VARIoT IoT vulnerabilities database


VAR-202011-1531 No CVE A SQL injection vulnerability exists in the management platform of the public security bureau’s Internet service business premises (CNVD-2020-60077) CVSS V2: 7.8
CVSS V3: -
Severity: HIGH
Harbin Zhonglong Baiying Technology Development Co., Ltd. was established on May 29, 2013, and is mainly engaged in computer software and hardware, office automation equipment, security equipment, etc. Its public security bureau online service business site management platform has a SQL injection vulnerability, which attackers can exploit to obtain sensitive database information.
VAR-202012-1273 CVE-2020-4129 HCL Domino Lockout Policy Bypass Vulnerability in LDAP Service CVSS V2: 5.0
CVSS V3: 5.3
Severity: MEDIUM
HCL Domino is susceptible to a lockout policy bypass vulnerability in the LDAP service. An unauthenticated attacker could use this vulnerability to mount a brute force attack against the LDAP service. Fixes are available in HCL Domino versions 9.0.1 FP10 IF6, 10.0.1 FP6 and 11.0.1 FP1 and later.
VAR-202011-1215 CVE-2020-4127 HCL Domino Cross-Site Request Forgery Vulnerability CVSS V2: 4.3
CVSS V3: 6.5
Severity: MEDIUM
HCL Domino is susceptible to a Login CSRF vulnerability. With a valid credential, an attacker could trick a user into accessing a system under another ID, or use an intranet user's system to access internal systems from the internet. Fixes are available in HCL Domino versions 9.0.1 FP10 IF6, 10.0.1 FP6 and 11.0.1 FP1 and later. HCL Domino contains a cross-site request forgery vulnerability. Information may be obtained.
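Login CSRF is the variant of CSRF that the entry above describes: the attacker's own credentials are submitted from the victim's browser, so the victim ends up logged in under the attacker's identity. The following simulation is an added example, not HCL Domino code; the user table, session store and HMAC-based token scheme are constructed for the demo. It contrasts a login handler that accepts any well-formed credentials with one that requires a token bound to the browser's pre-login session cookie and rotates the session id on success.

```python
import hashlib
import hmac
import secrets

# Constructed user table for the demo (plaintext only for illustration).
USERS = {"alice": "correct horse", "mallory": "hunter2"}

# Hypothetical server-side key and session store.
SERVER_KEY = secrets.token_bytes(32)
SESSIONS = {}  # session id -> {"user": name or None}


def new_pre_login_session() -> str:
    """Issue an anonymous session cookie to the browser before any login."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": None}
    return sid


def login_csrf_token(session_id: str) -> str:
    """Form token derived from the pre-login cookie. Only the server can mint it,
    and it only verifies together with the cookie it was derived from."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def check_credentials(user, password) -> bool:
    stored = USERS.get(user)
    return stored is not None and hmac.compare_digest(stored, password or "")


def login_vulnerable(session_cookie: str, form: dict):
    """Accepts any valid credentials, so a cross-site form can log the victim's
    browser in as the attacker. Returns the user now bound to the session."""
    if session_cookie not in SESSIONS:
        return None
    if not check_credentials(form.get("user"), form.get("password")):
        return None
    SESSIONS[session_cookie]["user"] = form["user"]
    return SESSIONS[session_cookie]["user"]


def login_hardened(session_cookie: str, form: dict):
    """Requires a token bound to the cookie-identified pre-login session and
    rotates the session id on success. Returns (new_session_id, user) or None."""
    if session_cookie not in SESSIONS:
        return None
    expected = login_csrf_token(session_cookie)
    if not hmac.compare_digest(expected, form.get("csrf_token", "")):
        return None  # token missing, or minted for a different browser's cookie
    if not check_credentials(form.get("user"), form.get("password")):
        return None
    SESSIONS.pop(session_cookie)
    new_sid = secrets.token_urlsafe(16)
    SESSIONS[new_sid] = {"user": form["user"]}
    return new_sid, form["user"]


def demo():
    """Replay the login-CSRF scenario against both handlers."""
    # Attacker's own browser obtains a cookie and the token that goes with it,
    # then embeds both in a form that auto-submits from a malicious page.
    attacker_sid = new_pre_login_session()
    forged_form = {"user": "mallory", "password": "hunter2",
                   "csrf_token": login_csrf_token(attacker_sid)}

    # Victim's browser submits that form; the victim's own cookie rides along.
    vulnerable_result = login_vulnerable(new_pre_login_session(), forged_form)
    hardened_result = login_hardened(new_pre_login_session(), forged_form)

    # Legitimate login: the token was rendered into a form for this very session.
    victim_sid = new_pre_login_session()
    legit_form = {"user": "alice", "password": "correct horse",
                  "csrf_token": login_csrf_token(victim_sid)}
    legit = login_hardened(victim_sid, legit_form)
    return vulnerable_result, hardened_result, legit


if __name__ == "__main__":
    print(demo())
```

The vulnerable handler binds the victim's browser to the attacker's account; the hardened one rejects the forged form because the attacker cannot mint a token for a cookie they never saw. The same-site cookie attribute is a useful second layer, but the token check is what makes the login form itself unforgeable.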
VAR-202012-1272 CVE-2020-4128 HCL Domino Lockout Policy Bypass Vulnerability in ID Vault Service CVSS V2: 5.0
CVSS V3: 5.3
Severity: MEDIUM
HCL Domino is susceptible to a lockout policy bypass vulnerability in the ID Vault service. An unauthenticated attacker could use this vulnerability to mount a brute force attack against the ID Vault service. HCL Domino contains an authentication vulnerability. Information may be obtained.
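Both Domino entries above (the LDAP and the ID Vault lockout bypasses) have the same operational consequence: the per-account lockout can no longer be relied on to stop guessing, so the brute force has to be caught on the wire or in the logs. The detector below is an added example, not Domino tooling; the log format is a hypothetical "timestamp service source user result" layout and the sample lines are constructed. It flags sources that exceed a failure threshold in a sliding window, and separately flags password spraying (one source, many accounts), which a per-account lockout never trips on even when it works.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log; this is not HCL Domino's real log layout.
SAMPLE_LOG = """\
2020-12-01T10:00:01Z ldap 203.0.113.7 alice BIND_FAILED
2020-12-01T10:00:03Z ldap 203.0.113.7 alice BIND_FAILED
2020-12-01T10:00:05Z ldap 203.0.113.7 alice BIND_FAILED
2020-12-01T10:00:08Z ldap 203.0.113.7 alice BIND_FAILED
2020-12-01T10:00:11Z ldap 203.0.113.7 alice BIND_FAILED
2020-12-01T10:00:14Z ldap 203.0.113.7 alice BIND_FAILED
2020-12-01T10:01:00Z idvault 198.51.100.9 bob AUTH_FAILED
2020-12-01T10:01:30Z idvault 198.51.100.9 carol AUTH_FAILED
2020-12-01T10:02:00Z idvault 198.51.100.9 dave AUTH_FAILED
2020-12-01T10:02:30Z idvault 198.51.100.9 erin AUTH_FAILED
2020-12-01T10:03:00Z ldap 192.0.2.20 frank BIND_FAILED
2020-12-01T10:03:10Z ldap 192.0.2.20 frank BIND_OK
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")


def parse_log(text):
    """Return a list of (time, service, source, user, failed) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of crashing the detector
        ts, service, source, user, result = m.groups()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append((when, service, source, user, result.endswith("_FAILED")))
    return events


def failures_by_source(events):
    """Group failed attempts per source, sorted by time."""
    by_src = defaultdict(list)
    for when, _service, source, user, failed in events:
        if failed:
            by_src[source].append((when, user))
    for attempts in by_src.values():
        attempts.sort()
    return by_src


def find_brute_force(events, threshold=5, window=timedelta(minutes=5)):
    """Sources with at least `threshold` failures inside some window."""
    flagged = set()
    for source, fails in failures_by_source(events).items():
        times = [t for t, _ in fails]
        for start in times:
            if sum(1 for t in times if start <= t <= start + window) >= threshold:
                flagged.add(source)
                break
    return flagged


def find_password_spray(events, min_users=3, window=timedelta(minutes=5)):
    """Sources that try at least `min_users` distinct accounts in one window."""
    flagged = set()
    for source, fails in failures_by_source(events).items():
        for start, _ in fails:
            users = {u for t, u in fails if start <= t <= start + window}
            if len(users) >= min_users:
                flagged.add(source)
                break
    return flagged


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print("brute force:", find_brute_force(ev))
    print("spraying:   ", find_password_spray(ev))
```

Tune the thresholds to the service: a directory that legitimately sees retries from a mail relay needs a higher failure threshold per source, while the distinct-user count is a robust signal almost everywhere.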
VAR-202011-0485 CVE-2020-16849 Canon MF237w Information Disclosure Vulnerability in IPv4/ICMPv4 Handling CVSS V2: 5.0
CVSS V3: 7.5
Severity: HIGH
An issue was discovered on Canon MF237w 06.07 devices. An "Improper Handling of Length Parameter Inconsistency" issue in the IPv4/ICMPv4 component, when handling a packet sent by an unauthenticated network attacker, may expose sensitive information. Canon MF237w contains an unspecified vulnerability. Information may be obtained. The i-SENSYS MF237w is a four-in-one multifunction laser printer for small offices launched by Canon. i-SENSYS MF237w 06.07 has an information disclosure vulnerability: an attacker can obtain sensitive information by sending a specially crafted packet.
VAR-202012-1399 CVE-2020-9116 Huawei FusionCompute Command Injection Vulnerability CVSS V2: 6.5
CVSS V3: 7.2
Severity: HIGH
Huawei FusionCompute versions 6.5.1 and 8.0.0 have a command injection vulnerability. An authenticated, remote attacker can craft a specific request to exploit this vulnerability. Due to insufficient verification, this could allow the attacker to obtain higher privileges. Huawei FusionCompute contains a command injection vulnerability. Information may be obtained, information may be altered, and a denial-of-service (DoS) condition may be caused. Huawei FusionCompute is a product of the Chinese company Huawei. FusionCompute is a computer virtualization engine that provides virtualization support for cloud hosts; its components include the Virtual Resource Manager (VRM) and the Compute Node Agent (CNA).
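The entry above names the bug class (command injection, "insufficient verification") but not the affected request, so the following is an added, generic example rather than FusionCompute code: a hypothetical management handler that passes a client-supplied host name to a system command. It shows the shell-interpolation form that is injectable, the argument-vector form that keeps metacharacters inside a single argument, and the hardened form that also validates the value so it can never be read as an option. `echo` stands in for the real command so the block runs anywhere with a POSIX shell.

```python
import re
import subprocess

# Allow-list for host names: letters, digits, dots, hyphens, and it must not
# start with "-" so the value can never be parsed as an option by the callee.
HOST_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$")


def is_valid_host(host: str) -> bool:
    return HOST_RE.fullmatch(host) is not None


def run_vulnerable(host: str) -> str:
    """User input interpolated into a shell command line (shell=True):
    "; echo INJECTED" becomes a second command."""
    cmd = f"echo pinging {host}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_no_shell(host: str) -> str:
    """Argument vector, no shell: the whole value is one argv entry, so shell
    metacharacters are inert. Option injection ("-n") is still possible."""
    return subprocess.run(["echo", "pinging", host],
                          capture_output=True, text=True).stdout


def run_hardened(host: str) -> str:
    """Validate against the allow-list first, then exec without a shell."""
    if not is_valid_host(host):
        raise ValueError(f"rejected host value: {host!r}")
    return run_no_shell(host)


if __name__ == "__main__":
    payload = "203.0.113.5; echo INJECTED"
    print(repr(run_vulnerable(payload)))
    print(repr(run_no_shell(payload)))
    print(repr(run_hardened("vrm01.example")))
```

The allow-list is what closes the remaining gap: even with an argument vector, a value such as `-n` is handed to the program as a flag, which for many utilities changes behaviour or reads files the caller never intended.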
VAR-202012-1397 CVE-2020-9114 FusionCompute Privilege Management Vulnerability CVSS V2: 7.2
CVSS V3: 7.8
Severity: HIGH
FusionCompute versions 6.3.0, 6.3.1, 6.5.0, 6.5.1 and 8.0.0 have a privilege escalation vulnerability. Due to improper privilege management, an attacker with common privileges may access some specific files and obtain administrator privileges in the affected products. Successful exploitation results in privilege escalation. FusionCompute contains a privilege management vulnerability. Information may be obtained, information may be altered, and a denial-of-service (DoS) condition may be caused. Huawei FusionCompute is a computer virtualization engine developed by Huawei in China. The product provides the Virtual Resource Manager (VRM) and the Compute Node Agent (CNA), etc. FusionCompute has a permission and access control vulnerability stemming from improper permission management. The following versions are affected: 6.3.0, 6.3.1, 6.5.0, 6.5.1 and 8.0.0.
VAR-202011-1470 CVE-2020-8351 Lenovo PCManager Privilege Management Vulnerability CVSS V2: 4.6
CVSS V3: 7.8
Severity: HIGH
A privilege escalation vulnerability was reported in Lenovo PCManager prior to version 3.0.50.9162 that could allow an authenticated user to execute code with elevated privileges. Lenovo PCManager contains a privilege management vulnerability. Information may be obtained, information may be altered, and a denial-of-service (DoS) condition may be caused. Lenovo PCManager (Lenovo Computer Manager) is software from Lenovo, China, for comprehensive management of PC devices.
VAR-202011-0782 CVE-2020-27660 Synology SafeAccess SQL Injection Vulnerability CVSS V2: 10.0
CVSS V3: 9.8
Severity: CRITICAL
SQL injection vulnerability in request.cgi in Synology SafeAccess before 1.2.3-0234 allows remote attackers to execute arbitrary SQL commands via the domain parameter. Synology SafeAccess contains a SQL injection vulnerability. Information may be obtained, information may be altered, and a denial-of-service (DoS) condition may be caused. Synology SafeAccess is a Synology product for configuring the security of a network environment. It can monitor users' Internet behavior, set Internet schedules and time quotas, apply web filters to protect specific users, and protect all devices on the local network by blocking dangerous websites.
VAR-202011-0781 CVE-2020-27659 Synology SafeAccess Cross-Site Scripting Vulnerability CVSS V2: 3.5
CVSS V3: 4.8
Severity: MEDIUM
Multiple cross-site scripting (XSS) vulnerabilities in Synology SafeAccess before 1.2.3-0234 allow remote attackers to inject arbitrary web script or HTML via the (1) domain or (2) profile parameter. Synology SafeAccess contains a cross-site scripting vulnerability. Information may be obtained and information may be altered. Synology SafeAccess is a Synology product for configuring the security of a network environment. It can monitor users' Internet behavior, set Internet schedules and time quotas, apply web filters to protect specific users, and protect all devices on the local network by blocking dangerous websites.
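The two SafeAccess entries above share the same untrusted inputs, the `domain` and `profile` parameters, and show the two classic ways such inputs go wrong: concatenated into SQL (CVE-2020-27660) and reflected into HTML (CVE-2020-27659). The block below is an added example, not Synology's request.cgi; the `web_filter` table, its rows and the page fragment are constructed. It pairs the injectable query with a parameterised one, and the raw rendering with an escaped one, on the same `' OR '1'='1` and `<script>` payloads.

```python
import html
import sqlite3


def make_db():
    """Constructed in-memory table standing in for a web-filter rule store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE web_filter (profile TEXT, domain TEXT, action TEXT)")
    conn.executemany("INSERT INTO web_filter VALUES (?, ?, ?)", [
        ("kids", "example.com", "allow"),
        ("kids", "malware.test", "block"),
        ("staff", "intranet.example", "allow"),
    ])
    return conn


def lookup_unsafe(conn, profile, domain):
    """String-built WHERE clause: a quote in `domain` rewrites the predicate."""
    sql = ("SELECT profile, domain, action FROM web_filter "
           f"WHERE profile = '{profile}' AND domain = '{domain}'")
    return conn.execute(sql).fetchall()


def lookup_safe(conn, profile, domain):
    """Bound parameters: the values never become part of the SQL text."""
    sql = ("SELECT profile, domain, action FROM web_filter "
           "WHERE profile = ? AND domain = ?")
    return conn.execute(sql, (profile, domain)).fetchall()


def render_unsafe(profile, domain, rows):
    """Reflects both parameters into HTML verbatim."""
    return f"<p>Profile {profile}: {domain} matched {len(rows)} rule(s)</p>"


def render_safe(profile, domain, rows):
    """Escapes both parameters for an HTML text context."""
    return (f"<p>Profile {html.escape(profile)}: {html.escape(domain)} "
            f"matched {len(rows)} rule(s)</p>")


if __name__ == "__main__":
    db = make_db()
    sqli = "' OR '1'='1"
    print("unsafe:", lookup_unsafe(db, "kids", sqli))   # every row, both profiles
    print("safe:  ", lookup_safe(db, "kids", sqli))     # no such domain: []
    xss = "<script>alert(1)</script>"
    print(render_unsafe("kids", xss, []))
    print(render_safe("kids", xss, []))
```

Note that the injected predicate `AND domain = '' OR '1'='1'` leaks rows from the other profile too, because `AND` binds tighter than `OR`; the parameterised query returns nothing because no domain literally equals the payload. `html.escape` is correct for a text node; an attribute or JavaScript context needs its own encoder.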
VAR-202011-1514 No CVE ASUS RT-AC5300 and RT-AC1200 have binary vulnerabilities CVSS V2: 4.3
CVSS V3: -
Severity: MEDIUM
ASUS was established in June 2000; its business scope covers the R&D and manufacturing of notebook computers, computer motherboards, medium-sized mainframes, high-end personal computers, servers, etc. ASUS RT-AC5300 and RT-AC1200 have a binary vulnerability that attackers can exploit to cause a denial of service.
VAR-202011-1518 No CVE Lilin NVR104 has an information disclosure vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
NVR104 is a standalone NVR video recorder launched by Lilin, which supports up to 4 channels of IP network cameras. Lilin NVR104 has an information disclosure vulnerability. Attackers can use the vulnerability to obtain sensitive information.
VAR-202011-1520 No CVE Lilin NVR104 NTP component has remote code execution vulnerability CVSS V2: 10.0
CVSS V3: -
Severity: HIGH
NVR104 is a standalone NVR video recorder launched by Lilin, which supports up to 4 channels of IP network cameras. Lilin NVR104 has a remote code execution vulnerability. Attackers can use the vulnerability to gain control of the NVR equipment.
VAR-202011-1526 No CVE Rockchip kernel has a denial of service vulnerability CVSS V2: 4.9
CVSS V3: -
Severity: MEDIUM
Rockchip Microelectronics Co., Ltd. has an R&D team specializing in system-level chip design and algorithm research, providing professional chip solutions for high-end smart hardware, mobile phone peripherals, tablet computers, TV set-top boxes, industrial control and other fields. The Rockchip kernel has a denial of service vulnerability. An attacker can use this vulnerability to cause a denial of service.
VAR-202011-1515 No CVE Tianqing security isolation and information exchange system background sh***.php interface has an arbitrary file read vulnerability CVSS V2: 2.1
CVSS V3: -
Severity: LOW
Tianqing Security Isolation and Information Exchange System is an access control switch device with network isolation technology independently developed by Venustech Information Technology Co., Ltd., which provides high-security isolation protection for key data. The backend sh***.php interface of the Tianqing Security Isolation and Information Exchange System has an arbitrary file read vulnerability. Attackers can use this vulnerability to read arbitrary files on the system.
VAR-202011-1516 No CVE Tianqing security isolation and information exchange system background pr***.php interface has an arbitrary file read vulnerability CVSS V2: 2.1
CVSS V3: -
Severity: LOW
Tianqing Security Isolation and Information Exchange System is an access control switch device with network isolation technology independently developed by Venustech Information Technology Co., Ltd., which provides high-security isolation protection for key data. The backend pr***.php interface of the Tianqing Security Isolation and Information Exchange System has an arbitrary file read vulnerability. Attackers can use this vulnerability to read arbitrary files on the system.
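The two Tianqing entries above are arbitrary file reads in backend PHP interfaces, the usual cause being a request-supplied file name joined onto a base directory. The block below is an added example, not the vendor's code and not PHP: it builds a constructed directory layout in a temporary folder and contrasts the naive join with a check that resolves the final path (symlinks included) and requires it to remain under the base directory. The `reports/a.txt`, `outside.txt` and `link.txt` names are part of the constructed fixture.

```python
import os
import tempfile
from pathlib import Path


def read_vulnerable(base_dir: str, requested: str) -> bytes:
    """Joins the request path onto the base directory and reads it; "../" and
    absolute paths walk straight out of the intended directory."""
    with open(os.path.join(base_dir, requested), "rb") as f:
        return f.read()


def resolve_inside(base_dir: str, requested: str):
    """Return the resolved target if it lies under base_dir, else None.
    resolve() follows symlinks, so a link inside base that points outside
    is rejected too; an absolute `requested` replaces base and is rejected."""
    base = Path(base_dir).resolve()
    target = (base / requested).resolve()
    if target != base and base not in target.parents:
        return None
    return target


def read_hardened(base_dir: str, requested: str) -> bytes:
    target = resolve_inside(base_dir, requested)
    if target is None:
        raise PermissionError(f"path escapes base directory: {requested!r}")
    return target.read_bytes()


def make_fixture():
    """Constructed layout: base/reports/a.txt, a secret outside base, and
    (where the platform allows it) base/link.txt -> the secret."""
    root = Path(tempfile.mkdtemp())
    base = root / "base"
    (base / "reports").mkdir(parents=True)
    (base / "reports" / "a.txt").write_bytes(b"report")
    secret = root / "outside.txt"
    secret.write_bytes(b"secret")
    link_ok = True
    try:
        os.symlink(secret, base / "link.txt")
    except OSError:
        link_ok = False  # symlinks unavailable; skip that case
    return str(base), link_ok


if __name__ == "__main__":
    base, link_ok = make_fixture()
    print(read_vulnerable(base, "../outside.txt"))        # b'secret'
    print(read_hardened(base, "reports/a.txt"))           # b'report'
    print(resolve_inside(base, "../outside.txt"))         # None
    if link_ok:
        print(resolve_inside(base, "link.txt"))           # None
```

Rejecting on the resolved path rather than on the presence of `..` in the string is what makes this hold up against encoded traversal sequences and symlinks; a check that only strips `../` from the input is bypassed by `....//` and similar.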
VAR-202011-1530 No CVE Rockchip has an out-of-bounds read vulnerability CVSS V2: 7.2
CVSS V3: -
Severity: HIGH
Rockchip Microelectronics Co., Ltd. has an R&D team specializing in system-level chip design and algorithm research, providing professional chip solutions for high-end smart hardware, mobile phone peripherals, tablet computers, TV set-top boxes, industrial control and other fields. Rockchip has an out-of-bounds read vulnerability. Attackers can use this vulnerability to execute arbitrary code.
VAR-202011-1535 No CVE Advantech WebAccess/SCADA has an arbitrary file deletion vulnerability (CNVD-2020-58465) CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Advantech WebAccess/SCADA is browser-based SCADA software. It has an arbitrary file deletion vulnerability that attackers can use to delete arbitrary files.
VAR-202011-1537 No CVE Advantech WebAccess/SCADA has an arbitrary file deletion vulnerability (CNVD-2020-58469) CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Advantech WebAccess/SCADA is browser-based SCADA software. It has an arbitrary file deletion vulnerability that attackers can use to delete arbitrary files.
VAR-202011-1538 No CVE Advantech WebAccess/SCADA has an arbitrary file deletion vulnerability (CNVD-2020-58462) CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Advantech WebAccess/SCADA is browser-based SCADA software. It has an arbitrary file deletion vulnerability that attackers can use to delete arbitrary files.