VARIoT IoT vulnerabilities database

Email Server Certificate Verification Disabled.This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5. Azure Access Technology BLU-IC2 and Azure Access Technology BLU-IC4 are both network access controllers from Azure Access Technology, Inc., a US-based company. Both Azure Access Technology BLU-IC2 and Azure Access Technology BLU-IC4 contain a security vulnerability stemming from the disabling of email server certificate verification. Attackers could exploit this vulnerability to launch a man-in-the-middle attack

Insufficient Password Policy.This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5. Azure Access Technology BLU-IC2 and Azure Access Technology BLU-IC4 are both network access controllers from Azure Access Technology, Inc., a US-based company. Both Azure Access Technology BLU-IC2 and Azure Access Technology BLU-IC4 contain a security vulnerability stemming from insufficient password policies. Detailed vulnerability information is not currently available

Sensitive data exposure via logging in basic-auth leads to plaintext usernames and passwords written to error logs and forwarded to log sinks when log level is INFO/DEBUG. This creates a high risk of credential compromise through log access. It has been fixed in the following commit:  https://github.com/apache/apisix/pull/12629 Users are recommended to upgrade to version 3.14, which fixes this issue.

A buffer overflow in the UPnP service of Tenda AC8 Hardware v03.03.10.01 allows attackers to cause a Denial of Service (DoS) via supplying a crafted packet. The Tenda AC8 is a wireless router manufactured by Tenda, a Chinese company. The Tenda AC8 Hardware version v03.03.10.01 contains a buffer overflow vulnerability. This vulnerability stems from a boundary error in the UPnP service when processing untrusted input. An attacker could exploit this vulnerability to execute arbitrary code on the system or cause a denial-of-service attack

Dell Secure Connect Gateway (SCG) 5.0 Application and Appliance version(s) 5.26.00.00 - 5.30.00.00, contain a Relative Path Traversal vulnerability in the SCG exposed for an internal collection download REST API (if this REST API is enabled by Admin user from UI). A low privileged attacker with remote access could potentially exploit this vulnerability, leading to allowing relative path traversal to restricted resources. Dell Secure Connect Gateway is an enterprise-grade secure connectivity gateway device from Dell, primarily used to monitor hardware status, automatically create support requests, and ensure secure communication between devices and Dell backend services

Credits Page not Matching Versions in Use in the FirmwareThis issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5 . Azure Access Technology BLU-IC2 and Azure Access Technology BLU-IC4 are both network access controllers from Azure Access Technology, Inc., a US-based company. Both Azure Access Technology BLU-IC2 and Azure Access Technology BLU-IC4 contain a security vulnerability stemming from a firmware version mismatch. Detailed vulnerability information is not currently available

Lack of Graceful Error Handling - HTTP 5xx ErrorThis issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5 . Azure Access Technology BLU-IC2 and Azure Access Technology BLU-IC4 are both network access controllers from Azure Access Technology, Inc., a US-based company. Both Azure Access Technology BLU-IC2 and Azure Access Technology BLU-IC4 contain a denial-of-service vulnerability stemming from a lack of graceful error handling

Systemic Internal Server Errors - HTTP 500 ResponseThis issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5 . Azure Access Technology BLU-IC2 and Azure Access Technology BLU-IC4 are both network access controllers from Azure Access Technology, Inc., a US-based company. Both Azure Access Technology BLU-IC2 and Azure Access Technology BLU-IC4 contain a denial-of-service vulnerability stemming from an internal server error. An attacker could exploit this vulnerability to cause an HTTP 500 response

Systemic Lack of Cross-Site Request Forgery (CSRF) Token Implementation.This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5 . Azure Access Technology BLU-IC2 and Azure Access Technology BLU-IC4 are both network access controllers from Azure Access Technology, Inc., a US-based company. Both Azure Access Technology BLU-IC2 and Azure Access Technology BLU-IC4 contain a cross-site request forgery (XPS) vulnerability caused by improper validation of user-provided input. An attacker could exploit this vulnerability to perform unauthorized actions by sending malformed HTTP requests

Non-Compliant TLS Configuration.This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5 . Azure Access Technology BLU-IC2 and Azure Access Technology BLU-IC4 are both network access controllers from Azure Access Technology, Inc., a US-based company. Both Azure Access Technology BLU-IC2 and Azure Access Technology BLU-IC4 contain a security vulnerability stemming from non-compliant TLS configuration. Detailed vulnerability information is not currently available

