VARIoT IoT vulnerabilities database
| VAR-202102-1279 | CVE-2021-26563 | Synology DiskStation Manager Authentication Vulnerability in Microsoft |
CVSS V2: 4.6 CVSS V3: 6.7 Severity: MEDIUM |
Incorrect authorization vulnerability in synoagentregisterd in Synology DiskStation Manager (DSM) before 6.2.4-25553 allows local users to execute arbitrary code via unspecified vectors. Synology DiskStation Manager (DSM) Contains an improper authentication vulnerability.Information may be obtained. Pillow is a Python-based image processing library.
There is currently no information about this vulnerability, please feel free to follow CNNVD or manufacturer announcements. Synology DiskStation Manager (DSM) is an operating system for network storage servers (NAS) developed by Synology, Taiwan. The operating system can manage data, documents, photos, music and other information
| VAR-202102-1278 | CVE-2021-26562 | Synology DiskStation Manager Out-of-bounds Vulnerability in Microsoft |
CVSS V2: 6.8 CVSS V3: 8.1 Severity: HIGH |
Out-of-bounds write vulnerability in synoagentregisterd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows man-in-the-middle attackers to execute arbitrary code via syno_finder_site HTTP header. Synology DiskStation Manager (DSM) Is vulnerable to an out-of-bounds write.Information is obtained, information is tampered with, and service is disrupted (DoS) It may be put into a state. Pillow is a Python-based image processing library.
There is currently no information about this vulnerability, please feel free to follow CNNVD or manufacturer announcements. Synology DiskStation Manager (DSM) is an operating system for network storage servers (NAS) developed by Synology, Taiwan. The operating system can manage data, documents, photos, music and other information
| VAR-202102-1277 | CVE-2021-26561 | Synology DiskStation Manager Buffer Error Vulnerability |
CVSS V2: 6.8 CVSS V3: 8.1 Severity: HIGH |
Stack-based buffer overflow vulnerability in synoagentregisterd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows man-in-the-middle attackers to execute arbitrary code via syno_finder_site HTTP header. Synology DiskStation Manager (DSM) Is vulnerable to a buffer error.Information is obtained, information is tampered with, and service is disrupted (DoS) It may be put into a state. Pillow is a Python-based image processing library.
There is currently no information about this vulnerability, please feel free to follow CNNVD or manufacturer announcements. Synology DiskStation Manager (DSM) is an operating system for network storage servers (NAS) developed by Synology, Taiwan. The operating system can manage data, documents, photos, music and other information
| VAR-202102-1276 | CVE-2021-26560 | Synology DiskStation Manager Vulnerability in plaintext transmission of important information in |
CVSS V2: 5.8 CVSS V3: 7.4 Severity: HIGH |
Cleartext transmission of sensitive information vulnerability in synoagentregisterd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows man-in-the-middle attackers to spoof servers via an HTTP session. Pillow is a Python-based image processing library.
There is currently no information about this vulnerability, please feel free to follow CNNVD or manufacturer announcements. Synology DiskStation Manager (DSM) is an operating system for network storage servers (NAS) developed by Synology, Taiwan. The operating system can manage data, documents, photos, music and other information. There is a security vulnerability in Synology DiskStation Manager (DSM) before 6.2.3-25426-3
| VAR-202102-1231 | CVE-2021-26567 | faad2 Vulnerability in |
CVSS V2: 6.5 CVSS V3: 7.8 Severity: HIGH |
Stack-based buffer overflow vulnerability in frontend/main.c in faad2 before 2.2.7.1 allow local attackers to execute arbitrary code via filename and pathname options. faad2 Contains an unspecified vulnerability.Information is obtained, information is tampered with, and service is disrupted (DoS) It may be put into a state. Synology DiskStation Manager (DSM) is an operating system for network storage servers (NAS) developed by Synology, Taiwan. The operating system can manage data, documents, photos, music and other information
| VAR-202102-1230 | CVE-2021-26566 | Synology DiskStation Manager Information Disclosure Vulnerability |
CVSS V2: 6.8 CVSS V3: 9.0 Severity: CRITICAL |
Insertion of sensitive information into sent data vulnerability in synorelayd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows man-in-the-middle attackers to execute arbitrary commands via inbound QuickConnect traffic. Synology DiskStation Manager (DSM) Contains an information disclosure vulnerability.Information is obtained, information is tampered with, and service is disrupted (DoS) It may be put into a state. Pillow is a Python-based image processing library.
There is currently no information about this vulnerability, please feel free to follow CNNVD or manufacturer announcements. Synology DiskStation Manager (DSM) is an operating system for network storage servers (NAS) developed by Synology, Taiwan. The operating system can manage data, documents, photos, music and other information. There is a security vulnerability in Synology DiskStation Manager before 6.2.3-25426-3
| VAR-202102-1229 | CVE-2021-26565 | Synology DiskStation Manager Vulnerability in plaintext transmission of important information in |
CVSS V2: 4.3 CVSS V3: 5.9 Severity: MEDIUM |
Cleartext transmission of sensitive information vulnerability in synorelayd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows man-in-the-middle attackers to obtain sensitive information via an HTTP session. Pillow is a Python-based image processing library.
