VARIoT IoT vulnerabilities database

DIR-816 750M11AC wireless router is a wireless router of DEXUN Electronic Equipment (Shanghai) Co., Ltd. The DIR-816 750M11AC wireless router has a command execution vulnerability. Attackers can use this vulnerability to execute commands remotely.

ZTE Corporation is the world's leading provider of integrated communications solutions. ZTE Corporation ZXHN F427 has an unauthorized access vulnerability. Attackers can use the vulnerability to obtain sensitive information.

Mi Router 4A Gigabit Edition is a gigabit router of Xiaomi Technology Co., Ltd. Mi Router 4A Gigabit Edition has a denial of service vulnerability, which can be exploited by attackers to cause a denial of service.

Shenzhen Jixiang Tengda Technology Co., Ltd. is a high-tech enterprise integrating independent research and development, production and sales of network equipment. Shenzhen Jixiang Tengda Technology Co., Ltd. 11AC 1200MBPS wireless panel AP has a command execution vulnerability. Attackers can use this vulnerability to execute system commands.

Chengdu Zhifeng Technology Co., Ltd. was established in October 2016. It is an emerging high-tech company integrating R&D, production and sales. An unauthorized access vulnerability exists in the enterprise router of Chengdu Zhifeng Technology Co., Ltd., which can be exploited by attackers to obtain sensitive information.

Established in September 2000, China Telecom is a large-scale state-owned communications company in China and a global partner of the Shanghai World Expo. It has been selected as one of the "Fortune 500 Companies" for many consecutive years. China Telecom Tianyi Kandian camera has an information disclosure vulnerability, which can be exploited by attackers to obtain sensitive information.

TL-WR845N is a router from Prolink Technology Co., Ltd. TL-WR845N has a weak password vulnerability, which can be exploited by attackers to obtain sensitive information.

Hikvision is a video-centric IoT solution provider, providing comprehensive security, smart business and big data services. Hikvision's video and environmental integrated monitoring and management system has an arbitrary file download vulnerability, which can be exploited by attackers to obtain sensitive information.

Hikvision is a video-centric IoT solution provider, providing comprehensive security, smart business and big data services. Hikvision's video and environmental integrated monitoring and management system has an arbitrary password reset vulnerability, which can be exploited by attackers to affect the integrity of the system.

Seiko Cloud MES is mainly aimed at on-site management of small and medium-sized manufacturing workshops. Based on the industrial Internet, microservices, cloud computing, Internet of Things, and big data technology architecture, it provides low-cost, fast deployment, and easy-to-operate SAAS applications. Guangdong Jinggong Intelligent System Co., Ltd. Jinggong Cloud MES has a SQL injection vulnerability. Attackers can use the vulnerability to obtain sensitive information in the database.

Chengdu Feiyuxing Technology Co., Ltd. was established in 2002 and was listed in 2014 (stock code: 831002). It is headquartered in Chengdu Tianfu Software Park. It is one of the few local companies in the industry with independent intellectual property rights and independent research and development capabilities. A high-tech enterprise focusing on product innovation and research and development in the data communication industry and the Internet of Things industry. Feiyuxing router WEB configuration system has a weak password vulnerability, which can be exploited by attackers to obtain sensitive information.

An issue was dicovered in vtiger crm 7.2. Union sql injection in the calendar exportdata feature. Vtiger CRM is a customer relationship management system (CRM) based on SugarCRM developed by American Vtiger Company. The management system provides functions such as management, collection, and analysis of customer information

MERCUSYS Mercury X18G 1.0.5 devices allow Denial of service via a crafted value to the POST listen_http_lan parameter. Upon subsequent device restarts after this vulnerability is exploted the device will not be able to access the webserver unless the listen_http_lan parameter to uhttpd.json is manually fixed

Cross site Scripting (XSS) vulnerability in MERCUSYS Mercury X18G 1.0.5 devices, via crafted values to the 'src_dport_start', 'src_dport_end', and 'dest_port' parameters

GNU Wget through 1.21.1 does not omit the Authorization header upon a redirect to a different origin, a related issue to CVE-2018-1000007. GNU Wget is a set of free software developed by the GNU Project (Gnu Project Development) for downloading on the Internet. It supports downloading through the three most common TCP/IP protocols: HTTP, HTTPS and FTP. There is a security vulnerability in GNU Wget 1.21.1 and earlier versions. The vulnerability is caused by not ignoring Authorization when redirecting to a different source

Century Star configuration software is an intelligent human-machine interface (HMI) software system developed on a PC. Century Star configuration software V9.1 has a directory traversal vulnerability, which can be exploited by attackers to obtain sensitive information.

