VARIoT IoT vulnerabilities database


VAR-202208-1908 CVE-2022-37134 Vulnerability in D-Link Systems, Inc. DIR-816 firmware related to improper validation of quantities specified in inputs
CVSS V2: 10.0
CVSS V3: 9.8
Severity: CRITICAL
D-Link DIR-816 A2_v1.10CNB04.img is vulnerable to a buffer overflow via /goform/form2Wan.cgi. When wantype is 3, l2tp_usrname is base64-decoded and the result is stored in v94 without checking the size of l2tp_usrname, resulting in a stack overflow. The DIR-816 firmware from D-Link Systems, Inc. contains a vulnerability related to improper validation of quantities specified in input. Information may be obtained or tampered with, and service operation may be interrupted (DoS). D-Link DIR-816 is a wireless router from D-Link Company in Taiwan.
VAR-202208-1502 CVE-2022-32480 Insecure initialization of resources to default value vulnerability in Dell EMC PowerScale OneFS
CVSS V2: -
CVSS V3: 6.5
Severity: MEDIUM
Dell PowerScale OneFS, versions 9.0.0, up to and including 9.1.0.19, 9.2.1.12, 9.3.0.6, and 9.4.0.2, contain an insecure default initialization of a resource vulnerability. A remote authenticated attacker may potentially exploit this vulnerability, leading to information disclosure
VAR-202208-1466 CVE-2022-31237 Improper permission preservation vulnerability in Dell EMC PowerScale OneFS
CVSS V2: -
CVSS V3: 3.3
Severity: LOW
Dell PowerScale OneFS, versions 9.2.0 up to and including 9.2.1.12 and 9.3.0.5, contain an improper preservation of permissions vulnerability in SyncIQ. A low privileged local attacker may potentially exploit this vulnerability, leading to limited information disclosure. Information may be obtained.
VAR-202208-1464 CVE-2022-33932 Vulnerability in Dell EMC PowerScale OneFS
CVSS V2: -
CVSS V3: 5.3
Severity: MEDIUM
Dell PowerScale OneFS, versions 9.0.0 up to and including 9.1.0.19, 9.2.1.12, 9.3.0.6, and 9.4.0.2, contain an unprotected primary channel vulnerability. An unauthenticated network malicious attacker may potentially exploit this vulnerability, leading to a denial of filesystem services. Dell EMC PowerScale OneFS contains an unspecified vulnerability. Service operation may be interrupted (DoS).
VAR-202208-1444 CVE-2022-37175 Out-of-bounds write vulnerability in Shenzhen Tenda Technology Co.,Ltd. AC15 firmware
CVSS V2: 10.0
CVSS V3: 9.8
Severity: CRITICAL
The httpd server in Tenda AC15 firmware V15.03.05.18 has a stack buffer overflow in /goform/formWifiBasicSet. The AC15 firmware from Shenzhen Tenda Technology Co.,Ltd. contains an out-of-bounds write vulnerability. Information may be obtained or tampered with, and service operation may be interrupted (DoS). The buffer overflow is caused by improper bounds checking in the WifiBasicSet function. A remote attacker could exploit this vulnerability to overflow a buffer and execute arbitrary code on the system.
VAR-202208-1445 CVE-2022-36233 Out-of-bounds write vulnerability in Tenda AC9 firmware
CVSS V2: 4.9
CVSS V3: 5.5
Severity: MEDIUM
Tenda AC9 V15.03.2.13 is vulnerable to a buffer overflow via httpd, form_fast_setting_wifi_set. The Tenda AC9 firmware contains an out-of-bounds write vulnerability. Service operation may be interrupted (DoS). The Tenda AC9 is a wireless router from the Chinese company Tenda. An authenticated local attacker could exploit this vulnerability to cause a denial of service.
