VARIoT IoT vulnerabilities database
| VAR-201401-0503 | CVE-2014-1407 | Conceptronic C54APM Cross-Site Scripting Vulnerability |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Multiple cross-site scripting (XSS) vulnerabilities on the Conceptronic C54APM access point with runtime code 1.26 allow remote attackers to inject arbitrary web script or HTML via (1) the submit-url parameter in a Refresh action to goform/formWlSiteSurvey or (2) the wlan-url parameter to goform/formWlanSetup. (1) goform/formWlSiteSurvey of Refresh action of submit-url Parameters (2) goform/formWlanSetup of wlan-url Parameters. The Conceptronic C54APM is a wireless AP device. A cross-site scripting vulnerability exists in the Conceptronic C54APM device. The \342\200\230wlan-url\342\200\231 parameter was not properly filtered because the goform/formWlSiteSurvey page failed to properly filter the \342\200\230submit-url\342\200\231 parameter in the Refresh operation and the goform/formWlanSetup script. Conceptronic C54APM is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
Conceptronic C54APM 2.0 running firmware 1.26 is vulnerable; other versions may be affected. Conceptronic C54APM is a wireless access device produced by German Conceptronic Company
| VAR-201401-0504 | CVE-2014-1408 | Conceptronic C54APM Access point acquisition vulnerability |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
The Conceptronic C54APM access point with runtime code 1.26 has a default password of admin for the admin account, which makes it easier for remote attackers to obtain access via an HTTP request, as demonstrated by stored XSS attacks. The Conceptronic C54APM is a wireless AP device. The Conceptronic C54APM has an unsafe default password vulnerability. Because the program uses the default password for the management account. Conceptronic C54APM 2.0 is prone to an insecure-default-password vulnerability.
Conceptronic C54APM 2.0 running firmware 1.26 is vulnerable. Conceptronic C54APM is a wireless access device produced by German Conceptronic Company. There is a trust management vulnerability in the Conceptronic C54APM device using the Runtime Code 1.26 accessor
| VAR-201401-0167 | CVE-2013-6974 | Cisco Secure Access Control System of Web Interface cross-site scripting vulnerability |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Cross-site scripting (XSS) vulnerability in the web interface in Cisco Secure Access Control System (ACS) allows remote attackers to inject arbitrary web script or HTML via an unspecified parameter, aka Bug ID CSCud89431. Cisco Secure ACS is a central management platform for Cisco network devices that controls device authentication and authorization. An attacker can exploit this vulnerability by enticing a user to access a malicious link due to insufficient parameter input validation.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
This issue is being tracked by Cisco Bug ID CSCud89431. The system can respectively control network access and network device access through RADIUS and TACACS protocols
| VAR-201409-1255 | No CVE | Multiple vulnerabilities in multiple TP-LINK routers |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
TP-Link is a well-known supplier of network and communication equipment. Cross-site request forgery and HTML injection vulnerabilities existed on multiple TP-LINK routers because the program failed to properly filter user-supplied input. An attacker can use this to perform certain unauthorized actions, execute arbitrary scripts or HTML code in the browser context, or steal authentication credentials from a cookie. Other attacks are also possible
| VAR-201401-0052 | CVE-2013-2819 | Sierra Wireless AirLink Raven X EV-DO Gateway Trojan Firmware Installation Vulnerability |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
The Sierra Wireless AirLink Raven X EV-DO gateway 4221_4.0.11.003 and 4228_4.0.11.003 allows remote attackers to install Trojan horse firmware by leveraging cleartext credentials in a crafted (1) update or (2) reprogramming action. AirLink Raven X EV-DO is a small 3G network smart modem. AirLink Raven X EV-DO has an information disclosure vulnerability. Because the program fails to use encryption during the update and reprogramming process, the attacker can reprogram the firmware using the username and password stored in clear text. AirLink Raven X EV-DO is prone to an information-disclosure vulnerability
Successful exploits will allow attackers to obtain sensitive information, such as user credentials, that may lead to further attacks
| VAR-201401-0053 | CVE-2013-2820 | AirLink Raven X EV-DO Replay Security Bypass Vulnerability |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
The Sierra Wireless AirLink Raven X EV-DO gateway 4221_4.0.11.003 and 4228_4.0.11.003 allows remote attackers to reprogram the firmware via a replay attack using UDP ports 17336 and 17388. AirLink Raven X EV-DO is a small 3G network smart modem. Allows remote attackers to exploit vulnerabilities to send specially crafted requests to the 17336/UDP and 17388/UDP ports to reprogram the device firmware image, bypassing authentication and unauthorized access to the device.
