VARIoT IoT vulnerabilities database


VAR-201312-0075 CVE-2013-3622 Supermicro X9 generation motherboard IPMI firmware arbitrary code execution vulnerability CVSS V2: 9.0
CVSS V3: -
Severity: HIGH
Buffer overflow in logout.cgi in the Intelligent Platform Management Interface (IPMI) with firmware before 3.15 (SMT_X9_315) on Supermicro X9 generation motherboards allows remote authenticated users to execute arbitrary code via the SID parameter. Supermicro IPMI is prone to a remote buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied data: the session ID sent in the SID parameter is copied into a fixed-size buffer without a length check. An attacker who holds a valid session may be able to execute arbitrary code with root privileges in the context of the affected firmware; failed exploit attempts will likely crash the CGI and result in a denial-of-service condition. Supermicro IPMI firmware versions prior to SMT_X9_315 are vulnerable; 3.15 is the fixed release. Supermicro's IPMI is the baseboard management controller firmware on its motherboards, which can remotely control the system, for example remote power-on and entering the BIOS
VAR-201311-0294 CVE-2013-5553 Cisco IOS denial of service (DoS) vulnerability CVSS V2: 7.8
CVSS V3: -
Severity: HIGH
Multiple memory leaks in Cisco IOS 15.1 before 15.1(4)M7 allow remote attackers to cause a denial of service (memory consumption or device reload) by sending a crafted SIP message over (1) IPv4 or (2) IPv6, aka Bug IDs CSCuc42558 and CSCug25383. Cisco IOS is the internetwork operating system that runs on most Cisco routers and switches. The vulnerability is due to improper handling of specially crafted SIP messages: each such message leaks memory, so a sustained stream exhausts memory and eventually forces the device to reload, resulting in a denial-of-service condition. These issues are tracked by Cisco Bug IDs CSCuc42558 and CSCug25383. The following releases are affected: Cisco IOS 15.1(4)GC, 15.1(4)GC1, 15.1(4)M4, 15.1(4)M5, 15.1(4)M6
VAR-201311-0298 CVE-2013-5558 Cisco TelePresence VX Clinical Assistant WIL-A module unauthorized access vulnerability CVSS V2: 10.0
CVSS V3: -
Severity: HIGH
The WIL-A module in Cisco TelePresence VX Clinical Assistant 1.2 before 1.21 changes the admin password to an empty password upon a reboot, which makes it easier for remote attackers to obtain access via the administrative interface, aka Bug ID CSCuj17238. The vendor has confirmed the issue and tracks it as Cisco Bug ID CSCuj17238. Because the password reset happens on every restart, any attacker who can reach the administrative interface after a reboot can log in as admin with an empty password, bypass the device's access restrictions and perform administrative actions. Cisco TelePresence VX Clinical Assistant is a mobile telepresence system that provides remote diagnosis, virtual nursing and medical education over high-definition video. The vulnerability is caused by an error in the software's handling of the administrative password during restart
VAR-201311-0305 CVE-2013-5565 Cisco IOS XR OSPFv3 denial of service (DoS) vulnerability CVSS V2: 4.3
CVSS V3: -
Severity: MEDIUM
The OSPFv3 functionality in Cisco IOS XR 5.1 allows remote attackers to cause a denial of service (process crash) via a malformed LSA Type-1 packet, aka Bug ID CSCuj82176. Cisco IOS XR is the network operating system that runs on Cisco's carrier-class routers. An attacker can exploit this issue to crash the OSPFv3 process on an affected device, resulting in a denial-of-service condition. This issue is being tracked by Cisco Bug ID CSCuj82176. The vulnerability is caused by the OSPFv3 process not correctly parsing a malformed Type-1 (router) LSA
VAR-201311-0306 CVE-2013-5566 Cisco NX-OS on Cisco MDS 9000 devices denial of service (DoS) vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Cisco NX-OS 5.0 and earlier on MDS 9000 devices allows remote attackers to cause a denial of service (supervisor CPU consumption) via Authentication Header (AH) authentication in a Virtual Router Redundancy Protocol (VRRP) frame, aka Bug ID CSCte27874. Cisco MDS 9000 NX-OS Software is prone to a remote denial-of-service vulnerability: attackers can exploit this issue to make the supervisor module consume excessive CPU, degrading or interrupting service. This issue is being tracked by Cisco Bug ID CSCte27874. Cisco NX-OS is the data-center network operating system developed by Cisco. The vulnerability is caused by incorrect handling of VRRP frames that carry AH authentication
VAR-201312-0076 CVE-2013-3623 Supermicro X9 generation motherboard IPMI firmware stack-based buffer overflow vulnerability CVSS V2: 10.0
CVSS V3: -
Severity: HIGH
Multiple stack-based buffer overflows in cgi/close_window.cgi in the web interface in the Intelligent Platform Management Interface (IPMI) with firmware before 3.15 (SMT_X9_315) on Supermicro X9 generation motherboards allow remote attackers to execute arbitrary code via the (1) sess_sid or (2) ACT parameter. Supermicro IPMI is prone to multiple buffer-overflow vulnerabilities because it fails to perform adequate boundary checks on user-supplied data; unlike CVE-2013-3622, no authentication is required. Attackers may be able to execute arbitrary code in the context of the affected firmware; failed exploit attempts will likely result in denial-of-service conditions. Firmware versions before SMT_X9_315 are vulnerable (SMT_X9_226 was confirmed vulnerable). Supermicro's IPMI is the baseboard management controller firmware on its motherboards, which can remotely control the system, for example remote power-on and entering the BIOS.

The Metasploit Framework scanner module below (discovery and analysis by hdm, module by juan vazquez) checks for CVE-2013-3621 (login.cgi) and CVE-2013-3623 (close_window.cgi). For each CGI it first sends a short parameter that a healthy device answers with HTTP 200 and a recognisable body, then an overlong one (300 bytes for login.cgi, 132 bytes for close_window.cgi); a vulnerable firmware answers the overlong request with HTTP 500 because the CGI crashes.

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'uri'

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient
  include Msf::Auxiliary::Scanner
  include Msf::Auxiliary::Report

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Supermicro Onboard IPMI CGI Vulnerability Scanner',
      'Description'    => %q{
        This module checks for known vulnerabilities in the CGI applications of
        Supermicro Onboard IPMI controllers. These issues currently include several
        unauthenticated buffer overflows in the login.cgi and close_window.cgi
        components.
      },
      'Author'         =>
        [
          'hdm',          # Discovery and analysis
          'juan vazquez'  # Metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2013-3621' ],
          [ 'CVE', '2013-3623' ],
          [ 'URL', 'https://www.rapid7.com/blog/post/2013/11/06/supermicro-ipmi-firmware-vulnerabilities/']
        ],
      'DisclosureDate' => '2013-11-06'))
  end

  # The ATEN-built web interface identifies itself in the root page body.
  def is_supermicro?
    res = send_request_cgi(
      {
        "uri"    => "/",
        "method" => "GET"
      })

    if res and res.code == 200 and res.body.to_s =~ /ATEN International Co Ltd\./
      return true
    else
      return false
    end
  end

  def send_close_window_request(sess)
    res = send_request_cgi({
      'method'        => 'POST',
      'uri'           => "/cgi/close_window.cgi",
      'encode_params' => false,
      'vars_post'     => {
        'sess_sid' => sess
      }
    })

    return res
  end

  # Safe probe must behave normally (200 + "Can't find action"); the
  # overlong probe must crash the CGI (500) for the host to be reported.
  def check_close_window
    safe_check = Rex::Text.rand_text_alpha(20)
    trigger_check = Rex::Text.rand_text_alpha(132)

    res = send_close_window_request(safe_check)

    unless res and res.code == 200 and res.body.to_s =~ /Can't find action/
      return false
    end

    res = send_close_window_request(trigger_check)

    unless res and res.code == 500
      return false
    end

    return true
  end

  def send_login_request(name)
    res = send_request_cgi({
      'method'        => 'POST',
      'uri'           => "/cgi/login.cgi",
      'encode_params' => false,
      'vars_post'     => {
        'name' => name,
        'pwd'  => Rex::Text.rand_text_alpha(4)
      }
    })

    return res
  end

  def check_login
    safe_check = Rex::Text.rand_text_alpha(20)
    trigger_check = Rex::Text.rand_text_alpha(300)

    res = send_login_request(safe_check)

    unless res and res.code == 200 and res.body.to_s =~ /ATEN International Co Ltd\./ and res.body.to_s =~ /top\.location\.href = location\.href/
      return false
    end

    res = send_login_request(trigger_check)

    unless res and res.code == 500
      return false
    end

    return true
  end

  def run_host(ip)
    vprint_status("Checking if it's a Supermicro IPMI web interface...")
    if is_supermicro?
      vprint_good("Supermicro IPMI web interface found")
    else
      vprint_error("Supermicro IPMI web interface not found")
      return
    end

    vprint_status("Checking CVE-2013-3621 (login.cgi Buffer Overflow) ...")
    result = check_login
    if result
      print_good("Vulnerable to CVE-2013-3621 (login.cgi Buffer Overflow)")
      report_vuln({
        :host  => rhost,
        :port  => rport,
        :proto => 'tcp',
        :name  => "Supermicro Onboard IPMI login.cgi Buffer Overflow",
        :refs  => self.references.select do |ref| ref.ctx_val == "2013-3621" end
      })
    end

    vprint_status("Checking CVE-2013-3623 (close_window.cgi Buffer Overflow) ...")
    result = check_close_window
    if result
      print_good("Vulnerable to CVE-2013-3623 (close_window.cgi Buffer Overflow)")
      report_vuln({
        :host  => rhost,
        :port  => rport,
        :proto => 'tcp',
        :name  => "Supermicro Onboard IPMI close_window.cgi Buffer Overflow",
        :refs  => self.references.select { |ref| ref.ctx_val == "2013-3623" }
      })
    end
  end
end
VAR-201912-1601 CVE-2013-4985 Vivotek IP Camera authentication bypass vulnerability CVSS V2: 5.0
CVSS V3: 7.5
Severity: HIGH
Multiple Vivotek IP Cameras remote authentication bypass that could allow access to the video stream. Vivotek IP cameras contain an improper authentication vulnerability. Vivotek IP cameras are network webcam devices. An attacker can exploit this issue to bypass the authentication mechanism and gain unauthorized access to restricted functionality of the device, including the video stream, resulting in information disclosure
VAR-201311-0515 No CVE Netgear WNDR3700 security restriction bypass vulnerability CVSS V2: 6.8
CVSS V3: -
Severity: MEDIUM
The Netgear WNDR3700 is a wireless router. Its web interface mishandles requests for BRS_02_genieHelp.html; a successful attack can bypass certain security restrictions.
VAR-201311-0302 CVE-2013-5562 Cisco Prime Central for HCS ITM web server denial of service (DoS) vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
The ITM web server in Cisco Prime Central for Hosted Collaboration Solution (HCS) allows remote attackers to cause a denial of service (temporary HTTP service outage) via a flood of TCP packets, aka Bug ID CSCuh36313. Attackers can exploit this issue to take the ITM web server's HTTP service offline temporarily, denying service to legitimate users. This issue is being tracked by Cisco Bug ID CSCuh36313. Cisco Prime Central for HCS is the management platform for Cisco's Hosted Collaboration Solution; it provides functions such as secure access authentication and real-time fault analysis
VAR-201311-0303 CVE-2013-5563 Cisco Security Monitoring, Analysis and Response System Query/NewQueryResult.jsp cross-site scripting vulnerability CVSS V2: 4.3
CVSS V3: -
Severity: MEDIUM
Cross-site scripting (XSS) vulnerability in Query/NewQueryResult.jsp in Cisco Security Monitoring, Analysis and Response System (CS-MARS) allows remote attackers to inject arbitrary web script or HTML via the isnowLatency parameter, aka Bug ID CSCul16173. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, which can allow the attacker to steal cookie-based authentication credentials and launch other attacks. This issue is being tracked by Cisco Bug ID CSCul16173. CS-MARS combines security event monitoring with correlation rules, factor analysis and abnormal traffic detection to help identify and eliminate network attacks
VAR-201311-0299 CVE-2013-5559 Cisco AnyConnect Secure Mobility Client VPNAPI COM module buffer overflow vulnerability CVSS V2: 6.8
CVSS V3: -
Severity: MEDIUM
Buffer overflow in the Active Template Library (ATL) framework in the VPNAPI COM module in Cisco AnyConnect Secure Mobility Client 2.x allows user-assisted remote attackers to execute arbitrary code via a crafted HTML document, aka Bug ID CSCuj58139. The vendor has confirmed the issue and tracks it as Cisco Bug ID CSCuj58139. The attack is user-assisted: a victim must open a crafted HTML document that instantiates the vulnerable COM object. Successful exploitation may allow arbitrary code execution in the context of the user who opened the document, although reliable code execution has not been confirmed; failed exploit attempts will result in denial-of-service conditions. Cisco AnyConnect Secure Mobility Client is Cisco's VPN client for secure access to networks and applications from any device
VAR-201311-0301 CVE-2013-5561 Cisco ASA CX Safe Search policy bypass vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
The Safe Search enforcement feature in Cisco Adaptive Security Appliance (ASA) CX Context-Aware Security Software does not properly perform filtering, which allows remote attackers to bypass intended policy restrictions via unspecified vectors, aka Bug ID CSCui94622. The vendor has confirmed the issue and tracks it as Cisco Bug ID CSCui94622. Cisco ASA CX is prone to a remote security-bypass vulnerability: successfully exploiting this issue may allow an attacker to bypass the Safe Search policy restrictions and perform unauthorized actions. The vulnerability is caused by the feature not performing its filtering correctly
VAR-201311-0304 CVE-2013-5564 Cisco Prime Central for Hosted Collaboration Solution Impact server denial of service (DoS) vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
The Java process in the Impact server in Cisco Prime Central for Hosted Collaboration Solution (HCS) allows remote attackers to cause a denial of service (process crash) via a flood of TCP packets, aka Bug ID CSCug57345. Attackers can exploit this issue to crash the Java process, denying service to legitimate users. This issue is being tracked by Cisco Bug ID CSCug57345. Cisco Prime Central for HCS is the management platform for Cisco's Hosted Collaboration Solution; it provides functions such as secure access authentication and real-time fault analysis
VAR-201311-0362 CVE-2013-6816 SAP NetWeaver JavaDumpService and DataCollector servlet cross-site scripting vulnerability CVSS V2: 4.3
CVSS V3: -
Severity: MEDIUM
Multiple cross-site scripting (XSS) vulnerabilities in the (1) JavaDumpService and (2) DataCollector servlets in SAP NetWeaver allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. SAP NetWeaver is the technical foundation for SAP Business Suite solutions, SAP xApps composite applications, partner solutions, and custom applications. Because certain input handled by the JavaDumpService and DataCollector servlets is not properly filtered before being returned to the user, an attacker can execute arbitrary HTML and script code in a user's browser session in the context of the affected site, which may allow the attacker to steal cookie-based authentication credentials and launch other attacks
VAR-201311-0360 CVE-2013-6814 SAP NetWeaver J2EE Engine URI redirection vulnerability CVSS V2: 5.8
CVSS V3: -
Severity: MEDIUM
The J2EE Engine in SAP NetWeaver 6.40, 7.02, and earlier allows remote attackers to redirect users to arbitrary web sites, conduct phishing attacks, and obtain sensitive information (cookies and SAPPASSPORT) via unspecified vectors. SAP NetWeaver is the technical foundation for SAP Business Suite solutions, SAP xApps composite applications, partner solutions, and custom applications. SAP NetWeaver is prone to an open-redirection weakness because the application fails to properly sanitize user-supplied input. An attacker can leverage this issue by constructing a crafted URI and enticing a user to follow it; other attacks are possible. SAP NetWeaver J2EE 6.40 and 7.02 are vulnerable
VAR-202002-0570 CVE-2013-3591 vTiger CRM unrestricted upload of dangerous file type vulnerability

Related entries in the VARIoT exploits database: VAR-E-201310-0073
CVSS V2: 6.5
CVSS V3: 8.8
Severity: HIGH
vTiger CRM 5.3 and 5.4: 'files' Upload Folder Arbitrary PHP Code Execution Vulnerability. vTiger CRM contains an unrestricted upload of dangerous file type vulnerability; exploitation can lead to information disclosure, data tampering and denial of service (DoS). An attacker can exploit this issue to upload and execute arbitrary PHP code in the context of the affected application. This may facilitate a compromise of the application and the underlying system; other attacks are also possible. vTiger CRM 5.3.0 and 5.4.0 are vulnerable; other versions may also be affected. Vtiger CRM is an open-source customer relationship management (CRM) system that began as a fork of SugarCRM. It provides functions such as management, collection, and analysis of customer information
VAR-201310-0651 No CVE UNICORN WB-3300NR router multiple cross-site request forgery vulnerabilities CVSS V2: 3.5
CVSS V3: -
Severity: LOW
The UNICORN WB-3300NR router management pages have multiple cross-site request forgery vulnerabilities. A remote attacker can build malicious URIs and entice a logged-in user to open them, causing arbitrary management operations to be performed in that user's context, such as resetting the router to factory settings, changing DNS settings, and retrieving the WPA password. The UNICORN WB-3300NR is a wireless router from UNICORN in Korea. The vulnerabilities exist because the management interface does not verify that state-changing requests originate from its own pages. A remote attacker could use this to perform unauthorized operations and take control of an affected device, which may aid in other attacks
VAR-201311-0394 CVE-2013-6869 SAP NetWeaver SRTT_GET_COUNT_BEFORE_KEY_RFC function SQL injection vulnerability CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
SQL injection vulnerability in the SRTT_GET_COUNT_BEFORE_KEY_RFC function in SAP NetWeaver 7.30 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. SAP NetWeaver is the service-oriented integration and application platform of the German company SAP; it provides the development and runtime environment for SAP applications. The vulnerability stems from insufficient filtering of user-submitted input before the function builds SQL query statements. Attackers can use this vulnerability to access or modify data, gain control of the application, or exploit latent vulnerabilities in the underlying database. SAP NetWeaver 7.30 is vulnerable; other versions may also be affected
VAR-201311-0361 CVE-2013-6815 SAP NetWeaver AS ABAP denial of service (DoS) vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
The SHSTI_UPLOAD_XML function in the Application Server for ABAP (AS ABAP) in SAP NetWeaver 7.31 and earlier allows remote attackers to cause a denial of service via unspecified vectors, related to an XML External Entity (XXE) issue. Because the function resolves external entities in the XML it receives, a crafted document can be used to exhaust resources and cause a denial-of-service condition. Exploiting this issue may also allow a remote attacker to bypass certain security restrictions and perform unauthorized actions, which may lead to further attacks
VAR-201310-0804 No CVE NETGEAR WNDR3700 sprintf() host string buffer overflow vulnerability CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
The Netgear WNDR3700 is a wireless router. A sprintf() call in its firmware overflows a fixed-size buffer when formatting a specially crafted host string. A remote attacker can exploit this by submitting a crafted request, causing the affected service to crash or possibly executing arbitrary code.
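The Supermicro logout.cgi/close_window.cgi entries (CVE-2013-3622, CVE-2013-3623) and the Netgear sprintf() entry above all come down to the same defect: a request parameter written into a fixed-size stack buffer with no check that it fits. The C below is an added illustration, not the vendors' firmware code. It shows the strcpy() and sprintf() forms of the bug next to bounded versions that reject oversized input, and it feeds them probes of the same lengths the scanner module uses (20 bytes as the safe case, 132 and 300 as the overlong cases). The buffer sizes, function names and the "connecting to" format string are assumptions.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Added example, not vendor code. Buffer sizes and helper names are assumed. */
#define SID_LEN   32   /* assumed size of the on-stack session-id buffer   */
#define MSG_LEN   64   /* assumed size of the on-stack message buffer      */
#define MAX_PROBE 512  /* upper bound for the constructed probe strings    */

/* VULNERABLE: strcpy() copies until the NUL; a parameter of SID_LEN bytes
 * or more runs past buf into the saved registers and return address.
 * Kept only to show the defect; never call it with untrusted input. */
int handle_sid_unsafe(const char *sid)
{
    char buf[SID_LEN];
    strcpy(buf, sid);
    return (int)strlen(buf);
}

/* VULNERABLE: sprintf() has no way of knowing how large out is. */
void format_host_unsafe(char *out, const char *host)
{
    sprintf(out, "connecting to %s", host);
}

/* Length of s without scanning more than max bytes (a local strnlen). */
static size_t bounded_len(const char *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n] != '\0')
        n++;
    return n;
}

/* HARDENED: refuse anything that does not fit together with its NUL. */
bool copy_param_bounded(char *dst, size_t dst_len, const char *src)
{
    size_t n = bounded_len(src, dst_len);
    if (n >= dst_len) {       /* too long, or not terminated within dst_len */
        dst[0] = '\0';
        return false;
    }
    memcpy(dst, src, n + 1);
    return true;
}

/* Returns the accepted length, or -1 when the parameter is rejected
 * (the caller would answer with a 4xx instead of crashing). */
int handle_sid_safe(const char *sid)
{
    char buf[SID_LEN];
    if (!copy_param_bounded(buf, sizeof buf, sid))
        return -1;
    return (int)strlen(buf);
}

/* HARDENED: snprintf() bounds the write, and a return value >= out_len
 * means the output was truncated, which is treated as a rejection rather
 * than passing a silently clipped string onward. */
bool format_host_safe(char *out, size_t out_len, const char *host)
{
    int n = snprintf(out, out_len, "connecting to %s", host);
    if (n < 0 || (size_t)n >= out_len) {
        out[0] = '\0';
        return false;
    }
    return true;
}

/* Probe builders: a run of 'A's of the requested length (constructed
 * input, mirroring the scanner's safe and trigger requests). */
int probe_sid(size_t len)
{
    char p[MAX_PROBE + 1];
    if (len > MAX_PROBE) len = MAX_PROBE;
    memset(p, 'A', len);
    p[len] = '\0';
    return handle_sid_safe(p);
}

bool probe_host(size_t len)
{
    char p[MAX_PROBE + 1];
    char out[MSG_LEN];
    if (len > MAX_PROBE) len = MAX_PROBE;
    memset(p, 'A', len);
    p[len] = '\0';
    return format_host_safe(out, sizeof out, p);
}

int main(void)
{
    printf("20-byte sid   -> %d\n", probe_sid(20));    /* accepted: 20 */
    printf("132-byte sid  -> %d\n", probe_sid(132));   /* rejected: -1 */
    printf("20-byte host  -> %d\n", probe_host(20));   /* fits: 1 */
    printf("300-byte host -> %d\n", probe_host(300));  /* rejected: 0 */
    return 0;
}
```

The hardened handlers do what the vulnerable firmware did not: they reject the overlong request and keep serving, so the scanner's overlong probe gets an error page instead of crashing the CGI. The truncation check on snprintf() matters as much as the bound itself, because a silently clipped host string can still reach later code that assumes it is complete.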