VARIoT IoT vulnerabilities database

SQL injection vulnerability in the web framework in Cisco Unified Communications Domain Manager allows remote authenticated users to execute arbitrary SQL commands via a crafted URL, aka Bug ID CSCuh96567. Exploiting this issue could allow an authenticated attacker to compromise the affected application, access or modify data, or exploit latent vulnerabilities in the underlying database. This issue is tracked by Cisco Bug ID CSCuh96567. This component features scalable, distributed, and highly available enterprise Voice over IP call processing

The integrated web server on Siemens SCALANCE X-200 switches with firmware before 4.5.0 and X-200IRT switches with firmware before 5.1.0 does not properly enforce authentication requirements, which allows remote attackers to perform administrative actions via requests to the management interface. The Siemens Scalance X200 is an industrial Ethernet switch from Siemens. SCALANCE X-200 and X-200IRT series switches are prone to an authentication-bypass vulnerability. Successfully exploiting this issue may allow an attacker to bypass certain security restrictions and gain administrative access to the affected device. The following products are affected. SCALANCE X-200 running firmware versions prior to 4.5.0 SCALANCE X-200IRT running firmware versions prior to 5.1.0

The Tenda W309R Router WEB console does not have a correct COOKIE management mechanism, which allows an attacker to access the router device without providing a password. Tenda W309R is a wireless router product from China's Tenda. An authentication bypass vulnerability exists in the Tenda W309R router. An attacker could use this vulnerability to gain access to affected devices and sensitive information. There are vulnerabilities in Tenda W309R version 5.07.46, other versions may also be affected

Hitachi JP1 is a solution that monitors the execution of business and centrally manages system content such as OS and applications. Hitachi JP1 / Base has an unknown vulnerability in processing messages sent by some hosts, allowing remote attackers to use the vulnerability to execute arbitrary commands. Hitachi JP1/Base is prone to an unspecified arbitrary command-execution vulnerability. Local attacker can exploit this issue to execute arbitrary commands within the context of the vulnerable application

Hitachi JP1 is a solution that monitors the execution of business and centrally manages system content such as OS and applications. Hitachi JP1 / Automatic Job Management System is a set of job management systems from Hitachi, Japan. The system supports scheduling, job error notifications, and visualization of job health. A remote arbitrary command execution vulnerability exists in Hitachi JP1 / Automatic Job Management System. An attacker could use this vulnerability to execute arbitrary commands in the context of an affected application

The activate firmware command in the fabric-interconnect component in Cisco Unified Computing System (UCS) allows local users to gain privileges by embedding commands in an unspecified parameter, aka Bug ID CSCtq02600. Cisco Unified Computing System is prone to a local arbitrary command-execution vulnerability. A local attacker can exploit this issue to execute arbitrary commands on the Linux shell with root privileges. Successful exploits may completely compromise the affected device. This issue is being tracked by Cisco Bug ID CSCtq02600. The system integrates network, computing and virtualization resources into one platform by extensively adopting virtualization technology

ethanalyzer in the fabric-interconnect component in Cisco Unified Computing System (UCS) allows local users to gain privileges by embedding commands in an unspecified parameter, aka Bug ID CSCtq02686. Cisco Unified Computing System (UCS) Of fabric interconnect components ethanalyzer Contains a privileged vulnerability. A local attacker can exploit this issue to execute arbitrary commands with elevated privileges. Successful exploits may compromise the affected device. This issue is being tracked by Cisco Bug ID CSCtq02686. The system integrates network, computing and virtualization resources into one platform by extensively adopting virtualization technology. A security vulnerability exists in the 'ethanalyzer' command in the fabric-interconnect component of Cisco UCS due to the program not properly filtering user-submitted input

Absolute path traversal vulnerability in the image-download process in the fabric-interconnect component in Cisco Unified Computing System (UCS) allows local users to overwrite or delete arbitrary files via a full pathname in an image header, aka Bug ID CSCtq02706. Cisco Unified Computing System is prone to a directory-traversal vulnerability. Exploiting this issue will allow a local attacker to modify or delete arbitrary files on the filesystem. This issue is tracked by Cisco BugID CSCtq02706. The system integrates network, computing and virtualization resources into one platform by extensively adopting virtualization technology

The clear sshkey command in the fabric-interconnect component in Cisco Unified Computing System (UCS) allows local users to gain privileges by embedding commands in an unspecified parameter, aka Bug ID CSCtq86559. A local attacker can exploit this issue to execute arbitrary commands with root privileges. Successful exploits may compromise the affected device. This issue is being tracked by Cisco Bug ID CSCtq86559. Cisco Unified Computing System (UCS) is a unified computing system of Cisco (Cisco). The system integrates network, computing and virtualization resources into one platform by extensively adopting virtualization technology

run-script in the fabric-interconnect component in Cisco Unified Computing System (UCS) allows local users to gain privileges by embedding commands in an unspecified parameter, aka Bug ID CSCtq86560. Cisco Unified Computing System (UCS) Of fabric interconnect components run-script Contains a privileged vulnerability. A local attacker can exploit this issue to execute arbitrary commands with root privileges. Successful exploits may compromise the affected device. This issue being tracked by Cisco Bug ID CSCtq86560. The system integrates network, computing and virtualization resources into one platform by extensively adopting virtualization technology. A security vulnerability exists in the 'run-script' command in the fabric-interconnect component of Cisco UCS due to the program not properly filtering user-submitted input