Successful exploits may allow attackers to bypass authentication through a replay attack and perform unauthorized actions
| VAR-201401-0357 | CVE-2014-0651 | Cisco Context Directory Agent Vulnerabilities that gain management access in the management interface |
CVSS V2: 4.9 CVSS V3: - Severity: MEDIUM |
The administrative interface in Cisco Context Directory Agent (CDA) does not properly enforce authorization requirements, which allows remote authenticated users to obtain administrative access by hijacking a session, aka Bug ID CSCuj45347.
An authenticated attacker can exploit this issue to gain access to services with escalated privileges.
This issue is tracked by Cisco Bug ID CSCuj45347. The vulnerability stems from the program's improper implementation of authentication operations. A remote attacker could exploit this vulnerability to perform administrative operations by hijacking a session
| VAR-201401-0359 | CVE-2014-0653 | Cisco Adaptive Security Appliance Software Identity Firewall Vulnerabilities that trigger changes in authentication status in functions |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
The Identity Firewall (IDFW) functionality in Cisco Adaptive Security Appliance (ASA) Software allows remote attackers to trigger authentication-state modifications via a crafted NetBIOS logout probe response, aka Bug ID CSCuj45340.
Successfully exploiting this issue will allow an attacker to perform certain unauthorized actions. This may lead to other attacks.
This issue is being tracked by Cisco Bug ID CSCuj45340. A remote attacker could exploit this vulnerability to affect the current authorized user's access
| VAR-201401-0360 | CVE-2014-0654 | Cisco Context Directory Agent Cache modification vulnerability |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Cisco Context Directory Agent (CDA) allows remote attackers to modify the cache via a replay attack involving crafted RADIUS accounting messages, aka Bug ID CSCuj45383.
An attacker can exploit this issue to bypass certain security restrictions and perform unauthorized actions.
This issue is being tracked by Cisco Bug ID CSCuj45383. The vulnerability is caused by the program not filtering RADIUS accounting messages sufficiently. A remote attacker could exploit this vulnerability to modify the cache through a redirection attack
| VAR-201401-0361 | CVE-2014-0655 | Cisco Adaptive Security Appliance Software Identity Firewall Vulnerability to change the contents of the user cache in the function |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
The Identity Firewall (IDFW) functionality in Cisco Adaptive Security Appliance (ASA) Software allows remote attackers to change the user-cache contents via a replay attack involving crafted RADIUS Change of Authorization (CoA) messages, aka Bug ID CSCuj45332.
Successfully exploiting this issue will allow an attacker to perform replay attacks. This may lead to other attacks.
This issue is being tracked by Cisco Bug ID CSCuj45332
| VAR-201401-0362 | CVE-2014-0656 | Cisco Context Directory Agent Vulnerabilities triggered by missing user interface data |
CVSS V2: 4.0 CVSS V3: - Severity: MEDIUM |
Cisco Context Directory Agent (CDA) allows remote authenticated users to trigger the omission of certain user-interface data via crafted field values, aka Bug ID CSCuj45353.
