VARIoT IoT vulnerabilities database
| VAR-202208-1908 | CVE-2022-37134 | D-Link Systems, Inc. DIR-816 firmware: vulnerability related to improper validation of quantities specified in input |
CVSS V2: 10.0 CVSS V3: 9.8 Severity: CRITICAL |
D-Link DIR-816 A2_v1.10CNB04.img is vulnerable to a buffer overflow via /goform/form2Wan.cgi. When wantype is 3, l2tp_usrname is base64-decoded and the result is stored in v94 without checking the size of l2tp_usrname, resulting in a stack overflow. D-Link Systems, Inc. DIR-816 firmware contains a vulnerability related to improper validation of quantities specified in input; information may be obtained or tampered with, and the device may be put into a denial-of-service (DoS) state. The D-Link DIR-816 is a wireless router from D-Link, a Taiwanese company.
| VAR-202208-1502 | CVE-2022-32480 | Dell EMC PowerScale OneFS: insecure initialization of resources to default values vulnerability |
CVSS V2: - CVSS V3: 6.5 Severity: MEDIUM |
Dell PowerScale OneFS, versions 9.0.0, up to and including 9.1.0.19, 9.2.1.12, 9.3.0.6, and 9.4.0.2, contain an insecure default initialization of a resource vulnerability. A remote authenticated attacker may potentially exploit this vulnerability, leading to information disclosure
| VAR-202208-1466 | CVE-2022-31237 | Dell EMC PowerScale OneFS: improper preservation of permissions vulnerability |
CVSS V2: - CVSS V3: 3.3 Severity: LOW |
Dell PowerScale OneFS, versions 9.2.0 up to and including 9.2.1.12 and 9.3.0.5, contain an improper preservation of permissions vulnerability in SyncIQ. A low-privileged local attacker may potentially exploit this vulnerability, leading to limited information disclosure. Dell EMC PowerScale OneFS contains an improper permission preservation vulnerability; information may be obtained.
| VAR-202208-1464 | CVE-2022-33932 | Dell EMC PowerScale OneFS: unspecified vulnerability |
CVSS V2: - CVSS V3: 5.3 Severity: MEDIUM |
Dell PowerScale OneFS, versions 9.0.0 up to and including 9.1.0.19, 9.2.1.12, 9.3.0.6, and 9.4.0.2, contain an unprotected primary channel vulnerability. An unauthenticated network attacker may potentially exploit this vulnerability, leading to a denial of filesystem services. Dell EMC PowerScale OneFS contains an unspecified vulnerability that may put the service into a denial-of-service (DoS) state.
| VAR-202208-1444 | CVE-2022-37175 | Shenzhen Tenda Technology Co.,Ltd. AC15 firmware: out-of-bounds write vulnerability |
CVSS V2: 10.0 CVSS V3: 9.8 Severity: CRITICAL |
Tenda AC15 firmware V15.03.05.18: the httpd server has a stack buffer overflow in /goform/formWifiBasicSet. Shenzhen Tenda Technology Co.,Ltd. AC15 firmware contains an out-of-bounds write vulnerability; information may be obtained or tampered with, and the device may be put into a denial-of-service (DoS) state.
Tenda AC15 has a buffer overflow vulnerability caused by improper bounds checking in the WifiBasicSet function. A remote attacker could exploit this vulnerability to overflow a buffer and execute arbitrary code on the system.
| VAR-202208-1445 | CVE-2022-36233 | Tenda AC9 firmware: out-of-bounds write vulnerability |
CVSS V2: 4.9 CVSS V3: 5.5 Severity: MEDIUM |
Tenda AC9 V15.03.2.13 is vulnerable to a buffer overflow via httpd, in form_fast_setting_wifi_set. Tenda AC9 firmware contains an out-of-bounds write vulnerability that may put the device into a denial-of-service (DoS) state. The Tenda AC9 is a wireless router from the Chinese company Tenda. An authenticated local attacker could exploit this vulnerability to cause a denial of service.
| VAR-202208-1483 | CVE-2022-35201 | Shenzhen Tenda Technology Co.,Ltd. AC18 firmware: unspecified vulnerability |
CVSS V2: 10.0 CVSS V3: 9.8 Severity: CRITICAL |
Tenda AC18 V15.03.05.05 was discovered to contain a remote command execution (RCE) vulnerability. Shenzhen Tenda Technology Co.,Ltd. AC18 firmware contains an unspecified vulnerability; information may be obtained or tampered with, and the device may be put into a denial-of-service (DoS) state.
| VAR-202208-1513 | CVE-2022-23182 | Intel Data Center Manager: unspecified vulnerability |
CVSS V2: - CVSS V3: 8.8 Severity: HIGH |
Improper access control in the Intel(R) Data Center Manager software before version 4.1 may allow an unauthenticated user to potentially enable escalation of privilege via adjacent access. Intel Data Center Manager contains an unspecified vulnerability; information may be obtained or tampered with, and the service may be put into a denial-of-service (DoS) state. Intel Data Center Manager is a software solution from Intel Corporation that collects and analyzes real-time health, power and thermal data for devices in the data center to help improve efficiency and uptime.
| VAR-202208-1937 | CVE-2022-24378 | Intel Data Center Manager: improper initialization vulnerability |
CVSS V2: - CVSS V3: 5.5 Severity: MEDIUM |
Improper initialization in the Intel(R) Data Center Manager software before version 4.1 may allow an authenticated user to potentially enable denial of service via local access. Intel Data Center Manager contains an initialization vulnerability that may put the service into a denial-of-service (DoS) state. Intel Data Center Manager collects and analyzes real-time health, power and thermal data for devices in the data center to help improve efficiency and uptime.
| VAR-202208-1512 | CVE-2022-21225 | Intel Data Center Manager: unspecified vulnerability |
CVSS V2: - CVSS V3: 8.0 Severity: HIGH |
Improper neutralization in the Intel(R) Data Center Manager software before version 4.1 may allow an authenticated user to potentially enable escalation of privilege via adjacent access. Intel Data Center Manager contains an unspecified vulnerability; information may be obtained or tampered with, and the service may be put into a denial-of-service (DoS) state. Intel Data Center Manager is a software solution from Intel Corporation that collects and analyzes real-time health, power and thermal data for devices in the data center to help improve efficiency and uptime.
| VAR-202208-1369 | CVE-2022-37063 | FLIR Systems, Inc. FLIR AX8 firmware: cross-site scripting vulnerability |
CVSS V2: - CVSS V3: 5.4 Severity: MEDIUM |
All FLIR AX8 thermal sensor cameras, versions up to and including 1.46.16, are vulnerable to cross-site scripting (XSS) due to improper input sanitization. An authenticated remote attacker can execute arbitrary JavaScript code in the web management interface. A successful exploit could allow the attacker to insert malicious JavaScript code. NOTE: The vendor has stated that with the introduction of firmware version 1.49.16 (Jan 2023) the FLIR AX8 should no longer be affected by the reported vulnerability. The latest firmware version (as of Oct 2025; released Jun 2024) is 1.55.16. FLIR Systems, Inc. FLIR AX8 firmware has a cross-site scripting vulnerability; information may be obtained and tampered with.
# FLIR AX8 vulnerabilities
### Product description:
The FLIR AX8 is a thermal sensor with imaging capabilities, combining thermal and visual cameras, that provides continuous temperature monitoring and alarming for critical electrical and mechanical equipment.
### Summary of the 4 vulnerabilities found / What we were able to find:
* [CVE-2022-37061] - Unauthenticated OS Command Injection.
FLIR AX8 is affected by an unauthenticated remote command injection vulnerability. It can be exploited to inject and execute arbitrary shell commands as the root user through the `id` HTTP POST parameter of the `res.php` endpoint.
* [CVE-2022-37060] - Unauthenticated Directory Traversal.
FLIR AX8 is affected by a directory traversal vulnerability due to an improper access restriction. An unauthenticated, remote attacker can exploit this by sending a URI that contains directory traversal characters to disclose the contents of files located outside the server's restricted path.
* [CVE-2022-37062] - Improper Access Control.
FLIR AX8 is affected by an insecure design vulnerability due to an improper directory access restriction. An unauthenticated, remote attacker can exploit this by sending a URI that contains the path of the SQLite users database and downloading it.
* [CVE-2022-37063] - Reflected cross-site scripting.
FLIR AX8 is affected by a reflected cross-site scripting (XSS) vulnerability due to improper input sanitization. An authenticated, remote attacker can execute arbitrary JavaScript code in the web management interface.
### Step by Step Example (How to Reproduce and verify) the vulnerabilities:
1. Unauthenticated Remote Command Injection.
The endpoint `/res.php` can be called remotely without user authentication, as there is no cookie verification (`Cookie: PHPSESSID=ID`) to check that the request is legitimate. The second problem is that the POST parameter `id` can be injected to execute any Linux command. In the example below we create a crafted query that displays the contents of the `/etc/shadow` file.
The server returns a JSON response containing the contents of the `/etc/shadow` file. This command injection is possible because there is no sanitization check on the variable `$_POST["id"]` (line 65), so its value reaches the `shell_exec()` function and can execute unexpected arbitrary shell commands.
2. Unauthenticated Directory Traversal.
The endpoint `/download.php` can be called remotely without user authentication, as there is no cookie verification (`Cookie: PHPSESSID=ID`) to check that the request is legitimate. The second problem is that the GET parameter `file` accepts a relative file path and can be used to download any file on the system. In the example below we create a crafted query that downloads the contents of the `/etc/passwd` file.
The error is due to the fact that the `$file_path` variable (line 26) is not sanitized when the `fopen()` function is called (line 39). However, a comment in the code (line 24) and the use of the `pathinfo()` function (line 28) suggest that the developer thought about this problem and created the sanitized variable `$path_parts`. But for some reason the developer does not use the sanitized variable `$path_parts` when `fopen()` is called. Probably an oversight.
3. Improper Access Control.
The endpoint `/FLIR/db/users.db` can be called remotely without user authentication, as there is no cookie verification (`Cookie: PHPSESSID=ID`) to check that the request is legitimate, which lets any malicious actor download the `users.db` SQLite database.
4. Reflected cross-site scripting.
In the settings tab, if a file whose filename contains JavaScript code is selected via the update-firmware file input, the JavaScript code will be triggered and executed. In our example, we created a file called
`<img src=x onerror=alert(String.fromCharCode(97,108,101,114,116,40,39,116,101,115,116,39,41,59));>.run`
### Recommendations for how to fix the 4 vulnerabilities:
* Vulnerability 1: The variable `$_POST["id"]`, line 65 in the file `/FLIR/usr/www/res.php`, must be sanitized using the function `intval()`, which removes any character other than integer digits. `escapeshellcmd()` and `escapeshellarg()` must also be used to escape any characters in the string that might be used to execute arbitrary commands.
More info:
https://www.php.net/intval
https://www.php.net/manual/en/function.escapeshellcmd
https://www.php.net/manual/en/function.escapeshellarg
* Vulnerability 2: The variable `$file_path`, line 39 in the file `/FLIR/usr/www/download.php`, must be sanitized using the function `pathinfo()`, and a hard-coded directory path must be used as well; if several directories need to be served, define a whitelist of all allowed directories and check the request against each one.
More info:
https://www.php.net/manual/en/function.pathinfo
* Vulnerability 3: Define a whitelist of all directories that a user is allowed to access. This can be added to the Lighttpd server configuration file, `/etc/lighttpd.conf`.
More info:
https://www.cyberciti.biz/tips/howto-lighttpd-enable-disable-directory-listing.html
* Vulnerability 4: To protect against the filename XSS attack, use a regex that filters the filename so that only letters and digits remain.
More info:
https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html
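The following PHP is an added illustration of recommendations 1 and 2 above (session check first, `intval()`/`escapeshellarg()` for `id`, `pathinfo()` plus a hard-coded directory for `file`); it is not the FLIR firmware's own `res.php`/`download.php`. The command path, download directory and session key are placeholders.

```php
<?php
// Added example, not FLIR firmware code: hardened handling of the two request
// parameters the advisory describes. PLACEHOLDER values must be adapted.
declare(strict_types=1);

// Recommendation 1: `id` is an integer, never a shell fragment. Reject anything
// that is not all digits, convert with intval(), and still quote the result
// with escapeshellarg() before it reaches shell_exec().
function safe_resource_id(array $post): int
{
    if (!isset($post['id']) || !preg_match('/^\d{1,9}$/', (string) $post['id'])) {
        http_response_code(400);
        exit('invalid id');
    }
    return intval($post['id']);
}

function run_resource_command(int $id): ?string
{
    // PLACEHOLDER command; the point is that $id is already an int and quoted.
    return shell_exec('/usr/bin/resource-tool ' . escapeshellarg((string) $id));
}

// Recommendation 2: serve only files inside one hard-coded directory.
const DOWNLOAD_DIR = '/FLIR/usr/www/downloads'; // PLACEHOLDER directory

function safe_download_path(string $requested): ?string
{
    // Keep only the final path component: "../../etc/passwd" becomes "passwd".
    $name = pathinfo($requested, PATHINFO_BASENAME);
    if ($name === '' || $name[0] === '.') {
        return null;                       // empty or dotfile: refuse
    }
    $base = realpath(DOWNLOAD_DIR);
    $full = realpath(DOWNLOAD_DIR . '/' . $name);
    // realpath() resolves symlinks and returns false for missing files, so the
    // prefix check also rejects a link inside the directory pointing outside it.
    if ($base === false || $full === false
        || strncmp($full, $base . '/', strlen($base) + 1) !== 0) {
        return null;
    }
    return $full;
}

// Authentication is checked before either branch runs (missing in all three
// original endpoints). PLACEHOLDER session key.
session_start();
if (empty($_SESSION['user'])) {
    http_response_code(401);
    exit('authentication required');
}
if (isset($_POST['id'])) {
    echo json_encode(['result' => run_resource_command(safe_resource_id($_POST))]);
} elseif (isset($_GET['file'])) {
    $path = safe_download_path((string) $_GET['file']);
    if ($path === null) {
        http_response_code(404);
        exit('not found');
    }
    header('Content-Type: application/octet-stream');
    readfile($path);
}
```

For recommendation 3 the same idea applies at the web-server layer: the `/FLIR/db/` path should be denied in the Lighttpd configuration rather than relying on the application.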
### Reference:
https://www.flir.com/products/ax8-automation/
### Security researchers:
* [Thomas Knudsen](https://www.linkedin.com/in/thomasjknudsen)
* [Samy Younsi](https://www.linkedin.com/in/samy-younsi)
| VAR-202208-1436 | CVE-2022-35173 | F5 Networks njs: improper check for exceptional conditions vulnerability |
CVSS V2: - CVSS V3: 7.5 Severity: HIGH |
An issue was discovered in Nginx NJS v0.7.5. The JUMP offset for a break instruction was not set to a correct offset during code generation, leading to a segmentation violation. F5 Networks njs contains an improper check for exceptional conditions vulnerability that may put the service into a denial-of-service (DoS) state.
| VAR-202208-1429 | CVE-2022-37062 | FLIR Systems, Inc. FLIR AX8 firmware: missing authentication for critical function vulnerability |
CVSS V2: - CVSS V3: 7.5 Severity: HIGH |
All FLIR AX8 thermal sensor cameras, versions up to and including 1.46.16, are affected by an insecure design vulnerability due to an improper directory access restriction. An unauthenticated, remote attacker can exploit this by sending a URI that contains the path of the SQLite users database and downloading it. A successful exploit could allow the attacker to extract usernames and hashed passwords. NOTE: The vendor has stated that with the introduction of firmware version 1.49.16 (Jan 2023) the FLIR AX8 should no longer be affected by the reported vulnerability. The latest firmware version (as of Oct 2025; released Jun 2024) is 1.55.16. FLIR Systems, Inc. FLIR AX8 firmware has a missing authentication for critical function vulnerability; information may be obtained.
| VAR-202208-1418 | CVE-2022-26017 | Intel Driver and Support Assistant: unspecified vulnerability |
CVSS V2: - CVSS V3: 8.0 Severity: HIGH |
Improper access control in the Intel(R) DSA software before version 22.2.14 may allow an authenticated user to potentially enable escalation of privilege via adjacent access. Intel Driver and Support Assistant contains an unspecified vulnerability; information may be obtained or tampered with, and the service may be put into a denial-of-service (DoS) state. Intel DSA is a driver update tool: it detects the drivers installed on the user's system and updates them to the latest version, supporting Intel graphics, audio, network and chipset drivers. Attackers could exploit this vulnerability to escalate privileges.
| VAR-202208-1390 | CVE-2022-25841 | Intel Datacenter Group Event for Android: uncontrolled search path element vulnerability |
CVSS V2: - CVSS V3: 7.8 Severity: HIGH |
Uncontrolled search path elements in the Intel(R) Datacenter Group Event Android application, all versions, may allow an authenticated user to potentially enable escalation of privilege via local access. The application may be put into a denial-of-service (DoS) state. Intel Datacenter Group Event is data center group event consulting software developed by Intel Corporation. Attackers could exploit this vulnerability to escalate privileges.
| VAR-202208-1417 | CVE-2022-22730 | Intel Edge Insights for Industrial: improper authentication vulnerability |
CVSS V2: - CVSS V3: 9.8 Severity: CRITICAL |
Improper authentication in the Intel(R) Edge Insights for Industrial software before version 2.6.1 may allow an unauthenticated user to potentially enable escalation of privilege via network access. Intel Edge Insights for Industrial contains an authentication vulnerability; information may be obtained or tampered with, and the service may be put into a denial-of-service (DoS) state. Intel Edge Insights for Industrial is a pre-validated, ready-to-deploy software reference design from Intel Corporation for video and time-series data ingestion.
| VAR-202208-1419 | CVE-2022-30296 | Intel Datacenter Group Event for iOS: insufficiently protected credentials vulnerability |
CVSS V2: - CVSS V3: 7.5 Severity: HIGH |
Insufficiently protected credentials in the Intel(R) Datacenter Group Event iOS application, all versions, may allow an unauthenticated user to potentially enable information disclosure via network access. Intel Datacenter Group Event for iOS contains an insufficiently protected credentials vulnerability; information may be obtained. Intel Datacenter Group Event is data center group event consulting software developed by Intel Corporation. An attacker could exploit this vulnerability to obtain sensitive information.
| VAR-202208-1450 | CVE-2022-28696 | Intel Distribution for Python: uncontrolled search path element vulnerability |
CVSS V2: - CVSS V3: 7.8 Severity: HIGH |
Uncontrolled search path in the Intel(R) Distribution for Python before version 2022.0.3 may allow an authenticated user to potentially enable escalation of privilege via local access. Intel Distribution for Python contains an uncontrolled search path element vulnerability; information may be obtained or tampered with, and the service may be put into a denial-of-service (DoS) state. Intel Distribution for Python is a Python distribution optimized for Intel hardware by Intel Corporation of the United States. Versions prior to 2022.0.3 are affected. Attackers could exploit this vulnerability to escalate privileges.
| VAR-202208-1489 | CVE-2022-23403 | Intel Data Center Manager: improper input validation vulnerability |
CVSS V2: - CVSS V3: 5.5 Severity: MEDIUM |
Improper input validation in the Intel(R) Data Center Manager software before version 4.1 may allow an authenticated user to potentially enable denial of service via local access. Intel Data Center Manager collects and analyzes real-time health, power and thermal data for devices in the data center to help improve efficiency and uptime.
| VAR-202208-1427 | CVE-2022-21148 | Intel Edge Insights for Industrial: unspecified vulnerability |
CVSS V2: - CVSS V3: 7.8 Severity: HIGH |
Improper access control in the Intel(R) Edge Insights for Industrial software before version 2.6.1 may allow an authenticated user to potentially enable escalation of privilege via local access. Intel Edge Insights for Industrial contains an unspecified vulnerability; information may be obtained or tampered with, and the service may be put into a denial-of-service (DoS) state. Intel Edge Insights for Industrial is a pre-validated, ready-to-deploy software reference design from Intel Corporation for video and time-series data ingestion. Versions prior to 2.6.1 are affected.