists in a call to strcpy using the ProjectName parameter. An attacker can use this vulnerability to execute arbitrary code in the context of an administrator of the system. WebAccess HMI/SCADA software provides remote control and management. Advantech WebAccess is prone to following security vulnerabilities: 1. A denial-of-service vulnerability 2. An arbitrary file-upload vulnerability 3. A directory-traversal vulnerability 4. Multiple stack-based buffer-overflow vulnerabilities 5. Multiple buffer-overflow vulnerabilities 7. Multiple information disclosure vulnerabilities 8. A cross-site scripting vulnerability 9. An SQL-injection vulnerability 10. A cross-site request forgery vulnerability 11. This may aid in further attacks. Advantech WebAccess 8.0 and prior versions are vulnerable. Advantech WebAccess is a browser-based HMI/SCADA software developed by Advantech

Memory leak in the last hop kernel module in F5 BIG-IP LTM, GTM, and Link Controller 10.1.x, 10.2.x before 10.2.4 HF13, 11.x before 11.2.1 HF15, 11.3.x, 11.4.x, 11.5.x before 11.5.3 HF2, and 11.6.x before HF6, BIG-IP AAM 11.4.x, 11.5.x before 11.5.3 HF2 and 11.6.0 before HF6, BIG-IP AFM and PEM 11.3.x, 11.4.x, 11.5.x before 11.5.3 HF2, and 11.6.0 before HF6, BIG-IP Analytics 11.x before 11.2.1 HF15, 11.3.x, 11.4.x, 11.5.x before 11.5.3 HF2, and 11.6.0 before HF6, BIG-IP APM and ASM 10.1.0 through 10.2.4, 11.x before 11.2.1 HF15, 11.3.x, 11.4.x, 11.5.x before 11.5.3 HF2, and 11.6.0 before HF6, BIG-IP Edge Gateway, WebAccelerator, and WOM 10.1.x, 10.2.x before 10.2.4 HF13, 11.x before 11.2.1 HF15, and 11.3.0, BIG-IP PSM 10.1.x, 10.2.x before 10.2.4 HF13, 11.x before 11.2.1 HF15, 11.3.x, and 11.4.x before 11.4.1 HF, Enterprise Manager 3.0.0 through 3.1.1, BIG-IQ Cloud and Security 4.0.0 through 4.5.0, BIG-IQ Device 4.2.0 through 4.5.0, and BIG-IQ ADC 4.5.0 might allow remote attackers to cause a denial of service (memory consumption) via a large number of crafted UDP packets. plural F5 The last hop kernel module of the product interferes with service operation due to memory leak ( Memory consumption ) There are vulnerabilities that are put into a state.A great deal of crafting by a third party UDP Service disruption via packets ( Memory consumption ) There is a possibility of being put into a state. Multiple F5 BIG-IP products are prone to a denial-of-service vulnerability. Successful exploitation of the issue will cause excessive memory resource consumption, resulting in a denial-of-service condition. F5 BIG-IP LTM, etc. are all products of F5 Company in the United States. LTM is a local traffic manager; APM is a solution that provides secure unified access to business-critical applications and networks. A remote attacker could exploit this vulnerability by sending a large number of specially crafted UDP packets to cause a denial of service (memory consumption). The following products and versions are affected: F5 BIG-IP LTM, APM, ASM, Link Controller 11.0.0 to 11.6.0, 10.1.0 to 10.2.4, BIG-IP AAM 11.4.0 to 11.6. 0, BIG-IP AFM, PEM 11.3.0 to 11.6.0, BIG-IP Analytics 11.0.0 to 11.6.0, BIG-IP Edge Gateway 11.0.0 to 11.3.0, 10.1. 0 to 10.2.4, BIG-IP PSM 11.0.0 to 11.4.1, 10.1.0 to 10.2.4, Enterprise Manager 3.0.0 to 3.1.1, BIG-IQ Cloud, Security Version 4.0.0 to version 4.5.0, BIG-IQ Device version 4.2.0 to version 4.5.0, BIG-IQ ADC version 4.5.0

Cross-site request forgery (CSRF) vulnerability in Advantech WebAccess before 8.1 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors. Advantech WebAccess Contains a cross-site request forgery vulnerability.Authentication may be hijacked by a third party. WebAccess HMI/SCADA software provides remote control and management, allowing users to easily view and configure automation equipment in facility management systems, power stations and building automation systems. Advantech WebAccess is prone to following security vulnerabilities: 1. A denial-of-service vulnerability 2. An arbitrary file-upload vulnerability 3. A directory-traversal vulnerability 4. Multiple stack-based buffer-overflow vulnerabilities 5. A heap-based buffer overflow vulnerability 6. Multiple buffer-overflow vulnerabilities 7. Multiple information disclosure vulnerabilities 8. A cross-site scripting vulnerability 9. An SQL-injection vulnerability 10. A remote-code execution vulnerability An attacker can exploit these issues to execute arbitrary code in the context of the application, cause a denial-of-service condition, upload arbitrary files, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database, to use directory-traversal sequences ('../') to retrieve arbitrary files, obtain sensitive information and perform certain unauthorized actions. This may aid in further attacks. Advantech WebAccess 8.0 and prior versions are vulnerable. Advantech WebAccess is a browser-based HMI/SCADA software developed by Advantech. A remote attacker could exploit this vulnerability to perform unauthorized operations

