VARIoT IoT vulnerabilities database

SQL injection vulnerability in CalendarCommon.php in vTiger CRM 5.4.0 and possibly earlier allows remote authenticated users to execute arbitrary SQL commands via the onlyforuser parameter in an index action to index.php. NOTE: this issue might be a duplicate of CVE-2011-4559. vTiger CRM of CalendarCommon.php Is SQL An injection vulnerability exists. vtiger CRM is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. vtiger CRM 5.4.0 is vulnerable; prior versions may also be affected. Vtiger CRM is a customer relationship management system (CRM) based on SugarCRM developed by American Vtiger Company. The management system provides functions such as management, collection, and analysis of customer information. The vulnerability is caused by the program not adequately filtering the 'onlyforuser' parameter passed to the index.php script

The Twitter subsystem in Apple iOS before 7 does not require API conformity for access to Twitter daemon interfaces, which allows attackers to post Tweets via a crafted app that sends direct requests to the daemon. Apple iOS for the iPhone, the iPod touch, and the iPad is prone to a security-bypass vulnerability. Successful exploits may allow attackers to bypass sandbox security restrictions and perform unauthorized actions. Note: This issue was previously covered in BID 62491 (Apple iPhone/iPad/iPod touch Prior to iOS 7 Multiple Vulnerabilities), but has been given its own record to better document it. Apple iOS is an operating system developed by Apple (Apple) for mobile devices

The access policy logon page (logon.inc) in F5 BIG-IP APM 11.1.0 through 11.2.1 allows remote attackers to conduct clickjacking attacks via unspecified vectors. F5 BIG-IP APM is prone to a clickjacking vulnerability. Successful exploits will allow an authenticated attacker to compromise the affected application or obtain sensitive information. Other attacks are also possible. F5 BIG-IP APM 11.1.0 through 11.2.1 are vulnerable. other versions may also be affected. F5 BIG-IP Access Policy Manager (APM) is a set of access and security solutions from F5 Corporation of the United States. The solution provides unified access to business-critical applications and networks. A remote attacker can exploit this vulnerability to implement clickjacking attacks

The Sandbox subsystem in Apple iOS before 7 determines the sandboxing requirement for a #! application on the basis of the script interpreter instead of the script, which allows attackers to bypass intended access restrictions via a crafted application. Apple iOS for the iPhone, the iPod touch, and the iPad is prone to a security-bypass vulnerability. An attacker can exploit this issue to bypass intended sandbox restrictions and perform unauthorized actions. This may aid in further attacks. Note: This issue was previously covered in BID 62491 (Apple iPhone/iPad/iPod touch Prior to iOS 7 Multiple Vulnerabilities), but has been given its own record to better document it. Apple iOS is an operating system developed by Apple (Apple) for mobile devices

Springboard in Apple iOS before 7 does not properly manage the lock state in Lost Mode, which allows physically proximate attackers to read notifications via unspecified vectors. Apple iOS for iPhone, iPod touch, and iPad is prone to an information-disclosure vulnerability. Local attackers can leverage this issue to gain access to sensitive information. Information obtained may aid in further attacks. Note: This issue was previously covered in BID 62491 (Apple iPhone/iPad/iPod touch Prior to iOS 7 Multiple Vulnerabilities), but has been given its own record to better document it. Springboard is a set of iDevice desktops of Apple (Apple). A security vulnerability exists in the Springboard desktop in Apple iOS 6.1.4 and earlier versions. The vulnerability stems from the program not properly managing the locked state in Lost mode

The kernel in Apple iOS before 7 does not initialize unspecified kernel data structures, which allows local users to obtain sensitive information from kernel stack memory via the (1) msgctl API or (2) segctl API. Apple iOS for iPhone, iPod touch, and iPad is prone to multiple information-disclosure vulnerabilities. Local attackers can leverage these issues to gain access to sensitive information. Information obtained may aid in further attacks. Note: This issue was previously covered in BID 62491 (Apple iPhone/iPad/iPod touch Prior to iOS 7 Multiple Vulnerabilities), but has been given its own record to better document it. Apple iOS is an operating system developed by Apple (Apple) for mobile devices. There is a buffer overflow vulnerability in the kernel of Apple iOS 6.1.4 and earlier versions. The vulnerability is caused by the program not initializing the kernel data structure

Mobile Safari in Apple iOS before 7 allows remote attackers to spoof the URL bar via a crafted web site. Apple iOS for the iPhone, the iPod touch, and the iPad is prone to a URI-spoofing vulnerability. An attacker can then display spoofed site contents to the user that seemingly originate from the trusted site. This allows a remote attacker to carry out phishing attacks. Other attacks may be possible. Note: This issue was previously covered in BID 62491 (Apple iPhone/iPad/iPod touch Prior to iOS 7 Multiple Vulnerabilities), but has been given its own record to better document it. Apple Mobile Safari is a browser developed by Apple (Apple) for mobile devices

