VARIoT IoT vulnerabilities database
| VAR-202203-2058 | CVE-2021-43661 | TOTOLINK of ex300 v2 Cross-site scripting vulnerability in firmware |
CVSS V2: 4.3 CVSS V3: 6.1 Severity: MEDIUM |
totolink EX300_v2 V4.0.3c.140_B20210429 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the component /home.asp. TOTOLINK of ex300 v2 Firmware has a cross-site scripting vulnerability.Information may be obtained and information may be tampered with. TotoLink EX300 is a 300 Mbps wireless N range extender from China TotoLink Company
| VAR-202203-1830 | CVE-2021-46010 | TOTOLINK of A3100R Insufficient Random Value Usage Vulnerability in Firmware |
CVSS V2: 6.5 CVSS V3: 8.8 Severity: HIGH |
Totolink A3100R V5.9c.4577 suffers from Use of Insufficiently Random Values via the web configuration. The SESSION_ID is predictable. An attacker can hijack a valid session and conduct further malicious operations. TOTOLINK of A3100R A vulnerability exists in the firmware regarding the use of insufficient random values.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. TotoLink A3100R is a series of wireless routers from TotoLink, a Taiwanese company
| VAR-202203-1779 | CVE-2021-44310 | firmware analysis and comparison tool project Cross-site scripting vulnerability in |
CVSS V2: 3.5 CVSS V3: 4.8 Severity: MEDIUM |
An issue was discovered in Firmware Analysis and Comparison Tool v3.2. With administrator privileges, the attacker could perform stored XSS attacks by inserting JavaScript and HTML code in user creation functionality. The vulnerability stems from the lack of data validation and filtering of user-provided data and output in the user creation function
| VAR-202203-1766 | CVE-2021-46006 | TOTOLINK of A3100R Vulnerability related to lack of authentication for critical functions in firmware |
CVSS V2: 4.0 CVSS V3: 6.5 Severity: MEDIUM |
In Totolink A3100R V5.9c.4577, "test.asp" contains an API-like function, which is not authenticated. Using this function, an attacker can configure multiple settings without authentication. TOTOLINK of A3100R Firmware has a lack of authentication vulnerability for critical functionality.Information may be tampered with. TotoLink A3100R is a series of wireless routers from TotoLink in Taiwan, China
TotoLink A3100R V5.9c.4577 has an access control error vulnerability
| VAR-202203-1928 | CVE-2022-25008 | TOTOLINK of ex300 v2 firmware and ex1200t Vulnerability related to lack of authentication for critical functions in firmware |
CVSS V2: 5.8 CVSS V3: 8.8 Severity: HIGH |
totolink EX300_v2 V4.0.3c.140_B20210429 and EX1200T V4.1.2cu.5230_B20210706 does not contain an authentication mechanism. TOTOLINK of ex300 v2 firmware and ex1200t Firmware has a lack of authentication vulnerability for critical functionality.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. TOTOLINK EX300 is a 300 Mbps wireless N range extender from China TotoLink company, TOTOLINK EX1200T is a Wi-Fi range extender from China TOTOLINK company.
An access control error vulnerability exists in TOTOLINK EX300_v2 and EX1200T. The vulnerability stems from the device web server not performing any authentication, allowing an attacker to access the web ui and perform any actions
| VAR-202203-2038 | CVE-2021-43663 | TOTOLINK of ex300 v2 Command injection vulnerability in firmware |
CVSS V2: 7.9 CVSS V3: 7.5 Severity: HIGH |
totolink EX300_v2 V4.0.3c.140_B20210429 was discovered to contain a command injection vulnerability via the component cloudupdate_check. TOTOLINK of ex300 v2 Firmware contains a command injection vulnerability.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. TotoLink EX300 is a 300 Mbps wireless N range extender from TotoLink in China
| VAR-202203-1983 | CVE-2021-46009 | Totolink A3100R Access Control Error Vulnerability |
CVSS V2: 10.0 CVSS V3: 9.8 Severity: CRITICAL |
In Totolink A3100R V5.9c.4577, multiple pages can be read by curl or Burp Suite without authentication. Additionally, admin configurations can be set without cookies. TOTOLINK of A3100R Firmware has a lack of authentication vulnerability for critical functionality.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. TotoLink A3100R is a series of wireless routers from TotoLink, a Taiwanese company.
TotoLink A3100R V5.9c.4577 version has an access control error vulnerability
| VAR-202203-1706 | CVE-2019-12266 | plural wyze Out-of-bounds write vulnerabilities in the product |
CVSS V2: 10.0 CVSS V3: 9.8 Severity: CRITICAL |
Stack-based Buffer Overflow vulnerability in Wyze Cam Pan v2, Cam v2, Cam v3 allows an attacker to run arbitrary code on the affected device. This issue affects: Wyze Cam Pan v2 versions prior to 4.49.1.47. Wyze Cam v2 versions prior to 4.9.8.1002. Wyze Cam v3 versions prior to 4.36.8.32. (DoS) It may be in a state
| VAR-202203-2120 | No CVE | Binary Vulnerability in Arista VEOS (CNVD-2022-18744) |
CVSS V2: 4.9 CVSS V3: - Severity: MEDIUM |
Arista Networks is one of the leading manufacturers of networking equipment for large data centers, high performance computing systems and cloud networking solutions.
