VARIoT IoT vulnerabilities database

A stored cross-site scripting (XSS) vulnerability in the auth_settings component of FiberHome AN5506-02-B vRP2521 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the sncfg_loid text field.

A vulnerability has been identified in RUGGEDCOM ROS RMC8388 (All versions < V5.6.0), RUGGEDCOM ROS RS416Pv2 (All versions < V5.6.0), RUGGEDCOM ROS RS416v2 (All versions < V5.6.0), RUGGEDCOM ROS RS900 (32M) (All versions < V5.6.0), RUGGEDCOM ROS RS900G (32M) (All versions < V5.6.0), RUGGEDCOM ROS RSG2100 (32M) (All versions < V5.6.0), RUGGEDCOM ROS RSG2288 (All versions < V5.6.0), RUGGEDCOM ROS RSG2300 (All versions < V5.6.0), RUGGEDCOM ROS RSG2300P (All versions < V5.6.0), RUGGEDCOM ROS RSG2488 (All versions < V5.6.0), RUGGEDCOM ROS RSG907R (All versions < V5.6.0), RUGGEDCOM ROS RSG908C (All versions < V5.6.0), RUGGEDCOM ROS RSG909R (All versions < V5.6.0), RUGGEDCOM ROS RSG910C (All versions < V5.6.0), RUGGEDCOM ROS RSG920P (All versions < V5.6.0), RUGGEDCOM ROS RSL910 (All versions < v5.6.0), RUGGEDCOM ROS RST2228 (All versions < v5.6.0), RUGGEDCOM ROS RST2228P (All versions < V5.6.0), RUGGEDCOM ROS RST916C (All versions < v5.6.0), RUGGEDCOM ROS RST916P (All versions < v5.6.0). Affected devices improperly handle partial HTTP requests which makes them vulnerable to slowloris attacks. This could allow a remote attacker to create a denial of service condition that persists until the attack ends.

