VARIoT IoT vulnerabilities database
| VAR-202207-1940 | CVE-2022-27612 | Classic buffer overflow vulnerability in Synology Inc. Audio Station |
CVSS V2: - CVSS V3: 9.8 Severity: CRITICAL |
Buffer copy without checking size of input ('Classic Buffer Overflow') vulnerability in cgi component in Synology Audio Station before 6.5.4-3367 allows remote attackers to execute arbitrary commands via unspecified vectors. Synology Inc. Audio Station contains a classic buffer overflow vulnerability. Information may be obtained or tampered with, and service operation may be interrupted (DoS). Synology Audio Station, from Synology China, lets users store and share their music collections and connect to Internet radio stations, with high-quality playback on a variety of devices. Versions prior to Synology Audio Station 6.5.4-3367 contain a security vulnerability.
| VAR-202207-1998 | CVE-2022-22685 | Path traversal vulnerability in Synology Inc. webdav server |
CVSS V2: - CVSS V3: 8.1 Severity: HIGH |
Improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability in webapi component in Synology WebDAV Server before 2.4.0-0062 allows remote authenticated users to delete arbitrary files via unspecified vectors. Synology Inc. webdav server contains a path traversal vulnerability. Information may be tampered with and service operation may be interrupted (DoS). Synology WebDAV Server is an extension of HTTP developed by China Synology Company that allows users to manage files stored on remote servers. Synology WebDAV Server versions prior to 2.4.0-0062 have a path traversal vulnerability.
| VAR-202207-2002 | CVE-2022-26376 | Out-of-bounds write vulnerability in ASUSTeK Computer Inc. ASUSWRT and other vendors' products |
CVSS V2: - CVSS V3: 5.3 Severity: MEDIUM |
A memory corruption vulnerability exists in the httpd unescape functionality of Asuswrt prior to 3.0.0.4.386_48706 and Asuswrt-Merlin New Gen prior to 386.7. A specially-crafted HTTP request can lead to memory corruption. An attacker can send a network request to trigger this vulnerability. ASUSTeK Computer Inc. ASUSWRT and products from other vendors contain an out-of-bounds write vulnerability. Information may be obtained or tampered with, and service operation may be interrupted (DoS). ASUS Asuswrt-Merlin is firmware that runs on the routers of ASUS Corporation of Taiwan, China.
| VAR-202207-2014 | CVE-2022-27610 | Path traversal vulnerability in Synology Inc. DiskStation Manager |
CVSS V2: - CVSS V3: 8.1 Severity: HIGH |
Improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability in webapi component in Synology DiskStation Manager (DSM) before 6.2.3-25423 allows remote authenticated users to delete arbitrary files via unspecified vectors. Synology Inc. DiskStation Manager contains a path traversal vulnerability. Information may be tampered with and service operation may be interrupted (DoS).
| VAR-202207-1779 | CVE-2022-1042 | Out-of-bounds write vulnerability in Zephyr Project Zephyr |
CVSS V2: - CVSS V3: 8.8 Severity: HIGH |
In the Zephyr Bluetooth mesh core stack, an out-of-bounds write vulnerability can be triggered during provisioning. Zephyr Project Zephyr contains an out-of-bounds write vulnerability. Information may be obtained or tampered with, and service operation may be interrupted (DoS).
| VAR-202207-1752 | CVE-2022-1041 | Out-of-bounds write vulnerability in Zephyr Project Zephyr |
CVSS V2: - CVSS V3: 8.8 Severity: HIGH |
In the Zephyr Bluetooth mesh core stack, an out-of-bounds write vulnerability can be triggered during provisioning. Zephyr Project Zephyr contains an out-of-bounds write vulnerability. Information may be obtained or tampered with, and service operation may be interrupted (DoS).
| VAR-202207-1799 | CVE-2022-22686 | Cross-site request forgery vulnerability in Synology Inc. Calendar |
CVSS V2: - CVSS V3: 8.0 Severity: HIGH |
Cross-Site Request Forgery (CSRF) vulnerability in webapi component in Synology Calendar before 2.3.4-0631 allows remote authenticated users to hijack the authentication of administrators via unspecified vectors. Synology Inc. Calendar contains a cross-site request forgery vulnerability. Information may be obtained or tampered with, and service operation may be interrupted (DoS). Synology Calendar is a file protection program run on Synology NAS (Network Storage Server) devices by Synology, a Taiwan-based company. Attackers can exploit this vulnerability to forge malicious requests to trick victims into clicking to perform sensitive operations.
