VARIoT IoT vulnerabilities database


VAR-202110-1631 CVE-2021-37734 Aruba Instant path traversal vulnerability
CVSS V2: 4.0
CVSS V3: 6.5
Severity: MEDIUM
A remote unauthorized read access to files vulnerability was discovered in Aruba Instant version(s): 6.4.x.x: 6.4.4.8-4.2.4.18 and below; Aruba Instant 6.5.x.x: 6.5.4.19 and below; Aruba Instant 8.5.x.x: 8.5.0.12 and below; Aruba Instant 8.6.x.x: 8.6.0.11 and below; Aruba Instant 8.7.x.x: 8.7.1.3 and below; Aruba Instant 8.8.x.x: 8.8.0.0 and below. Aruba has released patches for Aruba Instant (IAP) that address this security vulnerability. Aruba Instant provides the only Wi-Fi solution that is easy to set up. Aruba Instant has a path traversal vulnerability, which stems from an input validation error when processing a directory traversal sequence in the Instant command line interface. An attacker can use the vulnerability to view the contents of any file on the system.

VAR-202110-0993 CVE-2021-38434 FATEK Automation WinProladder unexpected sign extension vulnerability
CVSS V2: 6.8
CVSS V3: 7.8
Severity: HIGH
FATEK Automation WinProladder versions 3.30 and prior lack proper validation of user-supplied data when parsing project files, which could result in an unexpected sign extension. An attacker could leverage this vulnerability to execute arbitrary code. A denial-of-service (DoS) state may result. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of PDW files. An unexpected sign extension can result in a write outside the bounds of an allocated buffer. FATEK Automation WinProladder is a PLC of China FATEK Automation Company.

VAR-202110-0961 CVE-2021-38472 InHand Networks IR615 Router vulnerability in improperly limiting rendered user interface layers or frames
CVSS V2: 4.3
CVSS V3: 4.7
Severity: MEDIUM
The management portal of InHand Networks IR615 Router versions 2.3.0.r4724 and 2.3.0.r4870 does not contain an X-FRAME-OPTIONS header, which an attacker may take advantage of by sending a link to an administrator that frames the router’s management portal and could lure the administrator to perform changes. InHand Networks IR615 Router contains a vulnerability regarding improper restrictions on rendered user interface layers or frames. Information may be tampered with. Ruimu Technology IR615 Router is a 4G industrial router of China Ruimu Technology Company.

VAR-202110-0963 CVE-2021-38468 InHand Networks IR615 Router cross-site scripting vulnerability
CVSS V2: 3.5
CVSS V3: 4.8
Severity: MEDIUM
InHand Networks IR615 Router versions 2.3.0.r4724 and 2.3.0.r4870 are vulnerable to stored cross-site scripting, which may allow an attacker to hijack sessions of users connected to the system. A cross-site scripting vulnerability exists in InHand Networks IR615 Router. Information may be obtained and information may be tampered with. Ruimu Technology IR615 Router is a 4G industrial router of China Ruimu Technology Company.

VAR-202110-0991 CVE-2021-38438 FATEK Automation WinProladder resource management error vulnerability
CVSS V2: 6.8
CVSS V3: 7.8
Severity: HIGH
A use after free vulnerability in FATEK Automation WinProladder versions 3.30 and prior may be exploited when a valid user opens a malformed project file, which may allow arbitrary code execution. A vulnerability related to the use of freed memory exists in FATEK Automation WinProladder. Information may be obtained, information may be tampered with, and service operation may be interrupted (DoS). This vulnerability allows remote attackers to execute arbitrary code on affected installations of Fatek Automation WinProladder. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of PDW files. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. FATEK Automation WinProladder is a PLC of China FATEK Automation Company.

VAR-202110-1663 CVE-2021-37735 Aruba Instant format string error vulnerability
CVSS V2: 5.0
CVSS V3: 5.3
Severity: MEDIUM
A remote denial of service vulnerability was discovered in Aruba Instant version(s): Aruba Instant 6.5.x.x: 6.5.4.18 and below; Aruba Instant 8.5.x.x: 8.5.0.10 and below; Aruba Instant 8.6.x.x: 8.6.0.4 and below. Aruba has released patches for Aruba Instant (IAP) that address this security vulnerability.