Mobile Safari in Apple iOS before 7 does not prevent HTML interpretation of a document served with a text/plain content type, which allows remote attackers to conduct cross-site scripting (XSS) attacks by uploading a file. Apple iOS for iPhone, iPod touch, and iPad is prone to a cross-site scripting vulnerability. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of another site. This may help the attacker steal cookie-based authentication credentials and launch other attacks. Note: This issue was previously covered in BID 62491 (Apple iPhone/iPad/iPod touch Prior to iOS 7 Multiple Vulnerabilities), but has been given its own record to better document it. Apple Mobile Safari is a browser developed by Apple (Apple) for mobile devices. The program does not prevent the server from sending documents with the content type of 'Content-Type: text/plain'

The kernel in Apple iOS before 7 allows remote attackers to cause a denial of service (assertion failure and device restart) via an invalid packet fragment. Apple iOS for the iPhone, iPod touch, and iPad is prone to a denial-of-service vulnerability. Successfully exploiting this issue will allow attackers to cause denial-of-service conditions. Note: This issue was previously covered in BID 62491 (Apple iPhone/iPad/iPod touch Prior to iOS 7 Multiple Vulnerabilities), but has been given its own record to better document it. Apple iOS is an operating system developed by Apple (Apple) for mobile devices

The kernel in Apple iOS before 7 uses an incorrect data size for a certain integer variable, which allows attackers to cause a denial of service (infinite loop and device hang) via a crafted application, related to an "integer truncation vulnerability.". Apple iOS for the iPhone, iPod touch, and iPad is prone to a denial-of-service vulnerability. Successfully exploiting this issue will allow attackers to cause denial-of-service conditions. Note: This issue was previously covered in BID 62491 (Apple iPhone/iPad/iPod touch Prior to iOS 7 Multiple Vulnerabilities), but has been given its own record to better document it. Apple iOS is an operating system developed by Apple (Apple) for mobile devices. A Numeric Error vulnerability exists in the kernel in Apple iOS 6.1.4 and earlier. The vulnerability results from the program using incorrect data values ​​for integer variables

WebKit in Apple iOS before 7 allows remote attackers to bypass the Same Origin Policy and obtain potentially sensitive information about use of the window.webkitRequestAnimationFrame API via an IFRAME element. Apple iOS for iPhone, iPod touch, and iPad is prone to an information-disclosure vulnerability. Attackers can leverage this issue to gain access to sensitive information. Information obtained may aid in further attacks. Note: This issue was previously covered in BID 62491 (Apple iPhone/iPad/iPod touch Prior to iOS 7 Multiple Vulnerabilities), but has been given its own record to better document it. WebKit is a set of open source web browser engines jointly developed by companies such as KDE, Apple (Apple), and Google (Google), and is currently used by browsers such as Apple Safari and Google Chrome. An information disclosure vulnerability exists in the WebKit browser engine in Apple iOS 6.1.4 and earlier

The Social subsystem in Apple iOS before 7 does not properly restrict access to the cache of Twitter icons, which allows physically proximate attackers to obtain sensitive information about recent Twitter interaction via unspecified vectors. Apple iOS for iPhone, iPod touch, and iPad is prone to an information-disclosure vulnerability. Local attackers can leverage this issue to gain access to sensitive information. Information obtained may aid in further attacks. Note: This issue was previously covered in BID 62491 (Apple iPhone/iPad/iPod touch Prior to iOS 7 Multiple Vulnerabilities), but has been given its own record to better document it. Apple iOS is an operating system developed by Apple (Apple) for mobile devices. A security vulnerability exists in the Social subsystem in Apple iOS 6.1.4 and earlier versions

The Telephony subsystem in Apple iOS before 7 does not require API conformity for access to telephony-daemon interfaces, which allows attackers to bypass intended restrictions on phone calls via a crafted app that sends direct requests to the daemon. Apple iOS for the iPhone, the iPod touch, and the iPad is prone to a security-bypass vulnerability. Successful exploits may allow attackers to bypass sandbox security restrictions and perform unauthorized actions. Note: This issue was previously covered in BID 62491 (Apple iPhone/iPad/iPod touch Prior to iOS 7 Multiple Vulnerabilities), but has been given its own record to better document it. Apple iOS is an operating system developed by Apple (Apple) for mobile devices

