VARIoT IoT vulnerabilities database

Fu Hong Technology Co., Ltd. was established in 1991, dedicated to the development and manufacture of "video surveillance system" and so on. Fortune Technology Co., Ltd. IP SURVEILLANCE has a weak password vulnerability, attackers can use the vulnerability to obtain sensitive information.

The HP LaserJet Pro MFP series printer is an all-in-one printer from Hewlett-Packard. HP LaserJet Pro MFP series printers have an unauthorized access vulnerability. Attackers can use this vulnerability to directly access the printer control interface without logging in.

Dell Unisphere for PowerMax versions prior to 9.2.1.6 contain an Authorization Bypass Vulnerability. A local authenticated malicious user with monitor role may exploit this vulnerability to perform unauthorized actions. Dell Unisphere for PowerMax Exists in a vulnerability related to incorrect resource movement between regions.Information is obtained, information is tampered with, and service is disrupted (DoS) It may be put into a state. DELL Dell EMC Unisphere for PowerMax is a set of graphical management tools for PowerMax storage arrays developed by Dell (DELL). A security vulnerability exists in PowerMax that could allow an attacker to bypass restrictions through Dell Unisphere's PowerMax monitoring role to escalate privileges

ACRN through 2.2 has a devicemodel/hw/pci/virtio/virtio.c NULL Pointer Dereference. ACRN is an open source virtual machine monitor for the Internet of Things. No detailed vulnerability details are currently provided

Askey Fiber Router RTF3505VW-N1 BR_SV_g000_R3505VWN1001_s32_7 devices allow Remote Code Execution and retrieval of admin credentials to log into the Dashboard or login via SSH, leading to code execution as root. Askey Fiber Router RTF3505VW-N1 BR_SV_g000_R3505VWN1001_s32_7 device Contains a code injection vulnerability.Information is obtained, information is tampered with, and service is disrupted (DoS) It may be put into a state. Askey is the world's largest professional manufacturer of international network communication equipment, and its main products include ADSL and Cable Modem, ADSL Router, Cable Router, etc. Askey fiber router unauthorized RCE vulnerability, unauthorized remote attackers can use this vulnerability to execute arbitrary commands on the target device

This vulnerability allows remote attackers to delete arbitrary files on affected installations of NETGEAR ProSAFE Network Management System 1.6.0.26. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the MibController class. When parsing the realName parameter, the process does not properly validate a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to create a denial-of-service condition on the system. Was ZDI-CAN-12122. Zero Day Initiative To this vulnerability ZDI-CAN-12122 Was numbered.Information is tampered with and denial of service (DoS) It may be put into a state. Netgear NETGEAR is a router made by Netgear. A hardware device that connects two or more networks, acting as a gateway between the networks

This vulnerability allows remote attackers to disclose sensitive information and delete arbitrary files on affected installations of NETGEAR ProSAFE Network Management System 1.6.0.26. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the ConfigFileController class. When parsing the realName parameter, the process does not properly validate a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to disclose sensitive information or to create a denial-of-service condition on the system. Was ZDI-CAN-12125. NETGEAR ProSAFE Network Management System Contains a path traversal vulnerability. Zero Day Initiative To this vulnerability ZDI-CAN-12125 Was numbered.Information is obtained, information is tampered with, and service is disrupted (DoS) It may be put into a state. Netgear NETGEAR is a router made by Netgear. A hardware device that connects two or more networks, acting as a gateway between the networks

This vulnerability allows remote attackers to delete arbitrary files on affected installations of NETGEAR ProSAFE Network Management System 1.6.0.26. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the ReportTemplateController class. When parsing the path parameter, the process does not properly validate a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to create a denial-of-service condition on the system. Was ZDI-CAN-12123. Zero Day Initiative To this vulnerability ZDI-CAN-12123 Was numbered.Information is tampered with and denial of service (DoS) It may be put into a state

This vulnerability allows remote attackers to execute arbitrary code on affected installations of NETGEAR ProSAFE Network Management System 1.6.0.26. Authentication is not required to exploit this vulnerability. The specific flaw exists within the MFileUploadController class. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-12124. Zero Day Initiative To this vulnerability ZDI-CAN-12124 Was numbered.Information is obtained, information is tampered with, and service is disrupted (DoS) It may be put into a state. Netgear NETGEAR is a router made by Netgear. A hardware device that connects two or more networks, acting as a gateway between the networks

