VARIoT IoT vulnerabilities database

MinIO is an open-source high performance object storage service and it is API compatible with Amazon S3 cloud storage service. In MinIO before version RELEASE.2021-03-17T02-33-02Z, there is a vulnerability which enables MITM modification of request bodies that are meant to have integrity guaranteed by chunk signatures. In a PUT request using aws-chunked encoding, MinIO ordinarily verifies signatures at the end of a chunk. This check can be skipped if the client sends a false chunk size that is much greater than the actual data sent: the server accepts and completes the request without ever reaching the end of the chunk + thereby without ever checking the chunk signature. This is fixed in version RELEASE.2021-03-17T02-33-02Z. As a workaround one can avoid using "aws-chunked" encoding-based chunk signature upload requests instead use TLS. MinIO SDKs automatically disable chunked encoding signature when the server endpoint is configured with TLS. MinIO Contains a vulnerability related to improper enforcement of the integrity of messages being sent on a communication channel.Information may be tampered with

index.jsp in TranzWare e-Commerce Payment Gateway (TWEC PG) before 3.1.27.5 had a Stored cross-site scripting (XSS) vulnerability. Compass Plus e-Commerce Payment Gateway is an application interface of the Russian (Compass Plus) company. Provide an API interface for payment function

/exec in TranzWare e-Commerce Payment Gateway (TWEC PG) before 3.1.27.5 had a vulnerability in its XML parser. Compass Plus e-Commerce Payment Gateway is an application interface of the Russian (Compass Plus) company. Provide an API interface for payment function

On BIG-IP versions 14.1.4 and 16.0.1.1, when the Traffic Management Microkernel (TMM) process handles certain undisclosed traffic, it may start dropping all fragmented IP traffic. Note: Software versions which have reached End of Software Development (EoSD) are not evaluated. BIG-IP Contains an unspecified vulnerability.Denial of service (DoS) It may be put into a state. F5 BIG-IP is an application delivery platform integrated with network traffic management, application security management, load balancing and other functions of the US company F5. There is a security vulnerability in F5 BIG-IP TMM Fragmented IP Traffic Drop. Attackers can exploit this vulnerability to trigger a fatal error through F5 BIG-IP TMM Fragmented IP Traffic Drop, thereby triggering a denial of service

Changzhou Zhenming Electronic Technology Co., Ltd. was established on January 13, 2015. Legal representative Yuan Chunjuan, the company's business scope includes: electronic product research and development; new energy product technology development; electronic products and components, metal materials, mechanical equipment and accessories, hardware, etc. Changzhou Zhenming Electronic Technology Internet of Things smart street lamp integrated management platform has a logic flaw vulnerability, which can be used by attackers to obtain sensitive information.

The H3C GR2200 router is an enterprise-class router. The H3C GR2200 router has a weak password vulnerability. Attackers use this vulnerability to log in to the background of the system to obtain sensitive information.

Xiamen Baima Technology Co., Ltd. focuses on the Industrial Internet of Things (IIoT: Industrial Internet of Things), providing users with industrial-grade data collection, communication networking, cloud platforms and other intelligent products and solutions. The edge computing gateway BMG700 of Baima Technology has an information disclosure vulnerability. Attackers can use vulnerabilities to obtain sensitive information.

The H3C GR3200 router is a new generation of high-performance enterprise-class routers launched by H3C. The H3C GR3200 router has a weak password vulnerability. Attackers use this vulnerability to log in to the background of the system to obtain sensitive information.

