VARIoT IoT vulnerabilities database
| VAR-201509-0006 | CVE-2015-6307 | Cisco FirePOWER 7000 and 8000 Service disruption in device software (DoS) Vulnerabilities |
CVSS V2: 6.1 CVSS V3: - Severity: MEDIUM |
Cisco FirePOWER (formerly Sourcefire) 7000 and 8000 devices with software 5.4.0.1 allow remote attackers to cause a denial of service (inspection-engine outage) via crafted packets, aka Bug ID CSCuu10871. Cisco FirePOWER (formerly Sourcefire) 7000 and 8000 device software contains a denial-of-service (inspection engine stop) vulnerability. The vendor has confirmed this vulnerability and released it as Bug ID CSCuu10871. A third party may cause a denial of service (inspection engine stop) via crafted packets. Cisco FireSIGHT System Software is prone to a denial-of-service vulnerability.
An attacker may exploit this issue to cause a denial-of-service condition.
This issue is being tracked by Cisco Bug ID CSCuu10871. Cisco FirePOWER (formerly known as Sourcefire) 7000 and 8000 are Cisco's 7000 and 8000 series firewall devices
| VAR-201510-0225 | CVE-2015-7323 | Pulse Connect Secure of Secure Meeting Vulnerable to access restrictions |
CVSS V2: 3.5 CVSS V3: - Severity: LOW |
The Secure Meeting (Pulse Collaboration) in Pulse Connect Secure (formerly Juniper Junos Pulse) before 7.1R22.1, 7.4, 8.0 before 8.0R11, and 8.1 before 8.1R3 allows remote authenticated users to bypass intended access restrictions and log into arbitrary meetings by leveraging a meeting id and meetingAppSun.jar. Pulse Connect Secure is prone to an authorization-bypass vulnerability.
Attackers can exploit this issue to gain unauthorized access and obtain sensitive information. This may aid in further attacks. Pulse Connect Secure (also known as PCS, formerly known as Juniper Junos Pulse) is a set of SSL VPN solutions of American Pulse Secure company
| VAR-201511-0089 | CVE-2015-8037 | Fortinet FortiManager Graphical user interface cross-site scripting vulnerability |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Multiple cross-site scripting (XSS) vulnerabilities in the Graphical User Interface (GUI) in Fortinet FortiManager before 5.2.4 allow remote attackers to inject arbitrary web script or HTML via the (1) SOMVpnSSLPortalDialog or (2) FGDMngUpdHistory. Fortinet FortiManager is prone to multiple cross-site-scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
FortiManager 5.2.2 and prior versions are vulnerable.
[+] Credits: hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source:
http://hyp3rlinx.altervista.org/advisories/AS-FORTIMANAGER-XSS-0924.txt
Vendor:
================================
www.fortinet.com
Product:
================================
FortiManager v5.2.2
FortiManager is a centralized security management appliance that allows you
to centrally manage any number of Fortinet Network Security devices.
2 potential XSS vectors were identified:
* XSS vulnerability in SOMVpnSSLPortalDialog.
* XSS vulnerability in FGDMngUpdHistory.
2 potential XSS vectors were identified:
* XSS vulnerability in sharedjobmanager.
* XSS vulnerability in SOMServiceObjDialog.
Affected Products
XSS items 1-2: FortiManager v5.2.2 or earlier.
XSS items 3-4: FortiManager v5.2.3 or earlier.
Solutions:
===========
No workarounds are currently available.
Update to FortiManager v5.2.4.
Exploit code(s):
===============
1- Persistent:
https://localhost/cgi-bin/module/sharedobjmanager/firewall/SOMServiceObjDialog?devGrpId=18446744073709551615&deviceId=18446744073709551615&vdom=&adomId=3&vdomID=0&adomType=ems&cate=167&prodId=0&key=ALL&catetype=167&cate=167&permit_w=1&roid=189&startIndex=0&results=50
<div class="ui-comments-div"><textarea id="_comp_15" name="_comp_15"
class="ui-comments-text" cols="58" maxlength="255"
maxnum="255" placeholder="Write a comment"
rows="1"><script>alert(666)</script></textarea><label
class="ui-comments-remaining">
2- Reflected
https://localhost/cgi-bin/module/sharedobjmanager/policy_new/874/PolicyTable?vdom=%22%27/%3E%3C/script%3E%3Cscript%3Ealert%28%27[XSS%20FortiManager%20POC%20VM64%20v5.2.2%2008042015%20]\n\n%27%2bdocument.cookie%29%3C/script%3E
Disclosure Timeline:
=========================================================
Vendor Notification: August 4, 2015
September 24, 2015 : Public Disclosure
Exploitation Technique:
=======================
Remote & Local
Severity Level:
=========================================================
Medium (3)
Description:
==========================================================
Request Method(s): [+] GET
Vulnerable Product: [+] FortiManager v5.2.2 & v5.2.3 or earlier
Vulnerable Parameter(s): [+] vdom, textarea field
Affected Area(s): [+] sharedobjmanager, SOMServiceObjDialog
===========================================================
[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and that due
credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit is given to
the author.