.NET Core and Visual Studio Denial of Service Vulnerability. ========================================================================== Ubuntu Security Notice USN-5609-1 September 13, 2022 dotnet6 vulnerability ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 22.04 LTS Summary: .NET 6 could be made to crash if it parsed a specially crafted file. Software Description: - dotnet6: dotNET CLI tools and runtime Details: Graham Esau discovered that .NET 6 incorrectly parsed certain payloads during model binding. An attacker could possibly use this issue to cause a denial of service. Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 22.04 LTS: aspnetcore-runtime-6.0 6.0.109-0ubuntu1~22.04.1 dotnet-host 6.0.109-0ubuntu1~22.04.1 dotnet-hostfxr-6.0 6.0.109-0ubuntu1~22.04.1 dotnet-runtime-6.0 6.0.109-0ubuntu1~22.04.1 dotnet-sdk-6.0 6.0.109-0ubuntu1~22.04.1 dotnet6 6.0.109-0ubuntu1~22.04.1 In general, a standard system update will make all the necessary changes. A restart may be required after the update if any affected files are being used. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ==================================================================== Red Hat Security Advisory Synopsis: Moderate: .NET 6.0 on RHEL 7 security and bugfix update Advisory ID: RHSA-2022:6520-01 Product: .NET Core on Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2022:6520 Issue date: 2022-09-14 CVE Names: CVE-2022-38013 ==================================================================== 1. Summary: An update for .NET 6.0 is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: .NET Core on Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64 .NET Core on Red Hat Enterprise Linux Server (v. 7) - x86_64 .NET Core on Red Hat Enterprise Linux Workstation (v. 7) - x86_64 3. Description: .NET is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation. New versions of .NET that address a security vulnerability are now available. The updated versions are .NET SDK 6.0.109 and .NET Runtime 6.0.9. Security Fix(es): * dotnet: DenialOfService - ASP.NET Core MVC vulnerable to stack overflow via ModelStateDictionary recursion. (CVE-2022-38013) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 2125124 - CVE-2022-38013 dotnet: DenialOfService - ASP.NET Core MVC vulnerable to stack overflow via ModelStateDictionary recursion. 6. Package List: .NET Core on Red Hat Enterprise Linux ComputeNode (v. 7): Source: rh-dotnet60-dotnet-6.0.109-1.el7_9.src.rpm x86_64: rh-dotnet60-aspnetcore-runtime-6.0-6.0.9-1.el7_9.x86_64.rpm rh-dotnet60-aspnetcore-targeting-pack-6.0-6.0.9-1.el7_9.x86_64.rpm rh-dotnet60-dotnet-6.0.109-1.el7_9.x86_64.rpm rh-dotnet60-dotnet-apphost-pack-6.0-6.0.9-1.el7_9.x86_64.rpm rh-dotnet60-dotnet-debuginfo-6.0.109-1.el7_9.x86_64.rpm rh-dotnet60-dotnet-host-6.0.9-1.el7_9.x86_64.rpm rh-dotnet60-dotnet-hostfxr-6.0-6.0.9-1.el7_9.x86_64.rpm rh-dotnet60-dotnet-runtime-6.0-6.0.9-1.el7_9.x86_64.rpm rh-dotnet60-dotnet-sdk-6.0-6.0.109-1.el7_9.x86_64.rpm rh-dotnet60-dotnet-sdk-6.0-source-built-artifacts-6.0.109-1.el7_9.x86_64.rpm rh-dotnet60-dotnet-targeting-pack-6.0-6.0.9-1.el7_9.x86_64.rpm rh-dotnet60-dotnet-templates-6.0-6.0.109-1.el7_9.x86_64.rpm rh-dotnet60-netstandard-targeting-pack-2.1-6.0.109-1.el7_9.x86_64.rpm .NET Core on Red Hat Enterprise Linux Server (v. 7): Source: rh-dotnet60-dotnet-6.0.109-1.el7_9.src.rpm x86_64: rh-dotnet60-aspnetcore-runtime-6.0-6.0.9-1.el7_9.x86_64.rpm rh-dotnet60-aspnetcore-targeting-pack-6.0-6.0.9-1.el7_9.x86_64.rpm rh-dotnet60-dotnet-6.0.109-1.el7_9.x86_64.rpm rh-dotnet60-dotnet-apphost-pack-6.0-6.0.9-1.el7_9.x86_64.rpm rh-dotnet60-dotnet-debuginfo-6.0.109-1.el7_9.x86_64.rpm rh-dotnet60-dotnet-host-6.0.9-1.el7_9.x86_64.rpm rh-dotnet60-dotnet-hostfxr-6.0-6.0.9-1.el7_9.x86_64.rpm rh-dotnet60-dotnet-runtime-6.0-6.0.9-1.el7_9.x86_64.rpm rh-dotnet60-dotnet-sdk-6.0-6.0.109-1.el7_9.x86_64.rpm rh-dotnet60-dotnet-sdk-6.0-source-built-artifacts-6.0.109-1.el7_9.x86_64.rpm rh-dotnet60-dotnet-targeting-pack-6.0-6.0.9-1.el7_9.x86_64.rpm rh-dotnet60-dotnet-templates-6.0-6.0.109-1.el7_9.x86_64.rpm rh-dotnet60-netstandard-targeting-pack-2.1-6.0.109-1.el7_9.x86_64.rpm .NET Core on Red Hat Enterprise Linux Workstation (v. 7): Source: rh-dotnet60-dotnet-6.0.109-1.el7_9.src.rpm x86_64: rh-dotnet60-aspnetcore-runtime-6.0-6.0.9-1.el7_9.x86_64.rpm rh-dotnet60-aspnetcore-targeting-pack-6.0-6.0.9-1.el7_9.x86_64.rpm rh-dotnet60-dotnet-6.0.109-1.el7_9.x86_64.rpm rh-dotnet60-dotnet-apphost-pack-6.0-6.0.9-1.el7_9.x86_64.rpm rh-dotnet60-dotnet-debuginfo-6.0.109-1.el7_9.x86_64.rpm rh-dotnet60-dotnet-host-6.0.9-1.el7_9.x86_64.rpm rh-dotnet60-dotnet-hostfxr-6.0-6.0.9-1.el7_9.x86_64.rpm rh-dotnet60-dotnet-runtime-6.0-6.0.9-1.el7_9.x86_64.rpm rh-dotnet60-dotnet-sdk-6.0-6.0.109-1.el7_9.x86_64.rpm rh-dotnet60-dotnet-sdk-6.0-source-built-artifacts-6.0.109-1.el7_9.x86_64.rpm rh-dotnet60-dotnet-targeting-pack-6.0-6.0.9-1.el7_9.x86_64.rpm rh-dotnet60-dotnet-templates-6.0-6.0.109-1.el7_9.x86_64.rpm rh-dotnet60-netstandard-targeting-pack-2.1-6.0.109-1.el7_9.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2022-38013 https://access.redhat.com/security/updates/classification/#moderate 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2022 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBYyInv9zjgjWX9erEAQhEug/+MGAj1xrvbqq9vXQuWFCnKNGFZox0XF9f mZBPH4fdktB0JGhvSc6zEZ9HzhwGGXWOsC6unQwlAxJwG5tHQ+ocyeUmDR5DwSNy scx7DFZQj0tHCo8q+XF7noyu5fvdOzUBeQsqUUrQQb9PsuwPtNIdtTV7Rmm0YRox xzLdtGqmmj7/Jvlry7hc9dFVJ9gnQXGHP2gWsJLWNLB+Xp1hD9iAdHyY48O/9z/H Zh05iBlxLCPeQcs0XJ9UuaIs9TVyGlCnQqVh2fdbMsDokFlwf4BppyV3fFDlYILl W7Iru5k8sSgskYxfhvedYJLYVON9/CWnpHE4RmusQqGvLM1aLX6oK5oNTWfcQ1jt rb055kapyXbGF5b4LcokE+CMY3BMC7ynxxYO9TBFrn+Ko7qP67NUVRUZReRZ0Ue5 axzUnHAZz6POpgpqwK98DF/janKj4wcnHUoCbJjgIo+JxZkgjay4umt+DAFetkfF Gm9LAxGclHlwTMfJa5nmSbuYfRrddLJ8+ENvctoNTC2g7DDUUinIOimaHu6xGFQH sTBB5+7lLFeq55EHxiT0JAnT5dIgYiexwtujxZSa4tvYal3ubQQBJ31Lp7b6BtD2 +crq7IgSjQlKhxVCv6AIBVdZriB4VBz9a/7lcGe8KPaZvWt/AEA9kPDZXUOUV0gU kfEWkmIv1MQ=RwCJ -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://listman.redhat.com/mailman/listinfo/rhsa-announce . 9) - aarch64, s390x, x86_64 3