An attacker can exploit this issue to hide values from displaying in the CDA user interface. This may also aid in launching further attacks. Cisco Context Directory Agent (CDA) is a set of Cisco (Cisco) company running on Cisco Linux machines for real-time monitoring Active Directory Domain Controller (DC) authentication and other related events. A security vulnerability exists in Cisco CDA
| VAR-201401-0363 | CVE-2014-0657 | Cisco Unified Communications Manager Unauthorized Access Vulnerability |
CVSS V2: 4.0 CVSS V3: - Severity: MEDIUM |
The administration portal in Cisco Unified Communications Manager (Unified CM) 9.1(1) and earlier does not properly handle role restrictions, which allows remote authenticated users to bypass role-based access control via multiple visits to a forbidden portal URL, aka Bug ID CSCuj83540. This may aid in further attacks.
This issue is being tracked by Cisco Bug ID CSCuj83540. This component provides a scalable, distributed and highly available enterprise IP telephony call processing solution. The vulnerability is caused by the program not properly managing role permissions
| VAR-201401-0358 | CVE-2014-0652 | Cisco Context Directory Agent Cross-site scripting vulnerability in the mapping page |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Cross-site scripting (XSS) vulnerability in the Mappings page in Cisco Context Directory Agent (CDA) allows remote attackers to inject arbitrary web script or HTML via a crafted URL, aka Bug ID CSCuj45358.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
This issue is being tracked by Cisco Bug ID CSCuj45358
| VAR-201406-0230 | CVE-2014-4027 | Linux kernel of drivers/target/target_core_rd.c Inside rd_build_device_space Vulnerabilities that capture important information in functions |
CVSS V2: 2.3 CVSS V3: - Severity: LOW |
The rd_build_device_space function in drivers/target/target_core_rd.c in the Linux kernel before 3.14 does not properly initialize a certain data structure, which allows local users to obtain sensitive information from ramdisk_mcp memory by leveraging access to a SCSI initiator. Linux Kernel is prone to an information-disclosure vulnerability.
An attacker can exploit this issue to obtain sensitive information; information obtained may aid in other attacks.
Linux Kernel 2.6.38 through versions prior to 3.14 are affected. The NFSv4 implementation is one of the distributed file system protocols. The vulnerability is due to the fact that the program does not initialize the data structure correctly. ============================================================================
Ubuntu Security Notice USN-2336-1
September 02, 2014
linux-lts-trusty vulnerabilities
============================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.04 LTS
Summary:
Several security issues were fixed in the kernel.
Software Description:
- linux-lts-trusty: Linux hardware enablement kernel from Trusty
Details:
A flaw was discovered in the Linux kernel virtual machine's (kvm)
validation of interrupt requests (irq). A guest OS user could exploit this
flaw to cause a denial of service (host OS crash). (CVE-2014-0155)
Andy Lutomirski discovered a flaw in the authorization of netlink socket
operations when a socket is passed to a process of more privilege.
(CVE-2014-0181)
An information leak was discovered in the Linux kernels
aio_read_events_ring function. (CVE-2014-4027)
Sasha Levin reported an issue with the Linux kernel's shared memory
subsystem when used with range notifications and hole punching. (CVE-2014-4171)
Toralf F=C3=B6rster reported an error in the Linux kernels syscall auditing on
32 bit x86 platforms.
(CVE-2014-4653)
A authorization bug was discovered with the snd_ctl_elem_add function of
the Advanced Linux Sound Architecture (ALSA) in the Linux kernel. (CVE-2014-4654)
A flaw discovered in how the snd_ctl_elem function of the Advanced Linux
Sound Architecture (ALSA) handled a reference count. A local user could
exploit this flaw to cause a denial of service (integer overflow and limit
bypass). (CVE-2014-4667)
Vasily Averin discover a reference count flaw during attempts to umount in
conjunction with a symlink. (CVE-2014-5045)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 12.04 LTS:
linux-image-3.13.0-35-generic 3.13.0-35.62~precise1
linux-image-3.13.0-35-generic-lpae 3.13.0-35.62~precise1
After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well. (CVE-2014-4943)
Michael S. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Important: kernel-rt security update
Advisory ID: RHSA-2014:0913-01
Product: Red Hat Enterprise MRG for RHEL-6
Advisory URL: https://rhn.redhat.com/errata/RHSA-2014-0913.html
Issue date: 2014-07-22
CVE Names: CVE-2014-0181 CVE-2014-0206 CVE-2014-3144
CVE-2014-3145 CVE-2014-3153 CVE-2014-3917
CVE-2014-3940 CVE-2014-4027 CVE-2014-4667
CVE-2014-4699
=====================================================================
1. Summary:
Updated kernel-rt packages that fix multiple security issues are now
available for Red Hat Enterprise MRG 2.5.