VAR-202110-0958 CVE-2021-38480 IR615 Router cross-site request forgery vulnerability
CVSS V2: 9.3
CVSS V3: 8.8
Severity: HIGH
InHand Networks IR615 Router versions 2.3.0.r4724 and 2.3.0.r4870 are vulnerable to cross-site request forgery when unauthorized commands are submitted from a user the web application trusts. This may allow an attacker to remotely perform actions on the router’s management portal, such as making configuration changes, changing administrator credentials, and running system commands on the router. A denial-of-service (DoS) state may result. Ruimu Technology IR615 Router is a 4G industrial router of China Ruimu Technology Company. IR615 Router has a cross-site request forgery vulnerability.

VAR-202110-0960 CVE-2021-38474 InHand Networks IR615 Router vulnerability in improperly limiting excessive authentication attempts
CVSS V2: 5.0
CVSS V3: 9.8
Severity: CRITICAL
InHand Networks IR615 Router versions 2.3.0.r4724 and 2.3.0.r4870 have no account lockout policy configured for the login page of the product. This may allow an attacker to execute a brute-force password attack with no time limitation and without harming the normal operation of the user. This could allow an attacker to gain valid credentials for the product interface. InHand Networks IR615 Router is vulnerable to improper restrictions on excessive authentication attempts. Information may be obtained, information may be tampered with, and service operation may be interrupted (DoS). Ruimu Technology IR615 Router is a 4G industrial router of China Ruimu Technology Company.

VAR-202110-0964 CVE-2021-38466 IR615 Router cross-site scripting vulnerability
CVSS V2: 4.3
CVSS V3: 6.1
Severity: MEDIUM
InHand Networks IR615 Router versions 2.3.0.r4724 and 2.3.0.r4870 do not perform sufficient input validation on client requests from the help page. This may allow an attacker to perform a reflected cross-site scripting attack, which could allow an attacker to run code on behalf of the client browser. A cross-site scripting vulnerability exists in InHand Networks IR615 Router. Information may be obtained and information may be tampered with. Ruimu Technology IR615 Router is a 4G industrial router of China Ruimu Technology Company.

VAR-202110-0443 CVE-2021-38478 InHand Networks IR615 Router OS command injection vulnerability
CVSS V2: 6.5
CVSS V3: 9.1
Severity: CRITICAL
InHand Networks IR615 Router versions 2.3.0.r4724 and 2.3.0.r4870 are vulnerable to an attacker using a traceroute tool to inject commands into the device. This may allow the attacker to remotely run commands on behalf of the device. An OS command injection vulnerability exists in InHand Networks IR615 Router. Information may be obtained, information may be tampered with, and service operation may be interrupted (DoS). Ruimu Technology IR615 Router is a 4G industrial router of China Ruimu Technology Company. IR615 Router has an operating system command injection vulnerability.

VAR-202110-1633 CVE-2021-37730 Aruba Instant operating system command injection vulnerability
CVSS V2: 9.0
CVSS V3: 7.2
Severity: HIGH
A remote arbitrary command execution vulnerability was discovered in HPE Aruba Instant (IAP) version(s): Aruba Instant 6.4.x.x: 6.4.4.8-4.2.4.18 and below; Aruba Instant 6.5.x.x: 6.5.4.20 and below; Aruba Instant 8.5.x.x: 8.5.0.12 and below; Aruba Instant 8.6.x.x: 8.6.0.11 and below; Aruba Instant 8.7.x.x: 8.7.1.3 and below. Aruba has released patches for Aruba Instant (IAP) that address this security vulnerability. An OS command injection vulnerability exists in HPE Aruba Instant (IAP). Information may be obtained, information may be tampered with, and service operation may be interrupted (DoS). Aruba Instant provides the only Wi-Fi solution that is easy to set up. Remotely authenticated attackers can use this vulnerability to escalate privileges on the system.

VAR-202110-1635 CVE-2021-37726 Aruba Instant classic buffer overflow vulnerability
CVSS V2: 10.0
CVSS V3: 9.8
Severity: CRITICAL
A remote buffer overflow vulnerability was discovered in HPE Aruba Instant (IAP) version(s): Aruba Instant 8.7.x.x: 8.7.0.0 through 8.7.1.2. Aruba has released patches for Aruba Instant (IAP) that address this security vulnerability. A classic buffer overflow vulnerability exists in Aruba Instant. Information may be obtained, information may be tampered with, and service operation may be interrupted (DoS). Aruba Instant provides the only Wi-Fi solution that is easy to set up. A remote attacker can use this vulnerability to execute arbitrary code on the target system.