Advantech WebAccess before 8.1 allows remote attackers to read sensitive cleartext information about e-mail project accounts via unspecified vectors. WebAccess HMI/SCADA software provides remote control and management, allowing users to easily view and configure automation equipment in facility management systems, power stations and building automation systems. Advantech WebAccess is prone to following security vulnerabilities: 1. A denial-of-service vulnerability 2. An arbitrary file-upload vulnerability 3. A directory-traversal vulnerability 4. Multiple stack-based buffer-overflow vulnerabilities 5. A heap-based buffer overflow vulnerability 6. Multiple buffer-overflow vulnerabilities 7. Multiple information disclosure vulnerabilities 8. A cross-site scripting vulnerability 9. An SQL-injection vulnerability 10. A cross-site request forgery vulnerability 11. A remote-code execution vulnerability An attacker can exploit these issues to execute arbitrary code in the context of the application, cause a denial-of-service condition, upload arbitrary files, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database, to use directory-traversal sequences ('../') to retrieve arbitrary files, obtain sensitive information and perform certain unauthorized actions. This may aid in further attacks. Advantech WebAccess 8.0 and prior versions are vulnerable. Advantech WebAccess is a browser-based HMI/SCADA software developed by Advantech

SQL injection vulnerability in Advantech WebAccess before 8.1 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors. WebAccess HMI/SCADA software provides remote control and management, allowing users to easily view and configure automation equipment in facility management systems, power stations and building automation systems. Advantech WebAccess is prone to following security vulnerabilities: 1. A denial-of-service vulnerability 2. An arbitrary file-upload vulnerability 3. A directory-traversal vulnerability 4. Multiple stack-based buffer-overflow vulnerabilities 5. A heap-based buffer overflow vulnerability 6. Multiple buffer-overflow vulnerabilities 7. Multiple information disclosure vulnerabilities 8. A cross-site scripting vulnerability 9. An SQL-injection vulnerability 10. A cross-site request forgery vulnerability 11. A remote-code execution vulnerability An attacker can exploit these issues to execute arbitrary code in the context of the application, cause a denial-of-service condition, upload arbitrary files, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database, to use directory-traversal sequences ('../') to retrieve arbitrary files, obtain sensitive information and perform certain unauthorized actions. This may aid in further attacks. Advantech WebAccess 8.0 and prior versions are vulnerable. Advantech WebAccess is a browser-based HMI/SCADA software developed by Advantech

Advantech WebAccess before 8.1 allows remote attackers to execute arbitrary code via vectors involving a browser plugin. WebAccess HMI/SCADA software provides remote control and management, allowing users to easily view and configure automation equipment in facility management systems, power stations and building automation systems. Advantech WebAccess is prone to following security vulnerabilities: 1. A denial-of-service vulnerability 2. An arbitrary file-upload vulnerability 3. A directory-traversal vulnerability 4. Multiple stack-based buffer-overflow vulnerabilities 5. A heap-based buffer overflow vulnerability 6. Multiple buffer-overflow vulnerabilities 7. Multiple information disclosure vulnerabilities 8. A cross-site scripting vulnerability 9. An SQL-injection vulnerability 10. A cross-site request forgery vulnerability 11. A remote-code execution vulnerability An attacker can exploit these issues to execute arbitrary code in the context of the application, cause a denial-of-service condition, upload arbitrary files, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database, to use directory-traversal sequences ('../') to retrieve arbitrary files, obtain sensitive information and perform certain unauthorized actions. This may aid in further attacks. Advantech WebAccess 8.0 and prior versions are vulnerable. Advantech WebAccess is a browser-based HMI/SCADA software developed by Advantech

Advantech WebAccess before 8.1 allows remote attackers to obtain sensitive information via crafted input. WebAccess HMI/SCADA software provides remote control and management, allowing users to easily view and configure automation equipment in facility management systems, power stations and building automation systems. Advantech WebAccess is prone to following security vulnerabilities: 1. A denial-of-service vulnerability 2. An arbitrary file-upload vulnerability 3. A directory-traversal vulnerability 4. Multiple stack-based buffer-overflow vulnerabilities 5. A heap-based buffer overflow vulnerability 6. Multiple buffer-overflow vulnerabilities 7. Multiple information disclosure vulnerabilities 8. A cross-site scripting vulnerability 9. An SQL-injection vulnerability 10. A cross-site request forgery vulnerability 11. A remote-code execution vulnerability An attacker can exploit these issues to execute arbitrary code in the context of the application, cause a denial-of-service condition, upload arbitrary files, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database, to use directory-traversal sequences ('../') to retrieve arbitrary files, obtain sensitive information and perform certain unauthorized actions. This may aid in further attacks. Advantech WebAccess 8.0 and prior versions are vulnerable. Advantech WebAccess is a browser-based HMI/SCADA software developed by Advantech

Advantech WebAccess before 8.1 allows remote attackers to bypass an intended administrative requirement and obtain file or folder access via unspecified vectors. WebAccess HMI/SCADA software provides remote control and management, allowing users to easily view and configure automation equipment in facility management systems, power stations and building automation systems. Advantech WebAccess is prone to following security vulnerabilities: 1. A denial-of-service vulnerability 2. An arbitrary file-upload vulnerability 3. A directory-traversal vulnerability 4. Multiple stack-based buffer-overflow vulnerabilities 5. A heap-based buffer overflow vulnerability 6. Multiple buffer-overflow vulnerabilities 7. Multiple information disclosure vulnerabilities 8. A cross-site scripting vulnerability 9. An SQL-injection vulnerability 10. A cross-site request forgery vulnerability 11. A remote-code execution vulnerability An attacker can exploit these issues to execute arbitrary code in the context of the application, cause a denial-of-service condition, upload arbitrary files, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database, to use directory-traversal sequences ('../') to retrieve arbitrary files, obtain sensitive information and perform certain unauthorized actions. This may aid in further attacks. Advantech WebAccess 8.0 and prior versions are vulnerable. Advantech WebAccess is a browser-based HMI/SCADA software developed by Advantech