VAR-202208-1483 CVE-2022-35201 Vulnerabilities in Shenzhen Tenda Technology Co.,Ltd. AC18 firmware
CVSS V2: 10.0
CVSS V3: 9.8
Severity: CRITICAL
Tenda AC18 V15.03.05.05 was discovered to contain a remote command execution (RCE) vulnerability. The AC18 firmware from Shenzhen Tenda Technology Co.,Ltd. contains unspecified vulnerabilities. Information may be obtained or tampered with, and service operation may be interrupted (DoS).
VAR-202208-1513 CVE-2022-23182 Vulnerability in Intel Data Center Manager
CVSS V2: -
CVSS V3: 8.8
Severity: HIGH
Improper access control in the Intel(R) Data Center Manager software before version 4.1 may allow an unauthenticated user to potentially enable escalation of privilege via adjacent access. Intel Data Center Manager contains an unspecified vulnerability. Information may be obtained or tampered with, and service operation may be interrupted (DoS). Intel Data Center Manager is a software solution of Intel Corporation. It collects and analyzes real-time health, power and heat of various devices in the data center to help improve efficiency and uptime.
VAR-202208-1937 CVE-2022-24378 Initialization vulnerability in Intel Data Center Manager
CVSS V2: -
CVSS V3: 5.5
Severity: MEDIUM
Improper initialization in the Intel(R) Data Center Manager software before version 4.1 may allow an authenticated user to potentially enable denial of service via local access. Intel Data Center Manager has an initialization vulnerability. Service operation may be interrupted (DoS). Intel Data Center Manager collects and analyzes real-time health, power and heat of various devices in the data center to help improve efficiency and uptime.
VAR-202208-1512 CVE-2022-21225 Vulnerability in Intel Data Center Manager
CVSS V2: -
CVSS V3: 8.0
Severity: HIGH
Improper neutralization in the Intel(R) Data Center Manager software before version 4.1 may allow an authenticated user to potentially enable escalation of privilege via adjacent access. Intel Data Center Manager contains an unspecified vulnerability. Information may be obtained or tampered with, and service operation may be interrupted (DoS). Intel Data Center Manager is a software solution of Intel Corporation. It collects and analyzes real-time health, power and heat of various devices in the data center to help improve efficiency and uptime.
VAR-202208-1369 CVE-2022-37063 Cross-site scripting vulnerability in FLIR Systems, Inc. FLIR AX8 firmware
CVSS V2: -
CVSS V3: 5.4
Severity: MEDIUM
All FLIR AX8 thermal sensor camera versions up to and including 1.46.16 are vulnerable to cross-site scripting (XSS) due to improper input sanitization. An authenticated remote attacker can execute arbitrary JavaScript code in the web management interface. A successful exploit could allow the attacker to insert malicious JavaScript code. NOTE: The vendor has stated that with the introduction of firmware version 1.49.16 (Jan 2023) the FLIR AX8 should no longer be affected by the vulnerability reported. Latest firmware version (as of Oct 2025, was released Jun 2024) is 1.55.16. The FLIR AX8 firmware from FLIR Systems, Inc. has a cross-site scripting vulnerability. Information may be obtained and information may be tampered with.