The author is not responsible for any misuse of the information contained
herein and prohibits any malicious use of all security related information
or exploits by the author or elsewhere.
by hyp3rlinx
| VAR-201511-0090 | CVE-2015-8038 | Fortinet FortiManager Graphical user interface cross-site scripting vulnerability |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Multiple cross-site scripting (XSS) vulnerabilities in the Graphical User Interface (GUI) in Fortinet FortiManager before 5.2.4 allow remote attackers to inject arbitrary web script or HTML via the (1) sharedjobmanager or (2) SOMServiceObjDialog. Fortinet FortiManager is prone to a cross-site scripting vulnerability and an HTML-injection vulnerability.
Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.
FortiManager 5.2.3 and prior versions are vulnerable.
[+] Credits: hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source:
http://hyp3rlinx.altervista.org/advisories/AS-FORTIMANAGER-XSS-0924.txt
Vendor:
================================
www.fortinet.com
Product:
================================
FortiManager v5.2.2
FortiManager is a centralized security management appliance that allows you
to centrally manage any number of Fortinet Network Security devices.
2 potential XSS vectors were identified:
* XSS vulnerability in SOMVpnSSLPortalDialog.
2 potential XSS vectors were identified:
* XSS vulnerability in sharedjobmanager.
Affected Products
XSS items 1-2: FortiManager v5.2.2 or earlier.
XSS items 3-4: FortiManager v5.2.3 or earlier.
Solutions:
===========
No workarounds are currently available.
Update to FortiManager v5.2.4.
Exploit code(s):
===============
1- Persistent:
https://localhost/cgi-bin/module/sharedobjmanager/firewall/SOMServiceObjDialog?devGrpId=18446744073709551615&deviceId=18446744073709551615&vdom=&adomId=3&vdomID=0&adomType=ems&cate=167&prodId=0&key=ALL&catetype=167&cate=167&permit_w=1&roid=189&startIndex=0&results=50
<div class="ui-comments-div"><textarea id="_comp_15" name="_comp_15"
class="ui-comments-text" cols="58" maxlength="255"
maxnum="255" placeholder="Write a comment"
rows="1"><script>alert(666)</script></textarea><label
class="ui-comments-remaining">
2- Reflected
https://localhost/cgi-bin/module/sharedobjmanager/policy_new/874/PolicyTable?vdom=%22%27/%3E%3C/script%3E%3Cscript%3Ealert%28%27[XSS%20FortiManager%20POC%20VM64%20v5.2.2%2008042015%20]\n\n%27%2bdocument.cookie%29%3C/script%3E
Disclosure Timeline:
=========================================================
Vendor Notification: August 4, 2015
September 24, 2015 : Public Disclosure
Exploitation Technique:
=======================
Remote & Local
Severity Level:
=========================================================
Medium (3)
Description:
==========================================================
Request Method(s): [+] GET
Vulnerable Product: [+] FortiManager v5.2.2 & v5.2.3 or earlier
Vulnerable Parameter(s): [+] vdom, textarea field
Affected Area(s): [+] sharedobjmanager, SOMServiceObjDialog
===========================================================
[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and that due
credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit is given to
the author.
The author is not responsible for any misuse of the information contained
herein and prohibits any malicious use of all security related information
or exploits by the author or elsewhere.
by hyp3rlinx
| VAR-201509-0440 | CVE-2015-3974 | Used in products from multiple vendors EasyIO EasyIO-30P-SF Vulnerabilities that can gain access rights in controller firmware |
CVSS V2: 9.0 CVSS V3: - Severity: HIGH |
EasyIO EasyIO-30P-SF controllers with firmware before 0.5.21 and 2.x before 2.0.5.21, as used in Accutrol, Bar-Tech Automation, Infocon/EasyIO, Honeywell Automation India, Johnson Controls, SyxthSENSE, Transformative Wave Technologies, Tridium Asia Pacific, and Tridium Europe products, have a hardcoded password, which makes it easier for remote attackers to obtain access via unspecified vectors. EasyIO EasyIO-30P-SF is prone to a security-bypass vulnerability.
