VARIoT IoT vulnerabilities database
| VAR-202112-2072 | CVE-2021-45379 | Authentication vulnerability in Glewlwyd | CVSS V2: 6.5 | CVSS V3: 8.8 | Severity: HIGH |
Glewlwyd 2.0.0, fixed in 2.6.1, is affected by an incorrect access control vulnerability. One user can attempt to log in as another user without that user's password. Glewlwyd contains an authentication vulnerability. Information may be obtained, information may be tampered with, and service operation may be interrupted (DoS). Glewlwyd is a single sign-on server supporting OAuth2, OpenID Connect, multi-factor authentication, HOTP/TOTP, FIDO2, TLS certificates, etc., which can be extended through plugins.
Glewlwyd has an access control vulnerability related to a logic check in the affected versions. An attacker can exploit this vulnerability to obtain account information.
| VAR-202112-2062 | CVE-2021-20155 | Use of hard-coded credentials vulnerability in Trendnet AC2600 TEW-827DRU | CVSS V2: 7.5 | CVSS V3: 9.8 | Severity: CRITICAL |
Trendnet AC2600 TEW-827DRU version 2.08B01 makes use of hardcoded credentials. It is possible to back up and restore device configurations via the management web interface. These configuration backups are encrypted using a hardcoded password of "12345678". Trendnet AC2600 TEW-827DRU contains a use of hard-coded credentials vulnerability. Information may be obtained, information may be tampered with, and service operation may be interrupted (DoS). Trendnet AC2600 TEW-827DRU is a wireless router.
| VAR-202112-2060 | CVE-2021-20157 | Unspecified vulnerability in TEW-827DRU firmware | CVSS V2: 7.8 | CVSS V3: 7.5 | Severity: HIGH |
It is possible for an unauthenticated, malicious user to force the device to reboot due to a hidden administrative command. The TEW-827DRU firmware contains an unspecified vulnerability. Service operation may be interrupted (DoS). Trendnet AC2600 TEW-827DRU is a wireless router.
| VAR-202112-2071 | CVE-2021-20132 | D-Link DIR-2640 trust management issue vulnerability | CVSS V2: 8.3 | CVSS V3: 8.8 | Severity: HIGH |
Quagga services on D-Link DIR-2640 versions up to and including 1.11B02 use default hard-coded credentials, which can allow a remote attacker to gain administrative access to the zebra or ripd services. Both run with root privileges on the router (i.e., as the "admin" user, UID 0). D-Link DIR-2640 contains a use of hard-coded credentials vulnerability. Information may be obtained, information may be tampered with, and service operation may be interrupted (DoS). D-Link DIR-2640 is a high-power Wi-Fi router from D-Link, a Taiwanese company.
| VAR-202112-2058 | CVE-2021-20159 | OS command injection vulnerability in Trendnet AC2600 TEW-827DRU | CVSS V2: 9.0 | CVSS V3: 8.8 | Severity: HIGH |
Trendnet AC2600 TEW-827DRU version 2.08B01 is vulnerable to command injection. The system log functionality of the firmware allows for command injection as root by supplying a malformed parameter. Trendnet AC2600 TEW-827DRU contains an OS command injection vulnerability. Information may be obtained, information may be tampered with, and service operation may be interrupted (DoS). Trendnet AC2600 TEW-827DRU is a wireless router.
| VAR-202112-2048 | CVE-2021-20169 | Cleartext transmission of sensitive information vulnerability in Netgear RAX43 | CVSS V2: 7.2 | CVSS V3: 6.8 | Severity: MEDIUM |
Netgear RAX43 version 1.0.3.96 does not utilize secure communications to the web interface. By default, all communication to/from the device is sent via HTTP, which causes potentially sensitive information (such as usernames and passwords) to be transmitted in cleartext. Netgear RAX43 contains a cleartext transmission of sensitive information vulnerability. Information may be obtained, information may be tampered with, and service operation may be interrupted (DoS). Netgear RAX43 is a wireless router from Netgear. No detailed vulnerability information is currently available.
| VAR-202112-2070 | CVE-2021-20133 | D-Link DIR-2640 path traversal vulnerability | CVSS V2: 7.1 | CVSS V3: 6.1 | Severity: MEDIUM |
Quagga services on D-Link DIR-2640 versions up to and including 1.11B02 are affected by an absolute path traversal vulnerability that allows a remote, authenticated attacker to set the "message of the day" banner to any file on the system, allowing them to read all or some of the contents of those files. Sensitive information such as hashed credentials, hardcoded plaintext passwords for other services, configuration files, and private keys can be disclosed in this fashion. Improper handling of filenames that identify virtual resources, such as "/dev/urandom", allows an attacker to carry out a denial-of-service attack against the command line interfaces of the Quagga services (zebra and ripd). D-Link DIR-2640 contains a path traversal vulnerability. Information may be obtained and service operation may be interrupted (DoS). D-Link DIR-2640 is a high-power Wi-Fi router from D-Link, a Taiwanese company.