# FLIR AX8 vulnerabilities.

### Product description:

The FLIR AX8 is a thermal sensor with imaging capabilities, combining thermal and visual cameras, that provides continuous temperature monitoring and alarming for critical electrical and mechanical equipment.

### Summary of the 4 vulnerabilities found / What we were able to find:

* [CVE-2022-37061] - Unauthenticated OS Command Injection. FLIR AX8 is affected by an unauthenticated remote command injection vulnerability. This can be exploited to inject and execute arbitrary shell commands as the root user through the `id` HTTP POST parameter in the `res.php` endpoint.
* [CVE-2022-37060] - Unauthenticated Directory Traversal. FLIR AX8 is affected by a directory traversal vulnerability due to an improper access restriction. An unauthenticated, remote attacker can exploit this, by sending a URI that contains directory traversal characters, to disclose the contents of files located outside of the server's restricted path.
* [CVE-2022-37062] - Improper Access Control. FLIR AX8 is affected by an insecure design vulnerability due to an improper directory access restriction. An unauthenticated, remote attacker can exploit this, by sending a URI that contains the path of the SQLite users database, and download it.

### Step by Step Example (How to Reproduce and verify) the vulnerabilities:

1. Unauthenticated Remote Command Injection. The endpoint `/res.php` can be called remotely without user authentication as there is no cookie verification `Cookie: PHPSESSID=ID` to check if the request is legitimate. The second problem is that the POST parameter `id` can be injected to execute any Linux command. In the example below we create a crafted query that displays the contents of the `/etc/shadow` file. The server returns a JSON response containing the contents of the `/etc/shadow` file. This command injection occurs because there is no sanitization check on the variable `$_POST["id"]`, line 65, which can therefore take advantage of the `shell_exec()` function to execute unexpected arbitrary shell commands.
2. Unauthenticated Directory Traversal. The endpoint `/download.php` can be called remotely without user authentication as there is no cookie verification `Cookie: PHPSESSID=ID` to check if the request is legitimate. The second problem is that the GET parameter `file` can be injected with a relative file path to download any file on the system. In the example below we create a crafted query that downloads the contents of the `/etc/passwd` file. The error is due to the fact that there is no sanitization of the `$file_path` variable, line 26, when the `fopen()` function is called, line 39. However, a comment in the code, line 24, and the use of the function `pathinfo()`, line 28, suggest that the developer thought about this problem and therefore created the variable `$path_parts`, which is sanitized. But for some reason the developer does not use the sanitized variable `$path_parts` when the function `fopen()` is used. Probably an oversight.
3. Improper Access Control. The endpoint `/FLIR/db/users.db` can be called remotely without user authentication as there is no cookie verification `Cookie: PHPSESSID=ID` to check if the request is legitimate, which lets any malicious actor download the `users.db` SQLite database.
4. In the settings tab, if a file with a filename that contains JavaScript code is selected via the update firmware file input, the JavaScript code will be triggered and executed. In our example, we created a file called `<img src=x onerror=alert(String.fromCharCode(97,108,101,114,116,40,39,116,101,115,116,39,41,59));>.run`

### Recommendations for how to fix the 4 vulnerabilities:

* Vulnerability 1: The variable `$_POST["id"]`, line 65 in the file `/FLIR/usr/www/res.php`, must be sanitized using the function `intval()`, which will remove any character other than an integer value. `escapeshellcmd()` and `escapeshellarg()` must also be used to escape any characters in a string that might be used to execute arbitrary commands. More info: https://www.php.net/intval https://www.php.net/manual/en/function.escapeshellcmd https://www.php.net/manual/en/function.escapeshellarg
* Vulnerability 2: The variable `$file_path`, line 39 in the file `/FLIR/usr/www/download.php`, must be sanitized using the function `pathinfo()` and must also use a hard-coded directory path. If you need to manage several directories, set a whitelist of all allowed directories and use multiple conditions. More info: https://www.php.net/manual/en/function.pathinfo
* Vulnerability 3: Define a whitelist of all directories that a user is allowed to access. This can be added to the Lighttpd server configuration file, in `/etc/lighttpd.conf`. More info: https://www.cyberciti.biz/tips/howto-lighttpd-enable-disable-directory-listing.html
* Vulnerability 4: To protect against a filename XSS attack you can use a regex that will parse the filename to leave only numbers and letters. More info: https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html

### Reference:

https://www.flir.com/products/ax8-automation/

### Security researchers:

* [Thomas Knudsen](https://www.linkedin.com/in/thomasjknudsen)
* [Samy Younsi](https://www.linkedin.com/in/samy-younsi)

VAR-202208-1436 CVE-2022-35173 Vulnerability in checking for exceptional conditions in F5 Networks njs
CVSS V2: -
CVSS V3: 7.5
Severity: HIGH
An issue was discovered in Nginx NJS v0.7.5. The JUMP offset for a break instruction was not set to a correct offset during code generation, leading to a segmentation violation. F5 Networks njs contains a vulnerability in checking for exceptional conditions. Service operation may be interrupted (DoS).
VAR-202208-1429 CVE-2022-37062 Vulnerability related to lack of authentication for critical functions in FLIR Systems, Inc. FLIR AX8 firmware
CVSS V2: -
CVSS V3: 7.5
Severity: HIGH
All FLIR AX8 thermal sensor camera versions up to and including 1.46.16 are affected by an insecure design vulnerability due to an improper directory access restriction. An unauthenticated, remote attacker can exploit this by sending a URI that contains the path of the SQLite users database and download it. A successful exploit could allow the attacker to extract usernames and hashed passwords. NOTE: The vendor has stated that with the introduction of firmware version 1.49.16 (Jan 2023) the FLIR AX8 should no longer be affected by the vulnerability reported. Latest firmware version (as of Oct 2025, was released Jun 2024) is 1.55.16. The FLIR AX8 firmware from FLIR Systems, Inc. has a lack of authentication vulnerability for critical functionality. Information may be obtained.

# FLIR AX8 vulnerabilities.

### Product description:

The FLIR AX8 is a thermal sensor with imaging capabilities, combining thermal and visual cameras, that provides continuous temperature monitoring and alarming for critical electrical and mechanical equipment.