A remote attacker may leverage this issue to gain access to the vulnerable device. EasyIO EasyIO-30P-SF is a 32-bit controller product developed by Malaysia EasyIO company and applied in DDC (direct digital control) system. A security vulnerability exists in EasyIO EasyIO-30P-SF controllers using firmware versions prior to 0.5.21 and 2.x versions prior to 2.0.5.21 due to the program's use of hard-coded passwords
| VAR-201509-0026 | CVE-2015-6279 |
Cisco IOS and IOS XE First-hop security features IPv6 Service disruption in snooping function (DoS) Vulnerabilities
Related entries in the VARIoT exploits database: VAR-E-201509-0256 |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
The IPv6 snooping functionality in the first-hop security subsystem in Cisco IOS 12.2, 15.0, 15.1, 15.2, 15.3, 15.4, and 15.5 and IOS XE 3.2SE, 3.3SE, 3.3XO, 3.4SG, 3.5E, and 3.6E before 3.6.3E; 3.7E before 3.7.2E; 3.9S and 3.10S before 3.10.6S; 3.11S before 3.11.4S; 3.12S and 3.13S before 3.13.3S; and 3.14S before 3.14.2S allows remote attackers to cause a denial of service (device reload) via a malformed ND packet with the Cryptographically Generated Address (CGA) option, aka Bug ID CSCuo04400. Cisco IOS is the interconnected network operating system used on most Cisco system routers and network switches. A remote attacker exploiting this vulnerability could cause the affected device to be overloaded.
These issues are being tracked by Cisco Bug IDs CSCuo04400 and CSCus19794. The following releases are affected: Cisco IOS Release 12.2, Release 15.0, Release 15.1, Release 15.2, Release 15.3, Release 15.4, Release 15.5, IOS XE Software Release 3.2SE, Release 3.3SE, Release 3.3XO, Release 3.4SG, Release 3.5E, 3.6E before 3.6.3E, 3.7E before 3.7.2E, 3.9S and 3.10S before 3.10.6S, 3.11S before 3.11.4S, 3.12S and 3.13S before 3.13.3S, and 3.14S before 3.14.2S.
| VAR-201710-0096 | CVE-2015-7843 | plural Huawei FusionServer Vulnerabilities related to security functions in products |
CVSS V2: 4.0 CVSS V3: 8.8 Severity: HIGH |
The management interface on Huawei FusionServer rack servers RH2288 V3 with software before V100R003C00SPC603, RH2288H V3 with software before V100R003C00SPC503, XH628 V3 with software before V100R003C00SPC602, RH1288 V3 with software before V100R003C00SPC602, RH2288A V2 with software before V100R002C00SPC701, RH1288A V2 with software before V100R002C00SPC502, RH8100 V3 with software before V100R003C00SPC110, CH222 V3 with software before V100R001C00SPC161, CH220 V3 with software before V100R001C00SPC161, and CH121 V3 with software before V100R001C00SPC161 does not limit the number of query attempts, which allows remote authenticated users to obtain credentials of higher-level users via a brute force attack. Multiple Huawei FusionServer products contain vulnerabilities related to security functions. Information may be obtained or altered, and service operation may be disrupted (DoS). Huawei FusionServer RH2288 V3 is a server product of Huawei Technologies, China. The Huawei FusionServer product failed to properly limit the number of query attempts, allowing remote attackers to obtain sensitive information through brute force attacks. Huawei FusionServer products are prone to multiple security-bypass vulnerabilities and a command-injection vulnerability.
An attacker can exploit this issue to bypass certain security restrictions and aid in brute-force attacks or execute arbitrary commands in the context of the application; other attacks may also be possible. The vulnerability is caused by the program not correctly limiting the number of query attempts. The following products and versions are affected: Huawei FusionServer RH2288 V3, RH2288H V3 and XH628 V3 version V100R003C00, FusionServer RH1288 V3 version V100R003C00SPC100, FusionServer RH2288A V2 and FusionServer RH1288A V2 version V100R002C00, FusionServer RH8100 V3 version V100R003C00, and FusionServer CH222 V3, CH220 V3 and CH121 V3 version V100R001C00.