Runshen Information Technology (Shanghai) Co., Ltd. is a company engaged in technology development in the fields of information technology, cloud computing, and Internet of Things technology. Runshen Information Technology (Shanghai) Co., Ltd. enterprise standardization management system has a SQL injection vulnerability. Attackers can use the vulnerability to obtain sensitive database information.

Runshen Information Technology (Shanghai) Co., Ltd. is a company engaged in technology development in the fields of information technology, cloud computing, and Internet of Things technology. Runshen Information Technology (Shanghai) Co., Ltd. enterprise standardization management system has a SQL injection vulnerability. Attackers can use the vulnerability to obtain sensitive database information.

This vulnerability could allow an attacker to send malicious Javascript code resulting in hijacking of the user’s cookie/session tokens, redirecting the user to a malicious webpage, and performing unintended browser action. Advantech Provided by the company WebAccess/HMI Designer Is Human Machine Interface (HMI) Design software. WebAccess/HMI Designer The following multiple vulnerabilities exist in. * Heap-based buffer overflow (CWE-122) - CVE-2021-33000 ‥ * Out-of-bounds writing (CWE-787) - CVE-2021-33002 ‥ * Buffer error (CWE-119) - CVE-2021-33004 ‥ * Use of freed memory (Use-after-free) (CWE-416) - CVE-2021-42706 ‥ * Cross-site scripting (CWE-79) - CVE-2021-42703The expected impact depends on each vulnerability, but it may be affected as follows. * Project files specially crafted by the attacker (PLF File, SNF File, PM3 File ) Will execute arbitrary code on the system - CVE-2021-33000 , CVE-2021-33002 , CVE-2021-33004 ‥ * Information is stolen or arbitrary code is executed by a third party - CVE-2021-42706 ‥ * Crafted by a remote third party Javascript When the code is sent to the product, it can hijack the user's authentication token, redirect the user to a malicious web page, and perform unintended browser operations. - CVE-2021-42703. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Advantech WebAccess/HMI Designer. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists within the parsing of PM3 files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. The product has functions such as data transfer, menu editing and text editing. This vulnerability stems from the software's lack of effective filtering and escaping of parameters submitted by users

This vulnerability could allow an attacker to disclose information and execute arbitrary code on affected installations of WebAccess/MHI Designer. Advantech Provided by the company WebAccess/HMI Designer Is Human Machine Interface (HMI) Design software. WebAccess/HMI Designer The following multiple vulnerabilities exist in. * Heap-based buffer overflow (CWE-122) - CVE-2021-33000 ‥ * Out-of-bounds writing (CWE-787) - CVE-2021-33002 ‥ * Buffer error (CWE-119) - CVE-2021-33004 ‥ * Use of freed memory (Use-after-free) (CWE-416) - CVE-2021-42706 ‥ * Cross-site scripting (CWE-79) - CVE-2021-42703The expected impact depends on each vulnerability, but it may be affected as follows. * Project files specially crafted by the attacker (PLF File, SNF File, PM3 File ) Will execute arbitrary code on the system - CVE-2021-33000 , CVE-2021-33002 , CVE-2021-33004 ‥ * Information is stolen or arbitrary code is executed by a third party - CVE-2021-42706 ‥ * Crafted by a remote third party Javascript When the code is sent to the product, it can hijack the user's authentication token, redirect the user to a malicious web page, and perform unintended browser operations. - CVE-2021-42703. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists within the parsing of PM3 files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. The product has functions such as data transfer, menu editing and text editing. Advantech WebAccess HMI Designer versions prior to 2.1.11.0 have a resource management error vulnerability, which originates from a reuse-after-release problem in the software