Cross site Scripting (XSS) in ThingsBoard IoT Platform through 3.3.4.1 via a crafted value being sent to the audit logs. ThingsBoard IoT Platform is an open source IoT platform for data collection, processing, visualization and device management from ThingsBoard

An attacker with basic business user privileges could craft and upload a malicious file to SAP NetWeaver Application Server ABAP, which is then downloaded and viewed by other users resulting in a stored Cross-Site-Scripting attack. This could lead to information disclosure including stealing authentication information and impersonating the affected user.

An attacker with no prior authentication could craft and send malicious script to SAP GUI for HTML within Fiori Launchpad, resulting in reflected cross-site scripting attack. This could lead to stealing session information and impersonating the affected user.

A CWE-640: Weak Password Recovery Mechanism for Forgotten Password vulnerability exists that could cause unauthorized access in read and write mode to the controller when communicating over Modbus. Affected Products: EcoStruxure Control Expert Including all Unity Pro versions (former name of EcoStruxure Control Expert) (V15.0 SP1 and prior), EcoStruxure Process Expert, Including all versions of EcoStruxure Hybrid DCS (former name of EcoStruxure Process Expert) (V2021 and prior), Modicon M340 CPU (part numbers BMXP34*) (V3.40 and prior), Modicon M580 CPU (part numbers BMEP* and BMEH*) (V3.20 and prior).

The web configuration interface of the TP-Link M7350 V3 with firmware version 190531 is affected by a pre-authentication command injection vulnerability.

Improper restriction of broadcasting Intent in SaWebViewRelayActivity of?Waterplugin prior to version 2.2.11.22081151 allows attacker to access the file without permission

Improper restriction of broadcasting Intent in GalaxyStoreBridgePageLinker of?Waterplugin prior to version 2.2.11.22081151 leaks MAC address of the connected Bluetooth device

Improper Handling of Insufficient Permissions or Privileges vulnerability in Waterplugin prior to 2.2.11.22040751 allows attacker to access device IMEI and Serial number

Missing protection mechanism for alternate hardware interface in SmaCam CS-QR10 all versions and SmaCam Night Vision CS-QR20 all versions allows an attacker to execute an arbitrary OS command by having the product connect to the product's specific serial connection

Apache James prior to release 3.6.3 and 3.7.1 is vulnerable to a buffering attack relying on the use of the STARTTLS command. Fix of CVE-2021-38542, which solved similar problem fron Apache James 3.6.1, is subject to a parser differential and do not take into account concurrent requests

In Tenda G3 US_G3V3.0br_V15.11.0.6(7663)_EN_TDE, there is a buffer overflow vulnerability caused by sprintf in function in the httpd binary.

In Tenda G3 US_G3V3.0br_V15.11.0.6(7663)_EN_TDE, there is a buffer overflow vulnerability caused by strcpy in function 0x869f4 in the httpd binary.

A vulnerability in the IPSec VPN Server authentication functionality of Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers could allow an unauthenticated, remote attacker to bypass authentication controls and access the IPSec VPN network. This vulnerability is due to the improper implementation of the password validation algorithm. An attacker could exploit this vulnerability by logging in to the VPN from an affected device with crafted credentials. A successful exploit could allow the attacker to bypass authentication and access the IPSec VPN network. The attacker may obtain privileges that are the same level as an administrative user, depending on the crafted credentials that are used. Cisco has not released software updates that address this vulnerability.

In Tenda G3 US_G3V3.0br_V15.11.0.6(7663)_EN_TDE, in httpd binary, the addDhcpRule function has a buffer overflow caused by sscanf.

Buffer Overflow in Netgear R8000 Router with firmware v1.0.4.56 allows remote attackers to execute arbitrary code or cause a denial-of-service by sending a crafted POST to '/bd_genie_create_account.cgi' with a sufficiently long parameter 'register_country'.

TOTOLINK A3002R TOTOLINK-A3002R-He-V1.1.1-B20200824.0128 is vulnerable to Buffer Overflow via /bin/boa.

In TOTOLINK A860R V4.1.2cu.5182_B20201027 there is a hard coded password for root in /etc/shadow.sample.