| VAR-201509-0025 | CVE-2015-6278 |
Cisco IOS and IOS XE Of the first hop security subsystem IPv6 Service disruption in snooping function (DoS) Vulnerabilities
Related entries in the VARIoT exploits database: VAR-E-201509-0256 |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
The IPv6 snooping functionality in the first-hop security subsystem in Cisco IOS 12.2, 15.0, 15.1, 15.2, 15.3, 15.4, and 15.5 and IOS XE 3.2SE, 3.3SE, 3.3XO, 3.4SG, 3.5E, and 3.6E before 3.6.3E; 3.7E before 3.7.2E; 3.9S and 3.10S before 3.10.6S; 3.11S before 3.11.4S; 3.12S and 3.13S before 3.13.3S; and 3.14S before 3.14.2S does not properly implement the Control Plane Protection (aka CPPr) feature, which allows remote attackers to cause a denial of service (device reload) via a flood of ND packets, aka Bug ID CSCus19794. The vendor has confirmed this vulnerability and released it as Bug ID CSCus19794. A third party may cause a denial of service (device reload) via a large number of ND packets. Cisco IOS is the interconnected network operating system used on most Cisco system routers and network switches. A remote attacker exploiting this vulnerability could cause the affected device to be overloaded.
These issues are being tracked by Cisco Bug IDs CSCuo04400 and CSCus19794. The vulnerability stems from the fact that the program does not implement the Control Plane Protection function correctly. The following releases are affected: Cisco IOS Release 12.2, Release 15.0, Release 15.1, Release 15.2, Release 15.3, Release 15.4, Release 15.5, IOS XE Software Release 3.2SE, Release 3.3SE, Release 3.3XO, Release 3.4SG, Release 3.5E, 3.6E before 3.6.3E, 3.7E before 3.7.2E, 3.9S and 3.10S before 3.10.6S, 3.11S before 3.11.4S, 3.12S and 3.13S before 3.13.3S, and 3.14S before 3.14.2S.
| VAR-201509-0007 | CVE-2015-6280 | Cisco IOS and IOS XE of SSHv2 Vulnerability in obtaining login access rights in functions |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
The SSHv2 functionality in Cisco IOS 15.2, 15.3, 15.4, and 15.5 and IOS XE 3.6E before 3.6.3E, 3.7E before 3.7.1E, 3.10S before 3.10.6S, 3.11S before 3.11.4S, 3.12S before 3.12.3S, 3.13S before 3.13.3S, and 3.14S before 3.14.1S does not properly implement RSA authentication, which allows remote attackers to obtain login access by leveraging knowledge of a username and the associated public key, aka Bug ID CSCus73013. Cisco IOS is the interconnected network operating system used on most Cisco system routers and network switches. A remote attacker could exploit this vulnerability to bypass the user authentication mechanism. This may lead to further attacks.
This issue is tracked by Cisco Bug ID CSCus73013. Affected releases include 3.11S before 3.11.4S, 3.12S before 3.12.3S, 3.13S before 3.13.3S, and 3.14S before 3.14.1S.
| VAR-201509-0008 | CVE-2015-6282 | Cisco IOS XE Service disruption in (DoS) Vulnerabilities |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Cisco IOS XE 2.x and 3.x before 3.10.6S, 3.11.xS through 3.13.xS before 3.13.3S, and 3.14.xS through 3.15.xS before 3.15.1S allows remote attackers to cause a denial of service (device reload) via IPv4 packets that require NAT and MPLS actions, aka Bug ID CSCut96933. Cisco IOS XE contains a denial-of-service (device reload) vulnerability. Cisco IOS is the interconnected network operating system used on most Cisco system routers and network switches. The vulnerability could be exploited by a remote attacker to overload the affected device.
Attackers can exploit this issue to cause a reload of the affected device, resulting in denial-of-service condition.
This issue is being tracked by Cisco Bug ID CSCut96933. The following releases are affected: Cisco IOS XE 2.x releases and 3.x releases prior to 3.10.6S, 3.11.xS releases to 3.13.xS releases prior to 3.13.3S, 3.14.xS releases and 3.15.xS releases prior to 3.15.1S.
| VAR-201509-0005 | CVE-2015-6306 | Mac OS X and Linux Run on Cisco AnyConnect Secure Mobility Client In root Privileged vulnerability |
CVSS V2: 7.2 CVSS V3: - Severity: HIGH |
Cisco AnyConnect Secure Mobility Client 4.1(8) on OS X and Linux does not verify pathnames before installation actions, which allows local users to obtain root privileges via a crafted installation file, aka Bug ID CSCuv11947. Cisco AnyConnect Secure Mobility Client is prone to a local privilege-escalation vulnerability.
