VARIoT IoT vulnerabilities database

VAR-202206-2408 No CVE Weak password vulnerability in TOTOLINK A7000R
CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
TOTOLINK A7000R is a wireless router. TOTOLink A7000R has a weak password vulnerability, which can be exploited by attackers to obtain sensitive information.
VAR-202206-0354 CVE-2021-42892 TOTOLINK EX1200T Trust Management Issue Vulnerability
CVSS V2: 5.0
CVSS V3: 4.3
Severity: MEDIUM
In TOTOLINK EX1200T V4.1.2cu.5215, an attacker can start telnet without authorization because a default username and password exist in the firmware. The TOTOLINK EX1200T firmware contains a vulnerability related to the use of hardcoded credentials. Information may be tampered with. TOTOLINK EX1200T is a Wi-Fi range extender from TOTOLINK (China).
VAR-202206-0176 CVE-2021-42890 OS command injection vulnerability in TOTOLINK EX1200T firmware
CVSS V2: 7.5
CVSS V3: 9.8
Severity: CRITICAL
TOTOLINK EX1200T V4.1.2cu.5215 contains a remote command injection vulnerability in the function NTPSyncWithHost of the file system.so, in which an attacker can control hostTime to carry out the attack. The TOTOLINK EX1200T firmware contains an OS command injection vulnerability. Information may be obtained or tampered with, and service may be interrupted (DoS). TOTOLINK EX1200T is a Wi-Fi range extender from TOTOLINK (China).
VAR-202206-0320 CVE-2021-42886 TOTOLINK EX1200T Information Disclosure Vulnerability
CVSS V2: 5.0
CVSS V3: 7.5
Severity: HIGH
TOTOLINK EX1200T V4.1.2cu.5215 contains an information disclosure vulnerability where an attacker can get the apmib configuration file without authorization, and usernames and passwords can be found in the decoded file. The TOTOLINK EX1200T firmware contains an information disclosure vulnerability. Information may be obtained. TOTOLINK EX1200T is a Wi-Fi range extender from TOTOLINK (China).
VAR-202206-0214 CVE-2021-42893 Vulnerability related to lack of authentication for critical functions in TOTOLINK EX1200T firmware
CVSS V2: 5.0
CVSS V3: 7.5
Severity: HIGH
In TOTOLINK EX1200T V4.1.2cu.5215, an attacker can obtain sensitive information (wifikey, etc.) without authorization through getSysStatusCfg. The TOTOLINK EX1200T firmware contains a vulnerability related to lack of authentication for critical functionality. Information may be obtained. TOTOLINK EX1200T is a Wi-Fi range extender from TOTOLINK (China).
VAR-202206-0218 CVE-2021-42884 TOTOLINK EX1200T Command Injection Vulnerability
CVSS V2: 7.5
CVSS V3: 9.8
Severity: CRITICAL
TOTOLINK EX1200T V4.1.2cu.5215 contains a remote command injection vulnerability in the function setDeviceName of the file global.so, in which an attacker can control the deviceName to carry out the attack. The TOTOLINK EX1200T firmware contains an OS command injection vulnerability. Information may be obtained or tampered with, and service may be interrupted (DoS). TOTOLINK EX1200T is a Wi-Fi range extender from TOTOLINK (China).
VAR-202206-0123 CVE-2021-42888 OS command injection vulnerability in TOTOLINK EX1200T firmware
CVSS V2: 7.5
CVSS V3: 9.8
Severity: CRITICAL
TOTOLINK EX1200T V4.1.2cu.5215 contains a remote command injection vulnerability in the function setLanguageCfg of the file global.so, in which an attacker can control langType to carry out the attack. The TOTOLINK EX1200T firmware contains an OS command injection vulnerability. Information may be obtained or tampered with, and service may be interrupted (DoS). TOTOLINK EX1200T is a Wi-Fi range extender from TOTOLINK (China).
VAR-202206-0004 CVE-2022-26134 Improper neutralization of special elements used to represent language constructs in Atlassian Confluence Data Center and Confluence Server
CVSS V2: 7.5
CVSS V3: 9.8
Severity: CRITICAL
In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance. The affected versions are from 1.3.0 before 7.4.17, from 7.13.0 before 7.13.7, from 7.14.0 before 7.14.3, from 7.15.0 before 7.15.2, from 7.16.0 before 7.16.4, from 7.17.0 before 7.17.4, and from 7.18.0 before 7.18.1. Service may be put into a denial-of-service (DoS) state. Atlassian Confluence Server is a server version of Atlassian's collaboration software with enterprise knowledge management functions and support for building enterprise wikis.