Information Exposure vulnerability in Hitachi ABB Power Grids eSOMS allows unauthorized user to gain access to report data if the URL used to access the report is discovered. This issue affects: Hitachi ABB Power Grids eSOMS 6.0 versions prior to 6.0.4.2.2; 6.1 versions prior to 6.1.4; 6.3 versions prior to 6.3. ABB eSOMS (Electronic Shift Operations Management System) is a set of factory operation management system of Swiss ABB company

An improper access control vulnerability in the JWT plugin in Kong Gateway prior to 2.3.2.0 allows unauthenticated users access to authenticated routes without a valid token JWT. Kong Gateway is an API gateway of the Italian (Kong) company. A gateway is provided

MikroTik RouterOS 6.47.9 allows remote authenticated ftp users to create or overwrite arbitrary .rsc files via the /export command. NOTE: the vendor's position is that this is intended behavior because of how user policies work. ** Unsettled ** This case has not been confirmed as a vulnerability. MikroTik RouterOS Contains a command injection vulnerability. Vendors have challenged this vulnerability. For more information, please see below NVD of Current Description Please Confirm. https://nvd.nist.gov/vuln/detail/CVE-2021-27221Information is tampered with and denial of service (DoS) It may be put into a state. MikroTik RouterOS is a Linux-based router operating system developed by Latvian MikroTik Company. The system can be deployed in a PC so that it provides router functionality

AWK-1131A is an industrial-grade wireless AP. MOXA AWK-1131A has a command execution vulnerability, which can be exploited by attackers to execute malicious code.

Hisense Group Co., Ltd. is an electronic information industry group company. Hisense Ethernet Passive Optical Access User-End Equipment (EPON ONU) IP906H-FV1 has a denial of service vulnerability, which can be exploited by attackers to cause a denial of service.

A vulnerability in the web-based management interface of Cisco RV132W ADSL2+ Wireless-N VPN Routers and Cisco RV134W VDSL2 Wireless-AC VPN Routers could allow an authenticated, remote attacker to execute arbitrary code on an affected device or cause the device to restart unexpectedly. The vulnerability exists because the web-based management interface does not properly validate user-supplied input. An attacker could exploit this vulnerability by sending crafted HTTP requests to an affected device. A successful exploit could allow the attacker to execute arbitrary code as the root user on the underlying operating system or cause the device to reload, resulting in a denial of service (DoS) condition on the affected device. Cisco RV132W ADSL2+ Wireless-N VPN Router and RV134W VDSL2 Wireless-AC VPN A stack-based buffer overflow vulnerability exists in the router.Information is obtained, information is tampered with, and service is disrupted (DoS) It may be put into a state

Tianyi Gateway is a hardware terminal of "Optical Modem Smart Router". EPON Tianyi gateway has a denial of service vulnerability. Attackers can use this vulnerability to restart the device multiple times.

Cisco is the world's leading provider of network solutions. Cisco rv130w has command execution vulnerabilities. Attackers can gain system root privileges by constructing rop.

NATS Server 2.x before 2.2.0 and JWT library before 2.0.1 have Incorrect Access Control because Import Token bindings are mishandled. NATS Server and JWT library Contains an improper authentication vulnerability.Information may be obtained. NATS Server is an open source messaging system. The system is mainly used for cloud-native applications, IoT messaging, and microservice architecture. No detailed vulnerability details are currently provided

WebAccess/SCADA Versions 9.0 and prior is vulnerable to cross-site scripting, which may allow an attacker to send malicious JavaScript code to an unsuspecting user, which could result in hijacking of the user’s cookie/session tokens, redirecting the user to a malicious webpage and performing unintended browser actions. Advantech WebAccess/SCADA is a set of SCADA software based on browser architecture of Advantech. The software supports dynamic graphic display and real-time data control, and provides functions for remote control and management of automation equipment. Advantech WebAccess/SCADA 9.0 and earlier versions have cross-site scripting vulnerabilities

The Web CGI Script on ZyXEL LTE4506-M606 V1.00(ABDO.2)C0 devices does not require authentication, which allows remote unauthenticated attackers (via crafted JSON action data to /cgi-bin/gui.cgi) to use all features provided by the router. Examples: change the router password, retrieve the Wi-Fi passphrase, send an SMS message, or modify the IP forwarding to access the internal network. plural Zyxel The product is vulnerable to a lack of authentication for critical features.Information may be obtained and information may be tampered with

ZXHN F412 is a simple xPON HGU terminal used in FTTH scenarios. ZTE Corporation ZXHN F412 has a denial of service vulnerability, which can be exploited by attackers to cause a denial of service attack.