D-Link DIR-2640 has a security vulnerability that remote attackers can exploit by submitting crafted requests to read the contents of system files in the context of the application.
| VAR-202112-2050 | CVE-2021-20167 | Netgear RAX43 command injection vulnerability | CVSS V2: 7.7 | CVSS V3: 8.0 | Severity: HIGH |
Netgear RAX43 version 1.0.3.96 contains a command injection vulnerability. The readycloud CGI application is vulnerable to command injection in the name parameter. Service operation may be interrupted (DoS). Netgear RAX43 is a wireless router from Netgear. No detailed vulnerability information is currently available.
| VAR-202112-2054 | CVE-2021-20163 | Insufficiently protected credentials vulnerability in Trendnet AC2600 TEW-827DRU | CVSS V2: 4.0 | CVSS V3: 4.9 | Severity: MEDIUM |
Trendnet AC2600 TEW-827DRU version 2.08B01 leaks information via the FTP web page. Usernames and passwords for all FTP users are revealed in plaintext on the ftpserver.asp page. Trendnet AC2600 TEW-827DRU contains an insufficiently protected credentials vulnerability. Information may be obtained. Trendnet AC2600 TEW-827DRU is a wireless router.
| VAR-202112-2049 | CVE-2021-20168 | Authentication vulnerability in Netgear RAX43 | CVSS V2: 7.2 | CVSS V3: 6.8 | Severity: MEDIUM |
Netgear RAX43 version 1.0.3.96 does not have sufficient protections on the UART interface. A malicious actor with physical access to the device is able to connect to the UART port via a serial connection, log in with default credentials, and execute commands as the root user. These default credentials are admin:admin. Netgear RAX43 contains an authentication vulnerability. Information may be obtained, information may be tampered with, and service operation may be interrupted (DoS). Netgear RAX43 is a wireless router from Netgear. No detailed vulnerability information is currently available.
| VAR-202112-2053 | CVE-2021-20164 | Insufficiently protected credentials vulnerability in Trendnet AC2600 TEW-827DRU | CVSS V2: 4.0 | CVSS V3: 4.9 | Severity: MEDIUM |
Trendnet AC2600 TEW-827DRU version 2.08B01 improperly discloses credentials for the SMB functionality of the device. Usernames and passwords for all SMB users are revealed in plaintext on the smbserver.asp page. Trendnet AC2600 TEW-827DRU contains an insufficiently protected credentials vulnerability. Information may be obtained. Trendnet AC2600 TEW-827DRU is a wireless router.
An information disclosure vulnerability exists in the Trendnet AC2600 TEW-827DRU that stems from improperly disclosing credentials for the device's SMB capabilities. An attacker can exploit the vulnerability to view the username and password of all SMB users in clear text on the smbserver.asp page.
| VAR-202112-2063 | CVE-2021-20154 | Cleartext transmission of sensitive information vulnerability in Trendnet AC2600 TEW-827DRU | CVSS V2: 4.3 | CVSS V3: 7.5 | Severity: HIGH |
Trendnet AC2600 TEW-827DRU version 2.08B01 contains a security flaw in the web interface. HTTPS is not enabled on the device by default. This results in cleartext transmission of sensitive information such as passwords. Trendnet AC2600 TEW-827DRU is a wireless router.
| VAR-202112-2043 | CVE-2021-20174 | Netgear Nighthawk R6700 information disclosure vulnerability | CVSS V2: 5.0 | CVSS V3: 7.5 | Severity: HIGH |
Netgear Nighthawk R6700 version 1.0.4.120 does not utilize secure communication methods to the web interface. By default, all communication to/from the device's web interface is sent via HTTP, which causes potentially sensitive information (such as usernames and passwords) to be transmitted in cleartext. Netgear Nighthawk R6700 contains a cleartext transmission of sensitive information vulnerability. Information may be obtained. Netgear Nighthawk R6700 is a wireless router from Netgear. An attacker can obtain sensitive information through this vulnerability.
| VAR-202112-2064 | CVE-2021-20153 | Link interpretation vulnerability in Trendnet AC2600 TEW-827DRU | CVSS V2: 6.9 | CVSS V3: 6.8 | Severity: MEDIUM |
Trendnet AC2600 TEW-827DRU version 2.08B01 contains a symlink vulnerability in the BitTorrent functionality. If enabled, the BitTorrent functionality is vulnerable to a symlink attack that could lead to remote code execution on the device. If an end user inserts a flash drive with a malicious symlink on it that the BitTorrent client can write downloads to, then a user is able to download arbitrary files to any desired location on the device's filesystem, which could lead to remote code execution. Example directories vulnerable to this include "config", "downloads", and "torrents", though it should be noted that "downloads" is the only vector that allows arbitrary files to be downloaded to arbitrary locations. Trendnet AC2600 TEW-827DRU contains a link interpretation vulnerability. Information may be obtained, information may be tampered with, and service operation may be interrupted (DoS). Trendnet AC2600 TEW-827DRU is a wireless router.