The Red Hat Security Response Team has rated this update as having
Important security impact. Common Vulnerability Scoring System (CVSS) base
scores, which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section.
2. Relevant releases/architectures:
MRG Realtime for RHEL 6 Server v.2 - noarch, x86_64
3.
* A flaw was found in the way the Linux kernel's futex subsystem handled
the requeuing of certain Priority Inheritance (PI) futexes. A local,
unprivileged user could use this flaw to escalate their privileges on the
system. (CVE-2014-3153, Important)
* It was found that the Linux kernel's ptrace subsystem allowed a traced
process' instruction pointer to be set to a non-canonical memory address
without forcing the non-sysret code path when returning to user space.
A local, unprivileged user could use this flaw to crash the system or,
potentially, escalate their privileges on the system. (CVE-2014-4699,
Important)
Note: The CVE-2014-4699 issue only affected systems using an Intel CPU.
* It was found that the permission checks performed by the Linux kernel
when a netlink message was received were not sufficient. A local,
unprivileged user could potentially bypass these restrictions by passing a
netlink socket as stdout or stderr to a more privileged process and
altering the output of this process. (CVE-2014-0181, Moderate)
* It was found that the aio_read_events_ring() function of the Linux
kernel's Asynchronous I/O (AIO) subsystem did not properly sanitize the AIO
ring head received from user space. A local, unprivileged user could use
this flaw to disclose random parts of the (physical) memory belonging to
the kernel and/or other processes. (CVE-2014-0206, Moderate)
* An out-of-bounds memory access flaw was found in the Netlink Attribute
extension of the Berkeley Packet Filter (BPF) interpreter functionality in
the Linux kernel's networking implementation. A local, unprivileged user
could use this flaw to crash the system or leak kernel memory to user space
via a specially crafted socket filter. (CVE-2014-3144, CVE-2014-3145,
Moderate)
* An out-of-bounds memory access flaw was found in the Linux kernel's
system call auditing implementation. On a system with existing audit rules
defined, a local, unprivileged user could use this flaw to leak kernel
memory to user space or, potentially, crash the system. (CVE-2014-3917,
Moderate)
* A flaw was found in the way Linux kernel's Transparent Huge Pages (THP)
implementation handled non-huge page migration. A local, unprivileged user
could use this flaw to crash the kernel by migrating transparent hugepages.
(CVE-2014-3940, Moderate)
* An integer underflow flaw was found in the way the Linux kernel's Stream
Control Transmission Protocol (SCTP) implementation processed certain
COOKIE_ECHO packets. By sending a specially crafted SCTP packet, a remote
attacker could use this flaw to prevent legitimate connections to a
particular SCTP server socket to be made. (CVE-2014-4667, Moderate)
* An information leak flaw was found in the RAM Disks Memory Copy (rd_mcp)
backend driver of the iSCSI Target subsystem of the Linux kernel.
A privileged user could use this flaw to leak the contents of kernel memory
to an iSCSI initiator remote client. (CVE-2014-4027, Low)
Red Hat would like to thank Kees Cook of Google for reporting
CVE-2014-3153, Andy Lutomirski for reporting CVE-2014-4699 and
CVE-2014-0181, and Gopal Reddy Kodudula of Nokia Siemens Networks for
reporting CVE-2014-4667. Google acknowledges Pinkie Pie as the original
reporter of CVE-2014-3153. The CVE-2014-0206 issue was discovered by
Mateusz Guzik of Red Hat.
Users are advised to upgrade to these updated packages, which upgrade the
kernel-rt kernel to version kernel-rt-3.10.33-rt32.43 and correct these
issues. The system must be rebooted for this update to take effect.
4. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
This update is available via the Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
https://access.redhat.com/site/articles/11258
To install kernel packages manually, use "rpm -ivh [package]". Do not use
"rpm -Uvh" as that will remove the running kernel binaries from your
system. You may use "rpm -e" to remove old kernels after determining that
the new kernel functions properly on your system.
5. Bugs fixed (https://bugzilla.redhat.com/):
1094265 - CVE-2014-0181 kernel: net: insufficient permision checks of netlink messages
1094602 - CVE-2014-0206 kernel: aio: insufficient sanitization of head in aio_read_events_ring()
1096775 - CVE-2014-3144 CVE-2014-3145 Kernel: filter: prevent nla extensions to peek beyond the end of the message
1102571 - CVE-2014-3917 kernel: DoS with syscall auditing
1103626 - CVE-2014-3153 kernel: futex: pi futexes requeue issue
1104097 - CVE-2014-3940 Kernel: missing check during hugepage migration
1108744 - CVE-2014-4027 Kernel: target/rd: imformation leakage
1113967 - CVE-2014-4667 kernel: sctp: sk_ack_backlog wrap-around problem
1115927 - CVE-2014-4699 kernel: x86_64: ptrace: sysret to non-canonical address
6. Package List:
MRG Realtime for RHEL 6 Server v.2:
Source:
kernel-rt-3.10.33-rt32.43.el6rt.src.rpm
noarch:
kernel-rt-doc-3.10.33-rt32.43.el6rt.noarch.rpm
kernel-rt-firmware-3.10.33-rt32.43.el6rt.noarch.rpm
x86_64:
kernel-rt-3.10.33-rt32.43.el6rt.x86_64.rpm
kernel-rt-debug-3.10.33-rt32.43.el6rt.x86_64.rpm
kernel-rt-debug-debuginfo-3.10.33-rt32.43.el6rt.x86_64.rpm
kernel-rt-debug-devel-3.10.33-rt32.43.el6rt.x86_64.rpm
kernel-rt-debuginfo-3.10.33-rt32.43.el6rt.x86_64.rpm
kernel-rt-debuginfo-common-x86_64-3.10.33-rt32.43.el6rt.x86_64.rpm
kernel-rt-devel-3.10.33-rt32.43.el6rt.x86_64.rpm
kernel-rt-trace-3.10.33-rt32.43.el6rt.x86_64.rpm
kernel-rt-trace-debuginfo-3.10.33-rt32.43.el6rt.x86_64.rpm
kernel-rt-trace-devel-3.10.33-rt32.43.el6rt.x86_64.rpm
kernel-rt-vanilla-3.10.33-rt32.43.el6rt.x86_64.rpm
kernel-rt-vanilla-debuginfo-3.10.33-rt32.43.el6rt.x86_64.rpm
kernel-rt-vanilla-devel-3.10.33-rt32.43.el6rt.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package
7. References:
https://www.redhat.com/security/data/cve/CVE-2014-0181.html
https://www.redhat.com/security/data/cve/CVE-2014-0206.html
https://www.redhat.com/security/data/cve/CVE-2014-3144.html
https://www.redhat.com/security/data/cve/CVE-2014-3145.html
https://www.redhat.com/security/data/cve/CVE-2014-3153.html
https://www.redhat.com/security/data/cve/CVE-2014-3917.html
https://www.redhat.com/security/data/cve/CVE-2014-3940.html
https://www.redhat.com/security/data/cve/CVE-2014-4027.html
https://www.redhat.com/security/data/cve/CVE-2014-4667.html
https://www.redhat.com/security/data/cve/CVE-2014-4699.html
https://access.redhat.com/security/updates/classification/#important
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2014 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)
iD8DBQFTzronXlSAg2UNWIIRArVpAKCkgJOnYjb7yjtHsGw5upf04nuVCgCdHPgl
t/C/rKSGYdFAx2jHSiE4s7U=
=JzfF
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
| VAR-201401-0160 | CVE-2013-6922 | Seagate BlackArmor NAS 220 Device firmware cross-site request forgery vulnerability |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
Multiple cross-site request forgery (CSRF) vulnerabilities in the Seagate BlackArmor NAS 220 devices with firmware sg2000-2000.1331 allow remote attackers to hijack the authentication of administrators for requests that (1) add user accounts via a crafted request to admin/access_control_user_add.php; (2) modify or (3) delete user accounts; (4) perform a factory reset; (5) perform a device reboot; or (6) add, (7) modify, or (8) delete shares and volumes. The Seagate BlackArmor NAS is a network storage device. BlackArmor NAS 220 storage server is prone to the following remote security vulnerabilities:
1. Multiple cross-site request forgery vulnerabilities
2. Multiple HTML-injection vulnerabilities
3. An arbitrary code-execution vulnerability
Attackers can exploit these issues to perform certain unauthorized actions, execute HTML and script code and steal cookie-based authentication credentials and execute arbitrary code. Other attacks are possible.