A local attacker may exploit this issue to gain elevated system privileges on the device.
This issue is being tracked by Cisco Bug ID CSCuv11947. The vulnerability is caused by the fact that the program does not verify the path name before performing the installation operation
| VAR-201710-0094 | CVE-2015-7841 | plural Huawei FusionServer Command injection vulnerability in the product |
CVSS V2: 10.0 CVSS V3: 9.8 Severity: CRITICAL |
The login page of the server on Huawei FusionServer rack servers RH2288 V3 with software before V100R003C00SPC603, RH2288H V3 with software before V100R003C00SPC503, XH628 V3 with software before V100R003C00SPC602, RH1288 V3 with software before V100R003C00SPC602, RH2288A V2 with software before V100R002C00SPC701, RH1288A V2 with software before V100R002C00SPC502, RH8100 V3 with software before V100R003C00SPC110, CH222 V3 with software before V100R001C00SPC161, CH220 V3 with software before V100R001C00SPC161, and CH121 V3 with software before V100R001C00SPC161 allows remote attackers to bypass access restrictions and enter commands via unspecified parameters, as demonstrated by a "user creation command." Multiple Huawei FusionServer products contain a command injection vulnerability. Information may be obtained or altered, and service operation may be disrupted (DoS). Huawei FusionServer RH2288 V3 is a server product of Huawei Technologies, China. The Huawei FusionServer product has a security vulnerability that allows remote attackers to submit special requests to change parameters in the login page and inject commands. Huawei FusionServer products are prone to multiple security-bypass vulnerabilities and a command-injection vulnerability.
An attacker can exploit this issue to bypass certain security restrictions and aid in brute-force attacks or execute arbitrary commands in the context of the application; other attacks may also be possible. A command injection vulnerability exists in the server login page of several Huawei FusionServer products. The following products and versions are affected: Huawei FusionServer RH2288 V3, RH2288H V3 and XH628 V3 version V100R003C00, FusionServer RH1288 V3 version V100R003C00SPC100, FusionServer RH2288A V2 and FusionServer RH1288A V2 version V100R002C00, FusionServer RH8100 V3 version V100R003C00, and FusionServer CH222 V3, CH220 V3 and CH121 V3 version V100R001C00.
| VAR-201710-0095 | CVE-2015-7842 | plural Huawei FusionServer Permissions vulnerability |
CVSS V2: 5.5 CVSS V3: 7.1 Severity: HIGH |
Huawei FusionServer rack servers RH2288 V3 with software before V100R003C00SPC603, RH2288H V3 with software before V100R003C00SPC503, XH628 V3 with software before V100R003C00SPC602, RH1288 V3 with software before V100R003C00SPC602, RH2288A V2 with software before V100R002C00SPC701, RH1288A V2 with software before V100R002C00SPC502, RH8100 V3 with software before V100R003C00SPC110, CH222 V3 with software before V100R001C00SPC161, CH220 V3 with software before V100R001C00SPC161, and CH121 V3 with software before V100R001C00SPC161 allow remote authenticated operators to change server information by leveraging failure to verify user permissions. Multiple Huawei FusionServer products contain a permissions vulnerability. Information may be tampered with and service operation may be disrupted (DoS). Huawei FusionServer RH2288 V3 is a server product of Huawei Technologies, China. The Huawei FusionServer product has a security vulnerability that allows remote attackers to submit special requests to change server information. Huawei FusionServer products are prone to multiple security-bypass vulnerabilities and a command-injection vulnerability.
An attacker can exploit this issue to bypass certain security restrictions and aid in brute-force attacks or execute arbitrary commands in the context of the application; other attacks may also be possible. The following products and versions are affected: Huawei FusionServer RH2288 V3, RH2288H V3 and XH628 V3 version V100R003C00, FusionServer RH1288 V3 version V100R003C00SPC100, FusionServer RH2288A V2 and FusionServer RH1288A V2 version V100R002C00, FusionServer RH8100 V3 version V100R003C00, and FusionServer CH222 V3, CH220 V3 and CH121 V3 version V100R001C00.
| VAR-201509-0004 | CVE-2015-6305 | Windows Run on Cisco AnyConnect Secure Mobility Client of vpndownloader.exe Vulnerability gained in |
CVSS V2: 7.2 CVSS V3: - Severity: HIGH |
Untrusted search path vulnerability in the CMainThread::launchDownloader function in vpndownloader.exe in Cisco AnyConnect Secure Mobility Client 2.0 through 4.1 on Windows allows local users to gain privileges via a Trojan horse DLL in the current working directory, as demonstrated by dbghelp.dll, aka Bug ID CSCuv01279. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-4211. The vendor has confirmed this vulnerability and released it as Bug ID CSCuv01279. Supplementary information: the CWE vulnerability type has been identified as CWE-426: Untrusted Search Path. http://cwe.mitre.org/data/definitions/426.html A local user may gain privileges via a Trojan horse DLL in the current working directory.
