VARIoT IoT vulnerabilities database


VAR-202505-3817 CVE-2025-3945 Argument insertion or modification vulnerability in Tridium Niagara and Niagara Enterprise Security
CVSS V2: -
CVSS V3: 7.2
Severity: HIGH
Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') vulnerability in Tridium Niagara Framework on QNX, Tridium Niagara Enterprise Security on QNX allows Command Delimiters. This issue affects Niagara Framework: before 4.14.2, before 4.15.1, before 4.10.11; Niagara Enterprise Security: before 4.14.2, before 4.15.1, before 4.10.11. Tridium recommends upgrading to Niagara Framework and Enterprise Security versions 4.14.2u2, 4.15.u1, or 4.10u.11. The product may be put into a denial of service (DoS) state.

VAR-202505-3461 CVE-2025-3944 Improper permission assignment for critical resource vulnerability in Tridium Niagara and Niagara Enterprise Security
CVSS V2: -
CVSS V3: 7.2
Severity: HIGH
Incorrect Permission Assignment for Critical Resource vulnerability in Tridium Niagara Framework on QNX, Tridium Niagara Enterprise Security on QNX allows File Manipulation. This issue affects Niagara Framework: before 4.14.2, before 4.15.1, before 4.10.11; Niagara Enterprise Security: before 4.14.2, before 4.15.1, before 4.10.11. Tridium recommends upgrading to Niagara Framework and Enterprise Security versions 4.14.2u2, 4.15.u1, or 4.10u.11. The product may be put into a denial of service (DoS) state.

VAR-202505-3074 CVE-2025-3943 Vulnerability in Tridium Niagara and Niagara Enterprise Security
CVSS V2: -
CVSS V3: 4.1
Severity: MEDIUM
Use of GET Request Method With Sensitive Query Strings vulnerability in Tridium Niagara Framework on Windows, Linux, QNX, Tridium Niagara Enterprise Security on Windows, Linux, QNX allows Parameter Injection. This issue affects Niagara Framework: before 4.14.2, before 4.15.1, before 4.10.11; Niagara Enterprise Security: before 4.14.2, before 4.15.1, before 4.10.11. Tridium recommends upgrading to Niagara Framework and Enterprise Security versions 4.14.2u2, 4.15.u1, or 4.10u.11.

VAR-202505-2874 CVE-2025-3942 Encoding and escaping vulnerability in Tridium Niagara and Niagara Enterprise Security
CVSS V2: -
CVSS V3: 4.3
Severity: MEDIUM
Improper Output Neutralization for Logs vulnerability in Tridium Niagara Framework on Windows, Linux, QNX, Tridium Niagara Enterprise Security on Windows, Linux, QNX allows Input Data Manipulation. This issue affects Niagara Framework: before 4.14.2, before 4.15.1, before 4.10.11; Niagara Enterprise Security: before 4.14.2, before 4.15.1, before 4.10.11. Tridium recommends upgrading to Niagara Framework and Enterprise Security versions 4.14.2u2, 4.15.u1, or 4.10u.11.

VAR-202505-3274 CVE-2025-3941 Vulnerability involving use of incorrectly resolved names and references in Tridium Niagara and Niagara Enterprise Security
CVSS V2: -
CVSS V3: 5.4
Severity: MEDIUM
Improper Handling of Windows ::DATA Alternate Data Stream vulnerability in Tridium Niagara Framework on Windows, Tridium Niagara Enterprise Security on Windows allows Input Data Manipulation. This issue affects Niagara Framework: before 4.14.2, before 4.15.1, before 4.10.11; Niagara Enterprise Security: before 4.14.2, before 4.15.1, before 4.10.11. Tridium recommends upgrading to Niagara Framework and Enterprise Security versions 4.14.2u2, 4.15.u1, or 4.10u.11. Tridium Niagara and Niagara Enterprise Security contain a vulnerability involving the use of incorrectly resolved names and references. Information may be obtained, information may be tampered with, and the product may be put into a denial of service (DoS) state.

VAR-202505-3992 CVE-2025-3940 Vulnerability in Tridium Niagara and Niagara Enterprise Security
CVSS V2: -
CVSS V3: 5.3
Severity: MEDIUM
Improper Use of Validation Framework vulnerability in Tridium Niagara Framework on Windows, Linux, QNX, Tridium Niagara Enterprise Security on Windows, Linux, QNX allows Input Data Manipulation. This issue affects Niagara Framework: before 4.14.2, before 4.15.1, before 4.10.11; Niagara Enterprise Security: before 4.14.2, before 4.15.1, before 4.10.11. Tridium recommends upgrading to Niagara Framework and Enterprise Security versions 4.14.2u2, 4.15.u1, or 4.10u.11. The product may be put into a denial of service (DoS) state.