Arista VEOS has a binary vulnerability that could be exploited by an attacker to cause a denial of service attack.
| VAR-202203-2112 | No CVE | Arista VEOS Exists Binary Vulnerability (CNVD-2022-18741) |
CVSS V2: 4.9 CVSS V3: - Severity: MEDIUM |
Arista Networks is one of the leading manufacturers of networking equipment for large data centers, high performance computing systems and cloud networking solutions.
Arista VEOS has a binary vulnerability that can be exploited by an attacker to cause a denial of service attack.
| VAR-202203-2109 | No CVE | Binary Vulnerability in Arista VEOS (CNVD-2022-18738) |
CVSS V2: 4.9 CVSS V3: - Severity: MEDIUM |
Arista Networks is one of the leading manufacturers of networking equipment for large data centers, high performance computing systems and cloud networking solutions.
Arista VEOS has a binary vulnerability that can be exploited by an attacker to cause a denial of service attack.
| VAR-202203-2108 | No CVE | Binary Vulnerability in Arista VEOS (CNVD-2022-18739) |
CVSS V2: 4.9 CVSS V3: - Severity: MEDIUM |
Arista Networks is one of the leading manufacturers of networking equipment for large data centers, high performance computing systems and cloud networking solutions.
Arista VEOS has a binary vulnerability that could be exploited by an attacker to cause a denial of service attack.
| VAR-202203-2106 | No CVE | Arista VEOS Exists Binary Vulnerability (CNVD-2022-18743) |
CVSS V2: 4.9 CVSS V3: - Severity: MEDIUM |
Arista Networks is one of the leading manufacturers of networking equipment for large data centers, high performance computing systems and cloud networking solutions.
Arista VEOS has a binary vulnerability that could be exploited by an attacker to cause a denial of service attack.
| VAR-202203-2103 | No CVE | Binary Vulnerability in Arista VEOS (CNVD-2022-18740) |
CVSS V2: 4.9 CVSS V3: - Severity: MEDIUM |
Arista Networks is one of the leading manufacturers of networking equipment for large data centers, high performance computing systems and cloud networking solutions.
Arista VEOS has a binary vulnerability that can be exploited by an attacker to cause a denial of service attack.
| VAR-202203-2102 | No CVE | Binary Vulnerability in Arista VEOS (CNVD-2022-18742) |
CVSS V2: 4.9 CVSS V3: - Severity: MEDIUM |
Arista Networks is one of the leading manufacturers of networking equipment for large data centers, high performance computing systems and cloud networking solutions.
Arista VEOS has a binary vulnerability that could be exploited by an attacker to cause a denial of service attack.
| VAR-202203-2121 | No CVE | Binary Vulnerability in Arista VEOS |
CVSS V2: 4.9 CVSS V3: - Severity: MEDIUM |
Arista Networks is one of the leading manufacturers of networking equipment for large data centers, high performance computing systems and cloud networking solutions.
Arista VEOS has a binary vulnerability that could be exploited by an attacker to cause a denial of service attack.
| VAR-202203-1938 | CVE-2022-23136 | ZTE ZXHN F680 cross-site scripting vulnerability |
CVSS V2: 3.5 CVSS V3: 5.4 Severity: MEDIUM |
There is a stored XSS vulnerability in ZTE home gateway product. An attacker could modify the gateway name by inserting special characters and trigger an XSS attack when the user views the current topology of the device through the management page. ZTE of zxhn f680 Firmware has a cross-site scripting vulnerability.Information may be obtained and information may be tampered with. This vulnerability is caused by the lack of data verification filtering for user-provided data and output in the gateway name
| VAR-202203-1929 | CVE-2021-23851 | plural Robert Bosch GmbH Classic buffer overflow vulnerability in the product |
CVSS V2: 6.5 CVSS V3: 7.2 Severity: HIGH |
A specially crafted TCP/IP packet may cause the camera recovery image web interface to crash. It may also cause a buffer overflow which could enable remote code execution. The recovery image can only be booted with administrative rights or with physical access to the camera and allows the upload of a new firmware in case of a damaged firmware. autodome ip 4000i firmware, autodome ip 5000i firmware, autodome ip starlight 5000i firmware etc. Robert Bosch GmbH The product contains a classic buffer overflow vulnerability.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state
| VAR-202203-1707 | CVE-2021-23850 | plural Robert Bosch GmbH Classic buffer overflow vulnerability in the product |
CVSS V2: 6.5 CVSS V3: 7.2 Severity: HIGH |
A specially crafted TCP/IP packet may cause a camera recovery image telnet interface to crash. It may also cause a buffer overflow which could enable remote code execution. The recovery image can only be booted with administrative rights or with physical access to the camera and allows the upload of a new firmware in case of a damaged firmware. autodome ip 4000i firmware, autodome ip 5000i firmware, autodome ip starlight 5000i firmware etc. Robert Bosch GmbH The product contains a classic buffer overflow vulnerability.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state
| VAR-202203-1571 | CVE-2022-27641 | Integer overflow vulnerability in multiple Netgear products |
CVSS V2: 8.3 CVSS V3: 8.8 Severity: HIGH |
This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of NETGEAR R6700v3 1.0.4.120_10.0.91 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the NetUSB module. The issue results from the lack of proper validation of user-supplied data, which can result in an integer overflow before allocating a buffer. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-15806. D7800 firmware, EX6200 firmware, EX8000 Multiple Netgear products, including firmware, contain an integer overflow vulnerability.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. The NETGEAR R6700v3 is a Nighthawk AC1750 Smart Dual-Band Gigabit Router from NETGEAR.
The NETGEAR R6700v3 suffers from an input validation vulnerability that fails to properly validate user-supplied data