A local attacker may exploit this issue to gain elevated system privileges on the device
| VAR-201509-0023 | CVE-2015-6303 | For mobile operating systems Cisco Spark Application vulnerabilities impersonating servers |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
The Cisco Spark application 2015-07-04 for mobile operating systems does not properly verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate, aka Bug IDs CSCut36742 and CSCut36844. The vendor has confirmed this vulnerability and released it as Bug IDs CSCut36742 and CSCut36844. A man-in-the-middle attacker may masquerade as a server through a crafted certificate and retrieve important information. Cisco Spark is prone to an information-disclosure vulnerability.
An attacker can exploit this issue to perform man-in-the-middle attacks and obtain sensitive information. Successful exploits will lead to other attacks.
This issue is being tracked by Cisco Bug IDs CSCut36742 and CSCut36844. By providing a virtual space, the solution allows teams at any location to work together, call and video, discuss issues, store team files and documents, etc
| VAR-201509-0221 | CVE-2015-6474 | IBC Solar ServeMaster Plain text password vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
IBC Solar ServeMaster TLP+ and Danfoss TLX Pro+ allow remote attackers to discover cleartext passwords by reading HTML source code. ServeMaster TLP+ and Danfoss TLX Pro+ are web-based SCADA systems. The attacker can use this vulnerability to obtain plain text passwords by viewing the source code of the web page. Multiple IBC Solar Products are prone to multiple cross-site-scripting and information-disclosure vulnerabilities.
An attacker may leverage these issues to obtain potentially sensitive information and to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks
| VAR-201509-0222 | CVE-2015-6475 | IBC Solar ServeMaster Cross-Site Scripting Vulnerability |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Multiple cross-site scripting (XSS) vulnerabilities in IBC Solar ServeMaster TLP+ and Danfoss TLX Pro+ allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. ServeMaster TLP+ and Danfoss TLX Pro+ are web-based SCADA systems. An attacker could exploit this vulnerability to perform an XSS attack. Multiple IBC Solar Products are prone to multiple cross-site-scripting and information-disclosure vulnerabilities.
An attacker may leverage these issues to obtain potentially sensitive information and to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks
| VAR-201509-0219 | CVE-2015-6469 | IBC Solar ServeMaster Source code vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The interpreter in IBC Solar ServeMaster TLP+ and Danfoss TLX Pro+ allows remote attackers to discover script source code via unspecified vectors. ServeMaster TLP+ and Danfoss TLX Pro+ are web-based SCADA systems. Multiple IBC Solar Products are prone to multiple cross-site-scripting and information-disclosure vulnerabilities.
An attacker may leverage these issues to obtain potentially sensitive information and to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks
| VAR-201509-0220 | CVE-2015-6470 | Resource Data Management Data Manager Vulnerable to arbitrary password changes |
CVSS V2: 5.5 CVSS V3: - Severity: MEDIUM |
Resource Data Management Data Manager before 2.2 allows remote authenticated users to modify arbitrary passwords via unspecified vectors. Resource Data Management is a web-based SCADA monitoring system. An attacker could exploit this vulnerability to increase privileges and change the password of any user.
Versions prior to Data Manager 2.2 are vulnerable
| VAR-201509-0024 | CVE-2015-6304 | Cisco TelePresence Server Software cross-site request forgery vulnerability |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
Cross-site request forgery (CSRF) vulnerability in Cisco TelePresence Server software 3.0(2.24) allows remote attackers to hijack the authentication of arbitrary users, aka Bug IDs CSCut63718, CSCut63724, and CSCut63760. The vendor has confirmed this vulnerability and released it as Bug IDs CSCut63718, CSCut63724, and CSCut63760. A third party may be able to hijack the authentication of any user.
Exploiting this issue may allow a remote attacker to perform certain unauthorized actions and gain access to the affected application. Other attacks are also possible.
This issue is being tracked by Cisco Bug IDs CSCut63718, CSCut63724, and CSCut63760. The solution provides components such as audio and video spaces, which can provide remote participants with a "face-to-face" virtual meeting room effect