Server Version Disclosure.This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5 . Azure Access Technology BLU-IC2 and Azure Access Technology BLU-IC4 are both network access controllers from Azure Access Technology, Inc., a US-based company. Both Azure Access Technology BLU-IC2 and Azure Access Technology BLU-IC4 contain an information disclosure vulnerability caused by incorrect authentication. Attackers could exploit this vulnerability to obtain server version information

Resource Lacking AuthN.This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5 . Azure Access Technology BLU-IC2 and Azure Access Technology BLU-IC4 are both network access controllers from Azure Access Technology, Inc., a US-based company. Both Azure Access Technology BLU-IC2 and Azure Access Technology BLU-IC4 contain a security vulnerability stemming from a lack of authentication. Attackers could exploit this vulnerability to obtain sensitive information

Local Privilege Escalation.This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5 . Azure Access Technology BLU-IC2 and Azure Access Technology BLU-IC4 are both network access controllers from Azure Access Technology, Inc., a US-based company. Both Azure Access Technology BLU-IC2 and Azure Access Technology BLU-IC4 contain a privilege escalation vulnerability caused by improper privilege management. An attacker could exploit this vulnerability to achieve local privilege escalation

Privilege Escalation through SUID-bit Binary.This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5 . Azure Access Technology BLU-IC2 and Azure Access Technology BLU-IC4 are both network access controllers from Azure Access Technology, Inc., a US-based company. Both Azure Access Technology BLU-IC2 and Azure Access Technology BLU-IC4 contain a privilege escalation vulnerability caused by improper privilege management in the SUID bit binary. An attacker could exploit this vulnerability to gain elevated privileges on the system

Protocol manipulation might lead to denial of service.This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5 . Azure Access Technology BLU-IC2 and Azure Access Technology BLU-IC4 are both network access controllers from Azure Access Technology, Inc., a US-based company. Both Azure Access Technology BLU-IC2 and Azure Access Technology BLU-IC4 contain a denial-of-service vulnerability caused by an uncaught exception during protocol operation. An attacker could exploit this vulnerability to cause a denial-of-service attack

Vulnerable Upgrade Feature (Arbitrary File Write) may lead to obtaining super user permissions on board.This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5. Azure Access Technology BLU-IC2 and Azure Access Technology BLU-IC4 are both network access controllers from Azure Access Technology, Inc., a US-based company. Both Azure Access Technology BLU-IC2 and Azure Access Technology BLU-IC4 contain a privilege escalation vulnerability caused by an arbitrary file write flaw in the escalation feature. An attacker could exploit this vulnerability to gain escalated privileges on the system

A flaw has been found in Tenda CH22 1.0.0.1. Affected by this issue is the function fromNatStaticSetting of the file /goform/NatStaticSetting. Executing manipulation of the argument page can lead to buffer overflow. It is possible to launch the attack remotely. The exploit has been published and may be used. The Tenda CH22 is a network device manufactured by Tenda, a Chinese company. Version 1.0.0.1 of the Tenda CH22 contains a buffer overflow vulnerability. This vulnerability stems from the fact that the `page` parameter of the function `fromNatStaticSetting` in the file `/goform/NatStaticSetting` fails to properly validate the length of the input data. Attackers could exploit this vulnerability to execute arbitrary code on the system or cause a denial-of-service attack

Error Messages Wrapped In HTTP Header.This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5. Azure Access Technology BLU-IC2 and Azure Access Technology BLU-IC4 are both network access controllers from Azure Access Technology, Inc., a US-based company. Both Azure Access Technology BLU-IC2 and Azure Access Technology BLU-IC4 contain an information disclosure vulnerability caused by an error message wrapped in the HTTP header. An attacker could exploit this vulnerability to obtain sensitive information

Weak Password Policy.This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5. Azure Access Technology BLU-IC2 and Azure Access Technology BLU-IC4 are both network access controllers from Azure Access Technology, Inc., a US-based company. Both Azure Access Technology BLU-IC2 and Azure Access Technology BLU-IC4 contain a security vulnerability stemming from a weak password policy. Detailed vulnerability information is not currently available

Email Password Disclosure.This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5. Azure Access Technology BLU-IC2 and Azure Access Technology BLU-IC4 are both network access controllers from Azure Access Technology, Inc., a US-based company. Both Azure Access Technology BLU-IC2 and Azure Access Technology BLU-IC4 contain an information disclosure vulnerability caused by improper authorization verification. An attacker could exploit this vulnerability to obtain email password information