VAR-202110-0966 CVE-2021-38462 InHand Networks IR615 Router vulnerability in requesting weak passwords
CVSS V2: 7.5
CVSS V3: 9.8
Severity: CRITICAL
InHand Networks IR615 Router versions 2.3.0.r4724 and 2.3.0.r4870 do not enforce an efficient password policy. This may allow an attacker with obtained user credentials to enumerate passwords and impersonate other application users and perform operations on their behalf. InHand Networks IR615 Router contains a weak password requirement vulnerability. Information may be obtained, information may be tampered with, and service operation may be interrupted (DoS). Ruimu Technology IR615 Router is a 4G industrial router of China Ruimu Technology Company. IR615 Router has a security vulnerability.

VAR-202110-1632 CVE-2021-37732 Aruba Instant command injection vulnerability (CNVD-2021-89450)
CVSS V2: 9.0
CVSS V3: 7.2
Severity: HIGH
A remote arbitrary command execution vulnerability was discovered in HPE Aruba Instant (IAP) version(s): Aruba Instant 6.4.x.x: 6.4.4.8-4.2.4.17 and below; Aruba Instant 6.5.x.x: 6.5.4.18 and below; Aruba Instant 8.5.x.x: 8.5.0.11 and below; Aruba Instant 8.6.x.x: 8.6.0.6 and below; Aruba Instant 8.7.x.x: 8.7.1.0 and below. Aruba has released patches for Aruba Instant (IAP) that address this security vulnerability. Aruba Instant provides the only Wi-Fi solution that is easy to set up. Aruba Instant has a command injection vulnerability, which is caused by incorrect input validation in the web interface. An attacker can exploit the vulnerability by sending specially crafted HTTP requests to the application to execute arbitrary OS commands on the target system.

VAR-202110-0990 CVE-2021-38440 FATEK Automation WinProladder out-of-bounds read vulnerability
CVSS V2: 4.3
CVSS V3: 3.3
Severity: LOW
FATEK Automation WinProladder versions 3.30 and prior are vulnerable to an out-of-bounds read, which may allow an attacker to read unauthorized information. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Fatek Automation WinProladder. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of PDW files. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the current process. FATEK Automation WinProladder is a PLC of China FATEK Automation Company.

VAR-202110-0128 CVE-2020-4654 IBM Sterling File Gateway vulnerability
CVSS V2: 4.0
CVSS V3: 6.5
Severity: MEDIUM
IBM Sterling File Gateway 2.2.0.0 through 6.1.1.0 could allow an authenticated user to obtain sensitive information due to improper permission control. IBM X-Force ID: 186090. There is an unspecified vulnerability in IBM Sterling File Gateway. The vendor has published this vulnerability as IBM X-Force ID: 186090. Information may be obtained.

VAR-202110-0178 CVE-2021-25498 Samsung Notes Security hole
CVSS V2: 4.6
CVSS V3: 7.8
Severity: HIGH
A possible buffer overflow vulnerability in maetd_eco_cb_mode of libSPenBase library of Samsung Notes prior to Samsung Notes version 4.3.02.61 allows arbitrary code execution.

VAR-202110-0172 CVE-2021-25492 Samsung Notes Buffer error vulnerability
CVSS V2: 3.6
CVSS V3: 7.1
Severity: HIGH
Lack of boundary checking of a buffer in libSPenBase library of Samsung Notes prior to Samsung Notes version 4.3.02.61 allows an OOB read.

VAR-202110-0176 CVE-2021-25496 Samsung Notes Security hole
CVSS V2: 4.6
CVSS V3: 7.8
Severity: HIGH
A possible buffer overflow vulnerability in maetd_dec_slice of libSPenBase library of Samsung Notes prior to Samsung Notes version 4.3.02.61 allows arbitrary code execution.

VAR-202110-0177 CVE-2021-25497 Samsung Notes Security hole
CVSS V2: 4.6
CVSS V3: 7.8
Severity: HIGH
A possible buffer overflow vulnerability in maetd_cpy_slice of libSPenBase library of Samsung Notes prior to Samsung Notes version 4.3.02.61 allows arbitrary code execution.