VAR-202505-3275 CVE-2025-3939 Vulnerability involving observable inconsistencies in Tridium Niagara and Niagara Enterprise Security
CVSS V2: -
CVSS V3: 5.3
Severity: MEDIUM
Observable Response Discrepancy vulnerability in Tridium Niagara Framework on Windows, Linux, QNX, Tridium Niagara Enterprise Security on Windows, Linux, QNX allows Cryptanalysis. This issue affects Niagara Framework: before 4.14.2, before 4.15.1, before 4.10.11; Niagara Enterprise Security: before 4.14.2, before 4.15.1, before 4.10.11. Tridium recommends upgrading to Niagara Framework and Enterprise Security versions 4.14.2u2, 4.15.u1, or 4.10u.11.

VAR-202505-2532 CVE-2025-3938 Cryptographic algorithm usage vulnerability in Tridium Niagara and Niagara Enterprise Security
CVSS V2: -
CVSS V3: 6.8
Severity: MEDIUM
Missing Cryptographic Step vulnerability in Tridium Niagara Framework on Windows, Linux, QNX, Tridium Niagara Enterprise Security on Windows, Linux, QNX allows Cryptanalysis. This issue affects Niagara Framework: before 4.14.2, before 4.15.1, before 4.10.11; Niagara Enterprise Security: before 4.14.2, before 4.15.1, before 4.10.11. Tridium recommends upgrading to Niagara Framework and Enterprise Security versions 4.14.2u2, 4.15.u1, or 4.10u.11. The product may be put into a denial of service (DoS) state.

VAR-202505-2694 CVE-2025-3937 Vulnerability related to the use of insufficiently strong password hashes in Tridium Niagara and Niagara Enterprise Security
CVSS V2: -
CVSS V3: 7.7
Severity: HIGH
Use of Password Hash With Insufficient Computational Effort vulnerability in Tridium Niagara Framework on Windows, Linux, QNX, Tridium Niagara Enterprise Security on Windows, Linux, QNX allows Cryptanalysis. This issue affects Niagara Framework: before 4.14.2, before 4.15.1, before 4.10.11; Niagara Enterprise Security: before 4.14.2, before 4.15.1, before 4.10.11. Tridium recommends upgrading to Niagara Framework and Enterprise Security versions 4.14.2u2, 4.15.u1, or 4.10u.11. The product may be put into a denial of service (DoS) state.

VAR-202505-3468 CVE-2025-3936 Improper permission assignment for critical resource vulnerability in Tridium Niagara and Niagara Enterprise Security
CVSS V2: -
CVSS V3: 6.5
Severity: MEDIUM
Incorrect Permission Assignment for Critical Resource vulnerability in Tridium Niagara Framework on Windows, Tridium Niagara Enterprise Security on Windows allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Niagara Framework: before 4.14.2, before 4.15.1, before 4.10.11; Niagara Enterprise Security: before 4.14.2, before 4.15.1, before 4.10.11. Tridium recommends upgrading to Niagara Framework and Enterprise Security versions 4.14.2u2, 4.15.u1, or 4.10u.11. The product may be put into a denial of service (DoS) state.

VAR-202505-3920 No CVE H3C Magic R3010 Gigabit Dual-Band Wi-Fi 6 Router from H3C Technologies Co., Ltd. has a logic defect vulnerability
CVSS V2: 10.0
CVSS V3: -
Severity: HIGH
H3C Technologies Co., Ltd. is a global leader in digital solutions. The H3C Magic R3010 Gigabit Dual-Band Wi-Fi 6 Router from H3C Technologies Co., Ltd. has a logic flaw vulnerability that can be exploited by attackers to gain control of the server.

VAR-202505-3051 CVE-2025-45753 Code injection vulnerability in Vtiger's Vtiger CRM
CVSS V2: -
CVSS V3: 7.2
Severity: HIGH
A vulnerability in Vtiger CRM Open Source Edition v8.3.0 allows an attacker with admin privileges to execute arbitrary PHP code by exploiting the ZIP import functionality in the Module Import feature. Vtiger CRM contains a code injection vulnerability. Information may be obtained, information may be tampered with, and the product may be put into a denial of service (DoS) state.

VAR-202505-3447 CVE-2025-45755 Cross-site scripting vulnerability in Vtiger's Vtiger CRM
CVSS V2: -
CVSS V3: 6.1
Severity: MEDIUM
A Stored Cross-Site Scripting (XSS) vulnerability exists in Vtiger CRM Open Source Edition v8.3.0, exploitable via the Services Import feature. An attacker can craft a malicious CSV file containing an XSS payload, mapped to the Service Name field. When the file is uploaded, the application improperly sanitizes user input, leading to persistent script execution.

VAR-202505-3056 CVE-2025-44083 Authentication vulnerability in D-Link Systems, Inc. DI-8100 firmware
CVSS V2: 10.0
CVSS V3: 9.8
Severity: CRITICAL
An issue in D-Link DI-8100 16.07.26A1 allows a remote attacker to bypass administrator login authentication. The D-Link Systems, Inc. DI-8100 firmware contains an authentication vulnerability. Information may be obtained, information may be tampered with, and the product may be put into a denial of service (DoS) state. D-Link DI-8100 is a wireless broadband router designed for small and medium-sized network environments by China's D-Link. No further vulnerability details are currently available.