This vulnerability allows remote attackers to execute arbitrary code on affected installations of NETGEAR ProSAFE Network Management System 1.6.0.26. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the SettingConfigController class. When parsing the fileName parameter, the process does not properly validate a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-12121. Zero Day Initiative To this vulnerability ZDI-CAN-12121 Was numbered.Information is obtained, information is tampered with, and service is disrupted (DoS) It may be put into a state. Netgear NETGEAR is a router made by Netgear. A hardware device that connects two or more networks, acting as a gateway between the networks

wire-server is an open-source back end for Wire, a secure collaboration platform. In wire-server from version 2021-02-16 and before version 2021-03-02, the client metadata of all users was exposed in the `GET /users/list-clients` endpoint. The endpoint could be used by any logged in user who could request client details of any other user (no connection required) as far as they can find their User ID. The exposed metadata included id, class, type, location, time, and cookie. A user on a Wire backend could use this endpoint to find registration time and location for each device for a given list of users. As a workaround, remove `/list-clients` from nginx config. This has been fixed in version 2021-03-02. wire-server Contains an information disclosure vulnerability.Information may be obtained

An improper boundary check in DSP driver prior to SMR Mar-2021 Release 1 allows out of bounds memory access. DSP driver Is vulnerable to an out-of-bounds write.Information is obtained, information is tampered with, and service is disrupted (DoS) It may be put into a state. Samsung DSP driver is a digital signal processing driver for Samsung mobile devices. Samsung DSP driver has an out-of-bounds write vulnerability, which is caused by incorrect boundary checking. Attackers can exploit this vulnerability to perform out-of-bounds memory access

Zhejiang Yushi Technology Co., Ltd. (abbreviated as: Yushi) was founded in 2011 and is a global public safety and intelligent transportation solution provider. Zhejiang Univision Technology Co., Ltd.'s transcoding server configuration management system has a weak password vulnerability. Attackers can use this vulnerability to log in to the background without authorization.

The 360 smart camera PTZ AI version standard AP2C is a device under the 360 smart home platform, which can help the owner realize real-time monitoring of the home situation. The 360 smart camera PTZ AI version standard AP2C has an unauthorized access vulnerability. Attackers can use this vulnerability to initiate control operations belonging to high-level shared users, such as switching the camera, setting the volume, and setting the AI function.

The business scope of China Mobile Communications Co., Ltd. includes: IP telephony business; Internet access service business, Internet backbone network data transmission business; engaged in the design of mobile communications, IP telephony, and Internet networks. The Mobaibox network set-top box has a logic flaw vulnerability, which can be exploited by attackers to obtain sensitive information.

Look at Xiaoxing. Smart cameras are important devices under the ZTE Smart Home Platform, which can help owners realize real-time monitoring of family conditions. Xiaoxing sees that there is an unauthorized access vulnerability in smart cameras. Attackers can use the vulnerability to obtain sensitive information and perform unauthorized operations.

Hikvision is a video-centric intelligent IoT solution and big data service provider. DS-8116HWS-SH and DS-7804N-E1/4N have weak password vulnerabilities, which can be exploited by attackers to obtain sensitive information.

Hikvision Streaming Media Management Server v2.3.5 uses default credentials that allow remote attackers to authenticate and access restricted functionality. After authenticating with these credentials, an attacker can exploit an arbitrary file read vulnerability in the /systemLog/downFile.php endpoint via directory traversal in the fileName parameter. This exploit chain can enable unauthorized access to sensitive system files. Hikvision is a video-centric intelligent IoT solution and big data service provider. The streaming media management server of Hangzhou Hikvision System Technology Co., Ltd. has a weak password vulnerability. Attackers can use the vulnerability to obtain sensitive information

Loading a DLL through an Uncontrolled Search Path Element in Bosch IP Helper up to and including version 1.00.0008 potentially allows an attacker to execute arbitrary code on a victim's system. A prerequisite is that the victim is tricked into placing a malicious DLL in the same application directory as the portable IP Helper application. Bosch IP Helper is an industrial control equipment of Bosch company in Germany. Universal discovery and network configuration tool for all Bosch IP Network Video products

Using unsafe PendingIntent in Samsung Notes prior to version 4.2.00.22 allows local attackers unauthorized action without permission via hijacking the PendingIntent. Samsung Notes Is vulnerable to incorrect default permissions.Information is obtained, information is tampered with, and service is disrupted (DoS) It may be put into a state