The Sandbox subsystem in Apple iOS before 7 allows attackers to cause a denial of service (infinite loop) via an application that writes crafted values to /dev/random. Apple iOS for iPhone, iPod touch, and iPad is prone to a denial-of-service vulnerability. Successfully exploiting this issue will allow attackers to cause denial-of-service conditions. Note: This issue was previously covered in BID 62491 (Apple iPhone/iPad/iPod touch Prior to iOS 7 Multiple Vulnerabilities), but has been given its own record to better document it. Apple iOS is an operating system developed by Apple (Apple) for mobile devices

Passcode Lock in Apple iOS before 7 does not properly manage the lock state, which allows physically proximate attackers to bypass an intended passcode requirement by leveraging a race condition involving phone calls and ejection of a SIM card. Apple iOS for the iPhone, the iPod touch, and the iPad is prone to a local security-bypass vulnerability. An attacker with physical access to a device can exploit this issue to bypass the screen lock. Successful exploits may lead to other attacks. Note: This issue was previously covered in BID 62491 (Apple iPhone/iPad/iPod touch Prior to iOS 7 Multiple Vulnerabilities), but has been given its own record to better document it. Apple iOS is an operating system developed by Apple (Apple) for mobile devices. The vulnerability is caused by the program not properly managing the lock state

The Push Notifications subsystem in Apple iOS before 7 provides the push-notification token to an app without user approval, which allows attackers to obtain sensitive information via an app that employs a crafted push-notification registration process. Apple iOS for the iPhone, the iPod touch, and the iPad is prone to an information-disclosure vulnerability. Attackers can leverage this issue to gain access to sensitive information. Information obtained may aid in further attacks. Note: This issue was previously covered in BID 62491 (Apple iPhone/iPad/iPod touch Prior to iOS 7 Multiple Vulnerabilities), but has been given its own record to better document it. Apple iOS is an operating system developed by Apple (Apple) for mobile devices

kextd in Kext Management in Apple iOS before 7 does not properly verify authorization for IPC messages, which allows local users to (1) load or (2) unload kernel extensions via a crafted message. Apple iOS for the iPhone, the iPod touch, and the iPad is prone to a local security-bypass vulnerability. Local attackers can exploit this issue to bypass certain security restrictions and perform unauthorized actions. Note: This issue was previously covered in BID 62491 (Apple iPhone/iPad/iPod touch Prior to iOS 7 Multiple Vulnerabilities), but has been given its own record to better document it. Apple iOS is an operating system developed by Apple (Apple) for mobile devices

Multiple cross-site scripting (XSS) vulnerabilities in WebKit in Apple iOS before 7 allow user-assisted remote attackers to inject arbitrary web script or HTML via vectors involving a (1) drag-and-drop or (2) copy-and-paste operation. Apple iOS Used in etc. Apple iOS for iPhone, iPod touch, and iPad is prone to a cross-site scripting vulnerability. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of another site. This may help the attacker steal cookie-based authentication credentials and launch other attacks. Note: This issue was previously covered in BID 62491 (Apple iPhone/iPad/iPod touch Prior to iOS 7 Multiple Vulnerabilities), but has been given its own record to better document it. WebKit is a set of open source web browser engines jointly developed by companies such as KDE, Apple (Apple), and Google (Google), and is currently used by browsers such as Apple Safari and Google Chrome

Cross-site scripting (XSS) vulnerability in WebKit in Apple iOS before 7 allows remote attackers to inject arbitrary web script or HTML via a crafted URL. Apple iOS Used in etc. Apple iOS for iPhone, iPod touch, and iPad is prone to a cross-site scripting vulnerability. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of another site. This may help the attacker steal cookie-based authentication credentials and launch other attacks. Note: This issue was previously covered in BID 62491 (Apple iPhone/iPad/iPod touch Prior to iOS 7 Multiple Vulnerabilities), but has been given its own record to better document it. WebKit is a set of open source web browser engines jointly developed by companies such as KDE, Apple (Apple), and Google (Google), and is currently used by browsers such as Apple Safari and Google Chrome

IOCatalogue in IOKitUser in Apple iOS before 7 allows attackers to cause a denial of service (NULL pointer dereference and device crash) via a crafted application. Apple iOS for the iPhone, iPod touch, and iPad is prone to a denial-of-service vulnerability. Successfully exploiting this issue will allow attackers to cause denial-of-service conditions. Note: This issue was previously covered in BID 62491 (Apple iPhone/iPad/iPod touch Prior to iOS 7 Multiple Vulnerabilities), but has been given its own record to better document it. Apple iOS is an operating system developed by Apple (Apple) for mobile devices. A denial of service vulnerability exists in the IOCatalogue file in IOKitUser in Apple iOS 6.1.4 and earlier