| VAR-202207-1759 | CVE-2022-2310 | Authentication bypass by spoofing vulnerability in skyhighsecurity secure web gateway |
CVSS V2: - CVSS V3: 9.8 Severity: CRITICAL |
An authentication bypass vulnerability in Skyhigh SWG in main releases 10.x prior to 10.2.12, 9.x prior to 9.2.23, 8.x prior to 8.2.28, and controlled release 11.x prior to 11.2.1 allows a remote attacker to bypass authentication into the administration User Interface. This is possible because of SWG incorrectly whitelisting authentication bypass methods and using a weak crypto password. This can lead to the attacker logging into the SWG admin interface, without valid credentials, as the super user with complete control over the SWG. skyhighsecurity secure web gateway contains an authentication bypass by spoofing vulnerability. Information may be obtained or tampered with, and service operation may be interrupted (DoS).
| VAR-202207-1770 | CVE-2022-2043 | Out-of-bounds write vulnerability in Moxa Inc. Nport 5110 firmware |
CVSS V2: 7.8 CVSS V3: 7.5 Severity: HIGH |
MOXA NPort 5110: Firmware Versions 2.10 is vulnerable to an out-of-bounds write that can cause the device to become unresponsive. Moxa Inc. Nport 5110 firmware contains an out-of-bounds write vulnerability. Service operation may be interrupted (DoS). Moxa NPort 5110 is a general device server from MOXA.
| VAR-202207-1833 | CVE-2022-33935 | Cross-site scripting vulnerability in Dell EMC Data Protection Advisor |
CVSS V2: - CVSS V3: 5.4 Severity: MEDIUM |
Dell EMC Data Protection Advisor versions 19.6 and earlier contain a stored cross-site scripting vulnerability. An attacker could potentially exploit this vulnerability, leading to the storage of malicious HTML or JavaScript code in a trusted application data store. When a victim user accesses the data store through their browser, the malicious code gets executed by the web browser in the context of the vulnerable web application. Exploitation may lead to information disclosure, session theft, or client-side request forgery. Dell EMC Data Protection Advisor contains a cross-site scripting vulnerability. Information may be obtained and information may be tampered with.
| VAR-202207-1993 | CVE-2022-34574 | Direct request submission vulnerability in WAVLINK wifi-repeater firmware |
CVSS V2: - CVSS V3: 5.7 Severity: MEDIUM |
An access control issue in Wavlink WiFi-Repeater RPTA2-77W.M4300.01.GD.2017Sep19 allows attackers to obtain the key information of the device via accessing Tftpd32.ini. WAVLINK wifi-repeater firmware has a direct request submission vulnerability. Information may be obtained. WAVLINK WiFi-Repeater is a WiFi range extender produced by China Ruiyin Technology (WAVLINK) company. The RPTA2-77W.M4300.01.GD.2017Sep19 version of WAVLINK WiFi-Repeater contains a security vulnerability.
| VAR-202207-1961 | CVE-2022-34573 | Direct request submission vulnerability in WAVLINK wifi-repeater firmware |
CVSS V2: - CVSS V3: 6.3 Severity: MEDIUM |
An access control issue in Wavlink WiFi-Repeater RPTA2-77W.M4300.01.GD.2017Sep19 allows attackers to arbitrarily configure device settings via accessing the page mb_wifibasic.shtml. WAVLINK wifi-repeater firmware has a direct request submission vulnerability. Information may be obtained and information may be tampered with. WAVLINK WiFi-Repeater is a WiFi range extender produced by China Ruiyin Technology (WAVLINK) company. The RPTA2-77W.M4300.01.GD.2017Sep19 version of WAVLINK WiFi-Repeater contains a security vulnerability.
| VAR-202207-2017 | CVE-2022-34570 | Direct request submission vulnerability in WAVLINK wl-wn579x3 firmware |
CVSS V2: 7.8 CVSS V3: 7.5 Severity: HIGH |
WAVLINK WN579 X3 M79X3.V5030.191012/M79X3.V5030.191012 contains an information leak which allows attackers to obtain the key information via accessing the messages.txt page. WAVLINK wl-wn579x3 firmware contains vulnerabilities related to direct request submission and information leakage from log files. Information may be obtained. WAVLINK WN579 X3 is a wireless router from China WAVLINK company.
The M79X3.V5030.191012 version of WAVLINK WN579 X3 has an access control error vulnerability.
| VAR-202207-1814 | CVE-2022-34571 | Direct request submission vulnerability in WAVLINK wifi-repeater firmware |
CVSS V2: - CVSS V3: 8.0 Severity: HIGH |
An access control issue in Wavlink WiFi-Repeater RPTA2-77W.M4300.01.GD.2017Sep19 allows attackers to obtain the system key information and execute arbitrary commands via accessing the page syslog.shtml. WAVLINK wifi-repeater firmware has a direct request submission vulnerability. Information may be obtained or tampered with, and service operation may be interrupted (DoS). WAVLINK WiFi-Repeater is a WiFi range extender produced by China Ruiyin Technology (WAVLINK) company. The RPTA2-77W.M4300.01.GD.2017Sep19 version of WAVLINK WiFi-Repeater contains a security vulnerability.