VAR-202206-0054 CVE-2021-42891 Vulnerability related to lack of authentication for critical functions in TOTOLINK EX1200T firmware
CVSS V2: 5.0
CVSS V3: 7.5
Severity: HIGH
In TOTOLINK EX1200T V4.1.2cu.5215, an attacker can obtain sensitive information (wifikey, etc.) without authorization. The TOTOLINK EX1200T firmware contains a vulnerability related to lack of authentication for critical functionality. Information may be obtained. TOTOLINK EX1200T is a Wi-Fi range extender from TOTOLINK (China).
VAR-202206-0222 CVE-2021-42875 OS command injection vulnerability in TOTOLINK EX1200T firmware
CVSS V2: 10.0
CVSS V3: 9.8
Severity: CRITICAL
TOTOLINK EX1200T V4.1.2cu.5215 contains a remote command injection vulnerability in the function setDiagnosisCfg of the file lib/cste_modules/system.so, in which an attacker can control the ipDoamin. The TOTOLINK EX1200T firmware contains an OS command injection vulnerability. Information may be obtained or tampered with, and service may be interrupted (DoS). TOTOLINK EX1200T is a wireless signal booster. An attacker can exploit this vulnerability to control ipDoamin.
VAR-202206-0172 CVE-2022-22556 Resource exhaustion vulnerability in Dell PowerStoreOS
CVSS V2: 7.8
CVSS V3: 7.5
Severity: HIGH
Dell PowerStore contains an Uncontrolled Resource Consumption Vulnerability in the PowerStore User Interface. A remote unauthenticated attacker could potentially exploit this vulnerability, leading to a Denial of Service. Dell PowerStoreOS contains a resource exhaustion vulnerability. Service may be interrupted (DoS). Dell PowerStore all-flash data storage appliances use a data-centric, highly adaptable intelligent infrastructure to deliver AppsON capabilities to transform traditional and modern workloads.
VAR-202206-0048 CVE-2021-42872 OS command injection vulnerability in TOTOLINK EX1200T firmware
CVSS V2: 10.0
CVSS V3: 9.8
Severity: CRITICAL
TOTOLINK EX1200T V4.1.2cu.5215 is affected by a command injection vulnerability that can remotely execute arbitrary code. The TOTOLINK EX1200T firmware contains an OS command injection vulnerability. Information may be obtained or tampered with, and service may be interrupted (DoS). TOTOLINK EX1200T is a Wi-Fi range extender from TOTOLINK (China).
VAR-202206-0171 CVE-2022-26867 Vulnerability in neutralizing formula elements in CSV files in Dell PowerStoreOS
CVSS V2: 6.0
CVSS V3: 8.0
Severity: HIGH
PowerStore SW v2.1.1.0 supports the option to export data to either a CSV or an XLSX file. The data is taken as is, without any validation or sanitization. It allows a malicious, authenticated user to inject payloads that might get interpreted as formulas by the corresponding spreadsheet application that is being used to open the CSV/XLSX file. Dell PowerStoreOS contains a vulnerability regarding the neutralization of formula elements in CSV files. Information may be obtained or tampered with, and service may be interrupted (DoS). Dell PowerStore all-flash data storage appliances use a data-centric, highly adaptable intelligent infrastructure to deliver AppsON capabilities to transform traditional and modern workloads. A formula injection vulnerability exists in Dell PowerStore that could be exploited by attackers to inject payloads.
VAR-202206-0125 CVE-2022-26868 OS command injection vulnerability in Dell PowerStoreOS
CVSS V2: 7.2
CVSS V3: 7.8
Severity: HIGH
Dell EMC PowerStore versions 2.0.0.x, 2.0.1.x, and 2.1.0.x are vulnerable to a command injection flaw. An authenticated attacker could potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the application's underlying OS, with the privileges of the vulnerable application. Exploitation may lead to a system takeover by an attacker. Dell PowerStoreOS contains an OS command injection vulnerability. Information may be obtained or tampered with, and service may be interrupted (DoS). Dell PowerStore all-flash data storage appliances use a data-centric, highly adaptable intelligent infrastructure to deliver AppsON capabilities to transform traditional and modern workloads.