### Summary of the 4 vulnerabilities found / What we were able to find:

* [CVE-2022-37061] - Unauthenticated OS Command Injection. FLIR AX8 is affected by an unauthenticated remote command injection vulnerability. This can be exploited to inject and execute arbitrary shell commands as the root user through the `id` HTTP POST parameter in the `res.php` endpoint.
* [CVE-2022-37060] - Unauthenticated Directory Traversal.
* [CVE-2022-37062] - Improper Access Control.
* [CVE-2022-37063] - Reflected cross-site scripting. FLIR AX8 is affected by a reflected cross-site scripting (XSS) vulnerability due to improper input sanitization. An authenticated, remote attacker can execute arbitrary JavaScript code in the web management interface.

### Step by Step Example (How to Reproduce and verify) the vulnerabilities:

1. Unauthenticated Remote Command Injection. The endpoint `/res.php` can be called remotely without user authentication as there is no cookie verification `Cookie: PHPSESSID=ID` to check if the request is legitimate. The second problem is that the POST parameter `id` can be injected to execute any Linux command. In the example below we create a crafted query that displays the contents of the `/etc/shadow` file. The server returns a JSON response containing the contents of the `/etc/shadow` file. This command injection occurs because there is no sanitization check on the variable `$_POST["id"]`, line 65, which can therefore take advantage of the `shell_exec()` function to execute unexpected arbitrary shell commands.
2. Unauthenticated Directory Traversal. The endpoint `/download.php` can be called remotely without user authentication as there is no cookie verification `Cookie: PHPSESSID=ID` to check if the request is legitimate. The second problem is that the GET parameter `file` can be injected with a relative file path to download any file on the system. In the example below we create a crafted query that downloads the contents of the `/etc/passwd` file. The error is due to the fact that there is no sanitization of the `$file_path` variable, line 26, when the `fopen()` function is called, line 39. However, a comment in the code, line 24, and the use of the function `pathinfo()`, line 28, suggest that the developer thought about this problem and therefore created the variable `$path_parts`, which is sanitized. But for some reason the developer does not use the sanitized variable `$path_parts` when the function `fopen()` is used. Probably an oversight.
3. Improper Access Control. The endpoint `/FLIR/db/users.db` can be called remotely without user authentication as there is no cookie verification `Cookie: PHPSESSID=ID` to check if the request is legitimate, which lets any malicious actor download the `users.db` SQLite database.
4. Reflected cross-site scripting. In the settings tab, if a file with a filename that contains JavaScript code is selected via the update firmware file input, the JavaScript code will be triggered and executed. In our example, we created a file called `<img src=x onerror=alert(String.fromCharCode(97,108,101,114,116,40,39,116,101,115,116,39,41,59));>.run`

### Recommendations for how to fix the 4 vulnerabilities:

* Vulnerability 1: The variable `$_POST["id"]`, line 65 in the file `/FLIR/usr/www/res.php`, must be sanitized using the function `intval()`, which will remove any character other than an integer value. `escapeshellcmd()` and `escapeshellarg()` must also be used to escape any characters in a string that might be used to execute arbitrary commands. More info: https://www.php.net/intval https://www.php.net/manual/en/function.escapeshellcmd https://www.php.net/manual/en/function.escapeshellarg
* Vulnerability 2: The variable `$file_path`, line 39 in the file `/FLIR/usr/www/download.php`, must be sanitized using the function `pathinfo()` and must also use a hard-coded directory path. If you need to manage several directories, set a whitelist of all allowed directories and use multiple conditions. More info: https://www.php.net/manual/en/function.pathinfo
* Vulnerability 3: Define a whitelist of all directories that a user is allowed to access. This can be added to the Lighttpd server configuration file, in `/etc/lighttpd.conf`. More info: https://www.cyberciti.biz/tips/howto-lighttpd-enable-disable-directory-listing.html
* Vulnerability 4: To protect against a filename XSS attack you can use a regex that will parse the filename to leave only numbers and letters. More info: https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html

### Reference:

https://www.flir.com/products/ax8-automation/

### Security researchers:

* [Thomas Knudsen](https://www.linkedin.com/in/thomasjknudsen)
* [Samy Younsi](https://www.linkedin.com/in/samy-younsi)

