VARIoT IoT vulnerabilities database

Hitron CODA-5310 has hard-coded encryption/decryption keys in the program code. A remote attacker authenticated as an administrator can decrypt system files using the hard-coded keys for file access, modification, and cause service disruption. Hitron Technologies Inc. of coda-5310 A vulnerability exists in the firmware regarding the use of hardcoded credentials.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state

It is identified a vulnerability of insufficient authentication in the system configuration interface of Hitron Technologies CODA-5310. An unauthorized remote attacker can exploit this vulnerability to access system configuration interface, resulting in performing arbitrary system operation or disrupt service

Tenda AC8V4.0-V16.03.34.06 was discovered to contain a stack overflow via the shareSpeed parameter in the fromSetWifiGusetBasic function. Shenzhen Tenda Technology Co.,Ltd. of AC8 An out-of-bounds write vulnerability exists in firmware.Service operation interruption (DoS) It may be in a state

ASUS RT-AC86U’s specific cgi function has a stack-based buffer overflow vulnerability due to insufficient validation for network packet header length. A remote attacker with administrator privileges can exploit this vulnerability to execute arbitrary system commands, disrupt system or terminate service. ASUS RT-AC86U is a dual-band Wi-Fi router made by ASUS in China. ASUS RT-AC86U has a buffer overflow vulnerability. The vulnerability is caused by a boundary error when processing untrusted input

Tenda AC8V4.0-V16.03.34.06 was discovered to contain a stack overflow via the deviceId parameter in the saveParentControlInfo function. Shenzhen Tenda Technology Co.,Ltd. of AC8 An out-of-bounds write vulnerability exists in firmware.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. There is a buffer overflow vulnerability in the Tenda AC8 deviceId parameter, which can be exploited by an attacker to overflow the buffer and execute arbitrary code on the system, or cause a denial of service

Hitron CODA-5310 has insufficient filtering for specific parameters in the connection test function. A remote attacker authenticated as an administrator, can use the management page to perform command injection attacks, to execute arbitrary system command, manipulate system or disrupt service. Hitron Technologies Inc. of coda-5310 The firmware has OS A command injection vulnerability exists.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. Hitron Technologies CODA-5310 has a remote command execution vulnerability

Tenda AC8V4.0-V16.03.34.06 was discovered to contain a stack overflow via the time parameter in the get_parentControl_list_Info function. Shenzhen Tenda Technology Co.,Ltd. of AC8 An out-of-bounds write vulnerability exists in firmware.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. The Tenda AC8 is a dual-band gigabit wireless router designed for homes with fiber optic connections up to 1000 Mbps. It supports dual-band concurrent transmission rates of up to 1167 Mbps and is equipped with full gigabit ports (one WAN port and three LAN ports), meeting broadband access needs between 100 and 1000 Mbps. An attacker could exploit this vulnerability to execute arbitrary code on the system or cause a denial of service

ASUS RT-AC86U does not filter special characters for parameters in specific web URLs. A remote attacker with normal user privileges can exploit this vulnerability to perform command injection attack to execute arbitrary system commands, disrupt system or terminate service. ASUS RT-AC86U is a dual-band Wi-Fi router made by ASUS in China

Dell SCG 5.14 contains an information disclosure vulnerability during the SRS to SCG upgrade path. A remote low privileged malicious user could potentially exploit this vulnerability to retrieve the plain text

Draytek Vigor Routers firmware versions below 3.9.6/4.2.4, Access Points firmware versions below v1.4.0, Switches firmware versions below 2.6.7, and Myvigor firmware versions below 2.3.2 were discovered to use hardcoded encryption keys which allows attackers to bind any affected device to their own account. Attackers are then able to create WCF and DrayDDNS licenses and synchronize them from the website

H3C Magic R300 version R300-2100MV100R004 was discovered to contain a stack overflow via the AddMacList interface at /goform/aspForm. H3C of Magic R300-2100M An out-of-bounds write vulnerability exists in firmware.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. H3C Magic R300 is a wireless router produced by China H3C (H3C). An authenticated remote attacker could exploit this vulnerability to cause a buffer overflow and execute arbitrary code on the system

H3C Magic R300 version R300-2100MV100R004 was discovered to contain a stack overflow via the UpdateWanParams interface at /goform/aspForm. H3C of Magic R300-2100M An out-of-bounds write vulnerability exists in firmware.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. H3C Magic R300 is a wireless router produced by China H3C (H3C). An attacker could exploit this vulnerability to cause a buffer overflow and execute arbitrary code on the system

H3C Magic R300 version R300-2100MV100R004 was discovered to contain a stack overflow via the Edit_BasicSSID interface at /goform/aspForm. H3C of Magic R300-2100M An out-of-bounds write vulnerability exists in firmware.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. H3C Magic R300 is a wireless router produced by China H3C (H3C). An attacker could exploit this vulnerability to cause a buffer overflow and execute arbitrary code on the system

H3C Magic R300 version R300-2100MV100R004 was discovered to contain a stack overflow via the DelSTList interface at /goform/aspForm. H3C of Magic R300-2100M An out-of-bounds write vulnerability exists in firmware.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. H3C Magic R300 is a wireless router produced by China H3C (H3C). An attacker could exploit this vulnerability to cause a buffer overflow and execute arbitrary code on the system

H3C Magic R300 version R300-2100MV100R004 was discovered to contain a stack overflow via the AddWlanMacList interface at /goform/aspForm. H3C of Magic R300-2100M An out-of-bounds write vulnerability exists in firmware.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. H3C Magic R300 is a wireless router produced by China H3C (H3C). An attacker could exploit this vulnerability to cause a buffer overflow and execute arbitrary code on the system

H3C Magic R300 version R300-2100MV100R004 was discovered to contain a stack overflow via the DeltriggerList interface at /goform/aspForm. H3C of Magic R300-2100M An out-of-bounds write vulnerability exists in firmware.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. H3C Magic R300 is a wireless router produced by China H3C (H3C). An attacker could exploit this vulnerability to cause a buffer overflow and execute arbitrary code on the system

H3C Magic R300 version R300-2100MV100R004 was discovered to contain a stack overflow via the EditvsList interface at /goform/aspForm. H3C of Magic R300-2100M An out-of-bounds write vulnerability exists in firmware.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. H3C Magic R300 is a wireless router produced by China H3C (H3C). An attacker could exploit this vulnerability to cause a buffer overflow and execute arbitrary code on the system

Fatek Automation FvDesigner FPJ File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Fatek Automation FvDesigner. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of FPJ files. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated data structure. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-18173. FATEK Automation Corporation of FvDesigner Exists in an out-of-bounds write vulnerability.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state

Fatek Automation FvDesigner FPJ File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Fatek Automation FvDesigner. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of FPJ files. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated data structure. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-18168. FATEK Automation Corporation of FvDesigner Exists in an out-of-bounds write vulnerability.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state

TOTOLINK X5000R V9.1.0u.6118_B20201102 and V9.1.0u.6369_B20230113 contain a command insertion vulnerability in setOpModeCfg. This vulnerability allows an attacker to execute arbitrary commands through the "hostName" parameter. TOTOLINK of X5000R Firmware contains a command injection vulnerability.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state