The create certreq command in the fabric-interconnect component in Cisco Unified Computing System (UCS) allows local users to gain privileges by embedding commands in an unspecified parameter, aka Bug ID CSCtq86563. Cisco Unified Computing System is prone to a local command-injection vulnerability. A local attacker can exploit this issue to execute arbitrary commands with root privileges. Successful exploits may compromise the affected device. This issue being tracked by Cisco Bug ID CSCtq86563. The system integrates network, computing and virtualization resources into one platform by extensively adopting virtualization technology

The local file editor in the Baseboard Management Controller (BMC) in Cisco Unified Computing System (UCS) allows local users to gain privileges and modify arbitrary fabric-interconnect files, in the context of a vi process, via unspecified commands, aka Bug ID CSCtn06574. Cisco Unified Computing System is prone to a local arbitrary file-access vulnerability. Local attackers can exploit this issue to read or overwrite arbitrary files. This may lead to further attacks. This issue being tracked by Cisco Bug ID CSCtn06574. The system integrates network, computing and virtualization resources into one platform by extensively adopting virtualization technology

The Media Snapshot implementation on Cisco TelePresence Multipoint Switch (CTMS) devices allows remote authenticated users to cause a denial of service (device reload) by sending many Media Snapshot requests at the time of a meeting termination, aka Bug ID CSCuh44796. The Cisco TelePresence Multipoint Switch is a telepresence multipoint switch developed by Cisco. Successfully exploiting this issue allows remote attackers to cause a denial of service condition. This issue is being tracked by Cisco Bug ID CSCuh44796. The switch enables dispersed enterprises to conduct telepresence meetings across multiple locations and provides a means of switching between each location or a single screen

The local file editor in the fabric-interconnect component in Cisco Unified Computing System (UCS) allows local users to gain privileges, and read or modify arbitrary files, via unspecified key bindings, aka Bug ID CSCtn04521. This may lead to further attacks. This issue is tracked by Cisco Bug ID CSCtn04521. Cisco Unified Computing System (UCS) is a unified computing system of Cisco (Cisco). The system integrates network, computing and virtualization resources into one platform by extensively adopting virtualization technology

ASUS RT-N66U 'apply.cgi' has a cross-site request forgery that allows remote attackers to exploit vulnerabilities to build malicious URIs, to trick users into parsing, and to execute arbitrary commands in the target user context. ASUS RT-N66U is a wireless router product from ASUS. A cross-site request forgery vulnerability exists in ASUS RT-N66U. An unauthorized attacker could use this vulnerability to perform administrator actions to gain access to the affected device. There are vulnerabilities in ASUS RT-N66U 3.0.0.4.374_720. Other versions may also be affected

The D-Link DSL-2740B is a router device. D-Link DSL-2740B EU_1.00 has a cross-site request forgery vulnerability that allows an attacker to exploit a vulnerability to construct a malicious URI, to entice a user to resolve, and to perform malicious operations in the target user context, such as disabling or enabling a wireless MAC address filter, firewall Protection and so on.

The administrative web interface in Cisco Video Surveillance Operations Manager does not properly perform authentication, which allows remote attackers to watch video feeds via a crafted URL, aka Bug ID CSCtg72262. An attacker can exploit this issue to gain access to sensitive information; this may lead to further attacks. This issue is being tracked by Cisco Bug ID CSCtg72262. This solution can provide secure configuration and management for web portal video, media server instances, cameras, etc. in the IP network

Cross-site scripting (XSS) vulnerability in the Mobile Device Management (MDM) portal in Cisco Identity Services Engine (ISE) allows remote attackers to inject arbitrary web script or HTML via an unspecified parameter, aka Bug ID CSCui30266. Vendors have confirmed this vulnerability Bug ID CSCui30266 It is released as.By any third party through unspecified parameters Web Script or HTML May be inserted. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks. This issue is being tracked by Cisco Bug ID CSCui30266. The platform monitors the network by collecting real-time information on the network, users and devices, and formulating and implementing corresponding policies

Cross-site scripting (XSS) vulnerability in an administration page in Cisco Identity Services Engine (ISE) allows remote attackers to inject arbitrary web script or HTML via an unspecified parameter, aka Bug ID CSCui30275. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks. This issue is being tracked by Cisco Bug ID CSCui30275. The platform monitors the network by collecting real-time information on the network, users and devices, and formulating and implementing corresponding policies

QNAP Photo Station before firmware 4.0.3 build0912 allows remote attackers to list OS user accounts via a request to photo/p/api/list.php. QNAP Photo Station is a network storage device that can be used for image storage. QNAP Photo Station is prone to an information-disclosure vulnerability. Attackers can exploit this issue to obtain sensitive information that may aid in launching further attacks. Versions prior to QNAP Photo Station 4.0.3 build0912 are vulnerable. QNAP Systems QNAP Photo Station is a web-based photo album application from QNAP Systems, which supports organizing and sharing photos and videos on the NAS via the Internet