| VAR-202112-2047 | CVE-2021-20170 | Use of hard-coded credentials vulnerability in Netgear RAX43 | CVSS V2: 6.5 | CVSS V3: 8.8 | Severity: HIGH |
Netgear RAX43 version 1.0.3.96 makes use of hardcoded credentials. It does not appear that normal users are intended to be able to manipulate configuration backups, because the backups are encrypted. This encryption is accomplished via a password-protected zip file with a hardcoded password (RAX50w!a4udk). By unzipping the configuration using this password, a user can reconfigure settings not intended to be manipulated, re-zip the configuration, and restore the backup, causing these settings to be changed. Netgear RAX43 contains a use of hard-coded credentials vulnerability. Information may be obtained, information may be tampered with, and service operation may be interrupted (DoS). Netgear RAX43 is a wireless router from Netgear. No detailed vulnerability information is currently available.
| VAR-202112-2067 | CVE-2021-20150 | Missing authentication for critical function vulnerability in Trendnet AC2600 TEW-827DRU | CVSS V2: 5.0 | CVSS V3: 5.3 | Severity: MEDIUM |
Trendnet AC2600 TEW-827DRU version 2.08B01 improperly discloses information via redirection from the setup wizard. Authentication can be bypassed and a user may view information as Admin by manually browsing to the setup wizard and forcing it to redirect to the desired page. Trendnet AC2600 TEW-827DRU contains a missing authentication for critical function vulnerability. Information may be obtained. Trendnet AC2600 TEW-827DRU is a wireless router.
| VAR-202112-2038 | CVE-2021-45732 | Use of hard-coded credentials vulnerability in Netgear Nighthawk R6700 | CVSS V2: 6.5 | CVSS V3: 8.8 | Severity: HIGH |
Netgear Nighthawk R6700 version 1.0.4.120 makes use of a hardcoded credential. It does not appear that normal users are intended to be able to manipulate configuration backups, because the backups are encrypted/obfuscated. By extracting the configuration using readily available public tools, a user can reconfigure settings not intended to be manipulated, repackage the configuration, and restore the backup, causing these settings to be changed. Netgear Nighthawk R6700 contains a use of hard-coded credentials vulnerability. Information may be obtained, information may be tampered with, and service operation may be interrupted (DoS). The Netgear Nighthawk R6700 is a wireless router from Netgear.
The Netgear Nighthawk R6700 has an encryption issue vulnerability that stems from the product not effectively encrypting configuration files.
| VAR-202112-2046 | CVE-2021-20171 | Cleartext storage of sensitive information vulnerability in Netgear RAX43 | CVSS V2: 2.1 | CVSS V3: 5.5 | Severity: MEDIUM |
Netgear RAX43 version 1.0.3.96 stores sensitive information in plaintext. All usernames and passwords for the device's associated services are stored in plaintext on the device. For example, the admin password is stored in plaintext in the primary configuration file on the device. Netgear RAX43 is a wireless router from Netgear. No detailed vulnerability information is currently available.
| VAR-202112-2045 | CVE-2021-20172 | Incorrect permission assignment for critical resource vulnerability in Netgear Genie Installer for macOS | CVSS V2: 7.2 | CVSS V3: 7.8 | Severity: HIGH |
All known versions of the Netgear Genie Installer for macOS contain a local privilege escalation vulnerability. The installer of the macOS version of Netgear Genie handles certain files in an insecure way. A malicious actor who has local access to the endpoint on which the software is going to be installed may overwrite certain files to escalate privileges to root. Service operation may be interrupted (DoS). Netgear Genie is a program from Netgear that presents itself as a dashboard.
| VAR-202112-2004 | CVE-2021-35034 | Zyxel NBG6604 firmware session expiration vulnerability | CVSS V2: 6.4 | CVSS V3: 9.1 | Severity: CRITICAL |
An insufficient session expiration vulnerability in the CGI program of the Zyxel NBG6604 firmware could allow a remote attacker to access the device if the correct token can be intercepted. The Zyxel NBG6604 firmware contains a session expiration vulnerability. Information may be obtained and information may be tampered with. The Zyxel NBG6604 is a dual-band wireless router from China's Zyxel Technology (Zyxel). No detailed vulnerability information is currently available.