BlackArmor NAS 220 running firmware sg2000-2000.1331 is vulnerable; other versions may also be affected. It can provide layered protection, data increment and system backup and recovery for business-critical data
| VAR-201401-0161 | CVE-2013-6923 | Seagate BlackArmor NAS 220 Cross-site scripting vulnerability in device firmware |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Multiple cross-site scripting (XSS) vulnerabilities in Seagate BlackArmor NAS 220 devices with firmware sg2000-2000.1331 allow remote attackers to inject arbitrary web script or HTML via the (1) fullname parameter to admin/access_control_user_edit.php or (2) workname parameter to admin/network_workgroup_domain.php. The Seagate BlackArmor NAS is a network storage device. The workgroup configuration is subject to a persistent cross-site scripting attack. When a user is added to the device, the application does not properly filter the user name field data, allowing the attacker to exploit the vulnerability to inject malicious scripts or HTML code. BlackArmor NAS 220 storage server is prone to the following remote security vulnerabilities:
1. Multiple cross-site request forgery vulnerabilities
2. Multiple HTML-injection vulnerabilities
3. An arbitrary code-execution vulnerability
Attackers can exploit these issues to perform certain unauthorized actions, execute HTML and script code and steal cookie-based authentication credentials and execute arbitrary code. Other attacks are possible.
BlackArmor NAS 220 running firmware sg2000-2000.1331 is vulnerable; other versions may also be affected. It can provide layered protection, data increment and system backup and recovery for business-critical data. The vulnerability is caused by the admin/access_control_user_edit.php script not adequately filtering the 'fullname' parameter and the admin/network_workgroup_domain.php script not properly filtering the 'workname' parameter . # Exploit Title: Seagate BlackArmor NAS - Multiple Persistent Cross Site
Scripting Vulnerabilities
# Google Dork: N/A
# Date: 04-01-2014
# Exploit Author: Jeroen - IT Nerdbox
# Vendor Homepage: <http://www.seagate.com/> http://www.seagate.com/
# Software Link:
<http://www.seagate.com/support/downloads/item/banas-220-firmware-master-dl/
>
http://www.seagate.com/support/downloads/item/banas-220-firmware-master-dl/
# Version: sg2000-2000.1331
# Tested on: N/A
# CVE : CVE-2013-6923
#
## Description:
#
# When adding a user to the device, it is possible to enter a full name.
This input field does not
# sanitize its input and it is possible to enter any payload which will get
executed upon reload. The Work
Group name input
# field does not sanitize its input.
#
# This vulnerability was reported to Seagate in September 2013, they stated
that this will not be fixed.
#
## Proof of Concept #1:
#
# POST: http(s)://<url | ip>/admin/access_control_user_edit.php?id=2&lang=en
# Parameters:
#
# index = 2
# fullname = <script>alert(1);</script>
# submit = Submit
#
#
## Proof of Concept #2:
#
# POST: http(s)://<url |
ip>/admin/network_workgroup_domain.php?lang=en&gi=n003
# Parameter:
#
# workname = "><input onmouseover=prompt(1) >
| VAR-201401-0754 | No CVE | Multiple ASUS RT Routers Remote Security Bypass Vulnerability |
CVSS V2: - CVSS V3: - Severity: - |
Multiple ASUS RT routers are prone to an unspecified security bypass vulnerability.