VAR-202206-0406 CVE-2022-29780 Vulnerability in nginx njs
CVSS V2: 2.1
CVSS V3: 5.5
Severity: MEDIUM
Nginx NJS v0.7.2 was discovered to contain a segmentation violation in the function njs_array_prototype_sort at src/njs_array.c. An unspecified vulnerability exists in nginx njs. Service may be interrupted (DoS).
VAR-202206-0057 CVE-2022-22557 Vulnerability regarding insufficient protection of authentication information in Dell PowerStoreOS
CVSS V2: 7.2
CVSS V3: 7.8
Severity: HIGH
PowerStore contains a Plain-Text Password Storage Vulnerability in PowerStore X & T environments running versions 2.0.0.x and 2.0.1.x. A locally authenticated attacker could potentially exploit this vulnerability, leading to the disclosure of certain user credentials. The attacker may be able to use the exposed credentials to access the vulnerable application with privileges of the compromised account. Dell PowerStoreOS contains a vulnerability related to inadequate protection of credentials. Information may be obtained or tampered with, and service may be interrupted (DoS). Dell PowerStore all-flash data storage appliances use a data-centric, highly adaptable intelligent infrastructure to deliver AppsON capabilities to transform traditional and modern workloads. An authorization issue vulnerability exists in Dell PowerStore, which can be exploited by attackers to leak certain user credentials.
VAR-202206-0293 CVE-2022-26866 Cross-site scripting vulnerability in Dell PowerStoreOS
CVSS V2: 3.5
CVSS V3: 5.5
Severity: MEDIUM
Dell PowerStore versions before v2.1.1.0 contain a Stored Cross-Site Scripting vulnerability. A high privileged network attacker could potentially exploit this vulnerability, leading to the storage of malicious HTML or JavaScript code in a trusted application data store. When a victim user accesses the data store through their browser, the malicious code gets executed by the web browser in the context of the vulnerable web application. Exploitation may lead to information disclosure, session theft, or client-side request forgery. Dell PowerStore all-flash data storage appliances use a data-centric, highly adaptable intelligent infrastructure to deliver AppsON capabilities to transform traditional and modern workloads.
VAR-202206-0324 CVE-2022-31463 Owl Labs Meeting Owl Authorization Issue Vulnerability
CVSS V2: 4.3
CVSS V3: 7.1
Severity: HIGH
Owl Labs Meeting Owl 5.2.0.15 does not require a password for Bluetooth commands, because only client-side authentication is used. The device is equipped with an array of cameras and microphones that capture 360-degree video and audio and automatically focus on the speaker, making meetings more dynamic and inclusive. No further vulnerability details are currently provided.
VAR-202206-0380 CVE-2022-31460 Owl Labs Meeting Owl Trust Management Issue Vulnerability
CVSS V2: 3.3
CVSS V3: 7.4
Severity: HIGH
Owl Labs Meeting Owl 5.2.0.15 allows attackers to activate Tethering Mode with hard-coded hoothoot credentials via a certain c 150 value. Owl Labs Meeting Owl is a video conferencing device from Owl Labs in the United States. It is equipped with an array of cameras and microphones that capture 360-degree video and audio and automatically focus on the speaker, making meetings more dynamic and inclusive.
VAR-202206-0282 CVE-2022-30521 Out-of-bounds write vulnerability in D-Link Japan Co., Ltd. DIR-890L firmware
CVSS V2: 10.0
CVSS V3: 9.8
Severity: CRITICAL
The LAN-side web configuration interface has a stack-based buffer overflow vulnerability in the D-Link Wi-Fi router firmware DIR-890L DIR890LA1_FW107b09.bin and previous versions. The function at 0x17958 of /htdocs/cgibin calls sprintf without checking the length of strings in parameters given by the HTTP header, which users can easily control. Attackers can exploit the vulnerability to execute arbitrary code by sending a specially constructed payload to port 49152. An out-of-bounds write vulnerability exists in the D-Link Japan Co., Ltd. DIR-890L firmware. Information may be obtained or tampered with, and service may be interrupted (DoS). D-Link DIR-890L is a wireless router. The D-Link DIR-890L has a binary vulnerability that an attacker can exploit to gain control of the server.