VAR-202505-2355 CVE-2025-44882 OS command injection vulnerability in WAVLINK WL-WN579A3 firmware
CVSS V2: 10.0
CVSS V3: 9.8
Severity: CRITICAL
A command injection vulnerability in the component /cgi-bin/firewall.cgi of Wavlink WL-WN579A3 v1.0 allows attackers to execute arbitrary commands via a crafted input. The WAVLINK WL-WN579A3 firmware contains an OS command injection vulnerability. Information may be obtained, information may be tampered with, and the product may be put into a denial of service (DoS) state. WAVLINK WL-WN579A3 is a high-performance dual-band wireless network card from WAVLINK, a Chinese company.

VAR-202505-2375 CVE-2025-44880 OS command injection vulnerability in WAVLINK WL-WN579A3 firmware
CVSS V2: 10.0
CVSS V3: 9.8
Severity: CRITICAL
A command injection vulnerability in the component /cgi-bin/adm.cgi of Wavlink WL-WN579A3 v1.0 allows attackers to execute arbitrary commands via a crafted input. The WAVLINK WL-WN579A3 firmware contains an OS command injection vulnerability. Information may be obtained, information may be tampered with, and the product may be put into a denial of service (DoS) state. WAVLINK WL-WN579A3 is a high-performance dual-band wireless network card from WAVLINK, a Chinese company.

VAR-202505-2378 CVE-2025-44893 Stack-based buffer overflow vulnerability in PLANET WGS-804HPT firmware
CVSS V2: 10.0
CVSS V3: 9.8
Severity: CRITICAL
FW-WGS-804HPT v1.305b241111 was discovered to contain a stack overflow via the ruleNamekey parameter in the web_acl_mgmt_Rules_Apply_post function. The PLANET WGS-804HPT firmware contains a stack-based buffer overflow vulnerability. Information may be obtained, information may be tampered with, and the product may be put into a denial of service (DoS) state. Planet FW-WGS-804HPT is a wall-mounted managed switch from China's PLANET company. Planet FW-WGS-804HPT has a buffer overflow vulnerability, caused by the ruleNamekey parameter in the web_acl_mgmt_Rules_Apply_post function failing to properly verify the length of the input data. Attackers can exploit this vulnerability to execute arbitrary code on the system or cause a denial of service.

VAR-202505-2333 CVE-2025-44890 Stack-based buffer overflow vulnerability in PLANET WGS-804HPT firmware
CVSS V2: 10.0
CVSS V3: 9.8
Severity: CRITICAL
FW-WGS-804HPT v1.305b241111 was discovered to contain a stack overflow via the host_ip parameter in the web_snmp_notifyv3_add_post function. The PLANET WGS-804HPT firmware contains a stack-based buffer overflow vulnerability. Information may be obtained, information may be tampered with, and the product may be put into a denial of service (DoS) state. Planet FW-WGS-804HPT is a wall-mounted managed switch from China's PLANET company. Planet FW-WGS-804HPT has a buffer overflow vulnerability, caused by the host_ip parameter in the web_snmp_notifyv3_add_post function failing to properly verify the length of the input data. Attackers can exploit this vulnerability to execute arbitrary code or cause a denial of service.

VAR-202505-2242 CVE-2025-44888 Stack-based buffer overflow vulnerability in PLANET WGS-804HPT firmware
CVSS V2: 10.0
CVSS V3: 9.8
Severity: CRITICAL
FW-WGS-804HPT v1.305b241111 was discovered to contain a stack overflow via the stp_conf_name parameter in the web_stp_globalSetting_post function. The PLANET WGS-804HPT firmware contains a stack-based buffer overflow vulnerability. Information may be obtained, information may be tampered with, and the product may be put into a denial of service (DoS) state. Planet FW-WGS-804HPT is a wall-mounted managed switch from China's PLANET company. Planet FW-WGS-804HPT has a buffer overflow vulnerability, caused by the stp_conf_name parameter in the web_stp_globalSetting_post function failing to properly verify the length of the input data. Attackers can exploit this vulnerability to execute arbitrary code or cause a denial of service.

VAR-202505-2459 CVE-2025-44887 Stack-based buffer overflow vulnerability in PLANET WGS-804HPT firmware
CVSS V2: 10.0
CVSS V3: 9.8
Severity: CRITICAL
FW-WGS-804HPT v1.305b241111 was discovered to contain a stack overflow via the radIpkey parameter in the web_radiusSrv_post function. The PLANET WGS-804HPT firmware contains a stack-based buffer overflow vulnerability. Information may be obtained, information may be tampered with, and the product may be put into a denial of service (DoS) state. Planet FW-WGS-804HPT is a wall-mounted managed switch from China's PLANET company. Planet FW-WGS-804HPT has a buffer overflow vulnerability, caused by the radIpkey parameter in the web_radiusSrv_post function failing to properly verify the length of the input data. Attackers can exploit this vulnerability to execute arbitrary code on the system or cause a denial of service.