VAR-202208-1418 CVE-2022-26017 Vulnerability in Intel Driver and Support Assistant
CVSS V2: -
CVSS V3: 8.0
Severity: HIGH
Improper access control in the Intel(R) DSA software before version 22.2.14 may allow an authenticated user to potentially enable escalation of privilege via adjacent access. Intel Driver and Support Assistant contains an unspecified vulnerability. Information may be obtained or tampered with, and service operation may be interrupted (DoS). Intel DSA is a driver update tool. It detects the user's drivers and updates installed drivers to the latest version, supporting Intel graphics card, audio, network card and chipset drivers, which makes it a must-have for users of Intel graphics cards. Attackers can exploit this vulnerability to escalate privileges.
VAR-202208-1390 CVE-2022-25841 Vulnerability regarding uncontrolled search path elements in Intel Datacenter Group Event for Android
CVSS V2: -
CVSS V3: 7.8
Severity: HIGH
Uncontrolled search path elements in the Intel(R) Datacenter Group Event Android application, all versions, may allow an authenticated user to potentially enable escalation of privilege via local access. A denial-of-service (DoS) condition may result. Intel Datacenter Group Event is data center group event consulting software developed by Intel Corporation. Attackers can exploit this vulnerability to escalate privileges.
VAR-202208-1417 CVE-2022-22730 Authentication vulnerability in Intel Edge Insights for Industrial
CVSS V2: -
CVSS V3: 9.8
Severity: CRITICAL
Improper authentication in the Intel(R) Edge Insights for Industrial software before version 2.6.1 may allow an unauthenticated user to potentially enable escalation of privilege via network access. Intel Edge Insights for Industrial contains an authentication vulnerability. Information may be obtained or tampered with, and service operation may be interrupted (DoS). Intel Edge Insights for Industrial is a pre-validated, ready-to-deploy software reference design from Intel Corporation for video and time-series data ingestion.
VAR-202208-1419 CVE-2022-30296 Vulnerability regarding insufficient protection of authentication information in Intel Datacenter Group Event for iPhone OS
CVSS V2: -
CVSS V3: 7.5
Severity: HIGH
Insufficiently protected credentials in the Intel(R) Datacenter Group Event iOS application, all versions, may allow an unauthenticated user to potentially enable information disclosure via network access. Intel Datacenter Group Event for iPhone OS contains a vulnerability involving inadequate protection of credentials. Information may be obtained. Intel Datacenter Group Event is data center group event consulting software developed by Intel Corporation. An attacker could exploit this vulnerability to obtain sensitive information.
VAR-202208-1450 CVE-2022-28696 Vulnerability regarding uncontrolled search path elements in Intel Distribution for Python
CVSS V2: -
CVSS V3: 7.8
Severity: HIGH
Uncontrolled search path in the Intel(R) Distribution for Python before version 2022.0.3 may allow an authenticated user to potentially enable escalation of privilege via local access. Intel Distribution for Python contains an uncontrolled search path element vulnerability. Information may be obtained or tampered with, and service operation may be interrupted (DoS). Intel Distribution for Python is a Python distribution optimized for Intel hardware by Intel Corporation of the United States. Intel Distribution for Python versions prior to 2022.0.3 have security vulnerabilities. Attackers can exploit this vulnerability to escalate privileges.
VAR-202208-1489 CVE-2022-23403 Input verification vulnerability in Intel Data Center Manager
CVSS V2: -
CVSS V3: 5.5
Severity: MEDIUM
Improper input validation in the Intel(R) Data Center Manager software before version 4.1 may allow an authenticated user to potentially enable denial of service via local access. Intel Data Center Manager collects and analyzes real-time health, power and heat of various devices in the data center to help improve efficiency and uptime.
VAR-202208-1427 CVE-2022-21148 Vulnerability in Intel Edge Insights for Industrial
CVSS V2: -
CVSS V3: 7.8
Severity: HIGH
Improper access control in the Intel(R) Edge Insights for Industrial software before version 2.6.1 may allow an authenticated user to potentially enable escalation of privilege via local access. Intel Edge Insights for Industrial contains an unspecified vulnerability. Information may be obtained or tampered with, and service operation may be interrupted (DoS). Intel Edge Insights for Industrial is a pre-validated, ready-to-deploy software reference design from Intel Corporation for video and time-series data ingestion. Intel Edge Insights for Industrial software prior to version 2.6.1 has a security vulnerability.