Attackers can exploit this issue to bypass certain security restrictions and perform unauthorized actions on the affected application. This may aid in further attacks.
ASUS RT-AC68U, RT-AC56U, RT-AC66U, RT-N66U, RT-N16 are vulnerable.
| VAR-201710-0032 | CVE-2013-6924 | Seagate BlackArmor NAS Command injection vulnerability in device firmware |
CVSS V2: 10.0 CVSS V3: 9.8 Severity: CRITICAL |
Seagate BlackArmor NAS devices with firmware sg2000-2000.1331 allow remote attackers to execute arbitrary commands via shell metacharacters in the ip parameter to backupmgt/getAlias.php. Seagate BlackArmor NAS The device firmware contains a command injection vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. The Seagate BlackArmor NAS is a network storage device. BlackArmor NAS 220 storage server is prone to the following remote security vulnerabilities:
1. Multiple cross-site request forgery vulnerabilities
2. Multiple HTML-injection vulnerabilities
3. An arbitrary code-execution vulnerability
Attackers can exploit these issues to perform certain unauthorized actions, execute HTML and script code and steal cookie-based authentication credentials and execute arbitrary code. Other attacks are possible.
BlackArmor NAS 220 running firmware sg2000-2000.1331 is vulnerable; other versions may also be affected. Seagate BlackArmor NAS is a network storage server of Seagate Corporation of the United States, which can provide layered protection, data increment and system backup and recovery for business-critical data
| VAR-201404-0755 | No CVE | Canon PIXMA MX722 Printer Information Disclosure Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Canon is a famous Canon printer manufacturer in Japan. An information disclosure vulnerability exists in Canon PIXMA MX722 Printer. The remote attacker is allowed to obtain the password information because the WPA2 password exposed by the device on the network is on the unprotected configuration page of the plaintext device. Canon PIXMA MX722 is prone to an information-disclosure vulnerability.
Remote attackers can exploit this issue to gain access to sensitive information that may aid in further attacks.
Canon PIXMA MX722 is vulnerable; other versions may also affected
| VAR-201505-0152 | CVE-2014-1900 | plural Y-Cam Vulnerability that bypasses authentication in camera firmware |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Y-Cam camera models SD range YCB003, YCK003, and YCW003; S range YCB004, YCK004, YCW004; EyeBall YCEB03; Bullet VGA YCBL03 and YCBLB3; Bullet HD 720 YCBLHD5; Y-cam Classic Range YCB002, YCK002, and YCW003; and Y-cam Original Range YCB001, YCW001, running firmware 4.30 and earlier, allow remote attackers to bypass authentication and obtain sensitive information via a leading "/./" in a request to en/account/accedit.asp. plural Y-Cam There is a vulnerability in the camera firmware that prevents authentication and obtains important information.By a third party "/./" Begins with en/account/accedit.asp Through the request to, authentication may be bypassed and important information may be obtained. Y-Cam camera is a wireless network security surveillance camera system launched by Y-cam. There are information disclosure vulnerabilities in Y-Cam's various products that allow remote attackers to authenticate and obtain sensitive information through a leading \"/ /\" to en/account/acceditasp request. Multiple Y-Cam Camera Models are prone to the following security vulnerabilities:
1. A directory-traversal vulnerability
2. Multiple denial-of-service vulnerabilities
3. Multiple HTML-injection vulnerabilities
An attacker can exploit these issues to perform unauthorized actions, bypass security restrictions, cause denial-of-service conditions, execute attacker-supplied HTML or JavaScript code in the context of the affected site, to steal cookie-based authentication credentials or gain access to sensitive information. Y-Cam camera models SD range YCB003 etc