| VAR-202207-1800 | CVE-2022-34575 | Authentication vulnerability in WAVLINK wifi-repeater firmware |
CVSS V2: - CVSS V3: 5.7 Severity: MEDIUM |
An access control issue in Wavlink WiFi-Repeater RPTA2-77W.M4300.01.GD.2017Sep19 allows attackers to obtain the key information of the device via accessing fctest.shtml. WAVLINK wifi-repeater firmware has an authentication vulnerability. Information may be obtained. WAVLINK WiFi-Repeater is a WiFi range extender produced by China Ruiyin Technology (WAVLINK) company. The RPTA2-77W.M4300.01.GD.2017Sep19 version of WAVLINK WiFi-Repeater contains a security vulnerability.
| VAR-202207-1912 | CVE-2022-34572 | Direct request submission vulnerability in WAVLINK wifi-repeater firmware |
CVSS V2: - CVSS V3: 5.7 Severity: MEDIUM |
An access control issue in Wavlink WiFi-Repeater RPTA2-77W.M4300.01.GD.2017Sep19 allows attackers to obtain the telnet password via accessing the page tftp.txt. WAVLINK wifi-repeater firmware has a direct request submission vulnerability. Information may be obtained. WAVLINK WiFi-Repeater is a WiFi range extender produced by China Ruiyin Technology (WAVLINK) company. The RPTA2-77W.M4300.01.GD.2017Sep19 version of WAVLINK WiFi-Repeater contains a security vulnerability.
| VAR-202207-2121 | No CVE | Weak Password Vulnerability Exists in Beijing Net Royal Nebula Information Technology Co., Ltd. Net Royal Security Gateway |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Beijing Net Royal Nebula Information Technology Co., Ltd. is a leading enterprise in the domestic information security industry, specializing in the research and development, production and sales of information security products, and providing hierarchical overall security solutions and professional security services for user information systems.
There is a weak password vulnerability in the Beijing Net Royal Nebula Information Technology Co., Ltd. Net Royal Security Gateway, which can be exploited by attackers to obtain sensitive information.
| VAR-202207-1637 | CVE-2022-20910 | OS command injection vulnerability in multiple Cisco products |
CVSS V2: - CVSS V3: 7.2 Severity: HIGH |
Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers could allow an authenticated, remote attacker to execute arbitrary code on an affected device or cause the device to restart unexpectedly, resulting in a denial of service (DoS) condition. These vulnerabilities are due to insufficient validation of user fields within incoming HTTP packets. An attacker could exploit these vulnerabilities by sending a crafted request to the web-based management interface. A successful exploit could allow the attacker to execute arbitrary commands on an affected device with root-level privileges or to cause the device to restart unexpectedly, resulting in a DoS condition. To exploit these vulnerabilities, an attacker would need to have valid Administrator credentials on the affected device. Cisco has not released software updates that address these vulnerabilities. Multiple Cisco products contain an OS command injection vulnerability. Information may be obtained or tampered with, and service operation may be interrupted (DoS).
| VAR-202207-1651 | CVE-2022-20902 | Classic buffer overflow vulnerability in multiple Cisco products |
CVSS V2: - CVSS V3: 7.2 Severity: HIGH |
Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers could allow an authenticated, remote attacker to execute arbitrary code on an affected device or cause the device to restart unexpectedly, resulting in a denial of service (DoS) condition. These vulnerabilities are due to insufficient validation of user fields within incoming HTTP packets. An attacker could exploit these vulnerabilities by sending a crafted request to the web-based management interface. A successful exploit could allow the attacker to execute arbitrary commands on an affected device with root-level privileges or to cause the device to restart unexpectedly, resulting in a DoS condition. To exploit these vulnerabilities, an attacker would need to have valid Administrator credentials on the affected device. Cisco has not released software updates that address these vulnerabilities. Multiple Cisco products contain a classic buffer overflow vulnerability. Information may be obtained or tampered with, and service operation may be interrupted (DoS).
| VAR-202207-1642 | CVE-2022-20894 | Classic buffer overflow vulnerability in multiple Cisco products |
CVSS V2: - CVSS V3: 7.2 Severity: HIGH |
Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers could allow an authenticated, remote attacker to execute arbitrary code on an affected device or cause the device to restart unexpectedly, resulting in a denial of service (DoS) condition. These vulnerabilities are due to insufficient validation of user fields within incoming HTTP packets. An attacker could exploit these vulnerabilities by sending a crafted request to the web-based management interface. A successful exploit could allow the attacker to execute arbitrary commands on an affected device with root-level privileges or to cause the device to restart unexpectedly, resulting in a DoS condition. To exploit these vulnerabilities, an attacker would need to have valid Administrator credentials on the affected device. Cisco has not released software updates that address these vulnerabilities. Multiple Cisco products contain a classic buffer overflow vulnerability. Information may be obtained or tampered with, and service operation may be interrupted (DoS).