There is currently no information about this vulnerability, please feel free to follow CNNVD or manufacturer announcements. Synology DiskStation Manager (DSM) is an operating system for network storage servers (NAS) developed by Synology, Taiwan. The operating system can manage data, documents, photos, music and other information. There is a security vulnerability in Synology DiskStation Manager before 6.2.3-25426-3
| VAR-202102-1228 | CVE-2021-26564 | Synology DiskStation Manager Vulnerability in plaintext transmission of important information in |
CVSS V2: 5.8 CVSS V3: 8.7 Severity: HIGH |
Cleartext transmission of sensitive information vulnerability in synorelayd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows man-in-the-middle attackers to spoof servers via an HTTP session. Pillow is a Python-based image processing library.
There is currently no information about this vulnerability, please feel free to follow CNNVD or manufacturer announcements. Synology DiskStation Manager (DSM) is an operating system for network storage servers (NAS) developed by Synology, Taiwan. The operating system can manage data, documents, photos, music and other information. There is a security vulnerability in Synology DiskStation Manager before 6.2.3-25426-3. This vulnerability is caused by a vulnerability in the transmission of sensitive information in plaintext. Attackers can use this vulnerability to deceive the server through HTTP sessions
| VAR-202103-0945 | CVE-2021-27254 | NETGEAR R7800 Vulnerability in using hard-coded passwords in |
CVSS V2: 8.3 CVSS V3: 8.8 Severity: HIGH |
This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of NETGEAR R7800. Authentication is not required to exploit this vulnerability. The specific flaw exists within the apply_save.cgi endpoint. This issue results from the use of hard-coded encryption key. An attacker can leverage this vulnerability to execute arbitrary code in the context of root. Was ZDI-CAN-12287. Zero Day Initiative To this vulnerability ZDI-CAN-12287 Was numbered.Information is obtained, information is tampered with, and service is disrupted (DoS) It may be put into a state
| VAR-202103-0510 | CVE-2021-22638 | Fatek Automation FvDesigner FPJ File Parsing Out-Of-Bounds Read Remote Code Execution Vulnerability |
CVSS V2: 6.8 CVSS V3: 7.8 Severity: HIGH |
Fatek FvDesigner Version 1.5.76 and prior is vulnerable to an out-of-bounds read while processing project files, allowing an attacker to craft a special project file that may permit arbitrary code execution. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Fatek Automation FvDesigner. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists within the parsing of FPJ files. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated data structure. An attacker can leverage this vulnerability to execute code in the context of the current process. Fatek FvDesigner is a software tool for designing and developing FATEK FV HMI series product projects
| VAR-202103-0439 | CVE-2021-22683 | Fatek Automation FvDesigner FPJ File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability |
CVSS V2: 6.8 CVSS V3: 7.8 Severity: HIGH |
Fatek FvDesigner Version 1.5.76 and prior is vulnerable to an out-of-bounds write while processing project files, allowing an attacker to craft a special project file that may permit arbitrary code execution. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Fatek Automation FvDesigner. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists within the parsing of FPJ files. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Fatek FvDesigner is a software tool for designing and developing FATEK FV HMI series product projects
| VAR-202103-0434 | CVE-2021-22662 | Fatek Automation FvDesigner FPJ File Parsing Use-After-Free Remote Code Execution Vulnerability |
CVSS V2: 6.8 CVSS V3: 7.8 Severity: HIGH |
A use after free issue has been identified in Fatek FvDesigner Version 1.5.76 and prior in the way the application processes project files, allowing an attacker to craft a special project file that may permit arbitrary code execution. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Fatek Automation FvDesigner. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists within the parsing of FPJ files. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Fatek FvDesigner is a software tool for designing and developing FATEK FV HMI series product projects.
The way Fatek FvDesigner 1.5.76 and earlier versions handle project files has a reuse vulnerability after release
| VAR-202103-0437 | CVE-2021-22670 | Fatek Automation FvDesigner FPJ File Parsing Uninitialized Pointer Remote Code Execution Vulnerability |
CVSS V2: 6.8 CVSS V3: 7.8 Severity: HIGH |
An uninitialized pointer may be exploited in Fatek FvDesigner Version 1.5.76 and prior while the application is processing project files, allowing an attacker to craft a special project file that may permit arbitrary code execution. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Fatek Automation FvDesigner. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists within the parsing of FPJ files. The issue results from the lack of proper initialization of a pointer prior to accessing it. An attacker can leverage this vulnerability to execute code in the context of the current process. Fatek FvDesigner is a software tool for designing and developing FATEK FV HMI series product projects
| VAR-202103-0436 | CVE-2021-22666 | Fatek Automation FvDesigner FPJ File Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability |
CVSS V2: 6.8 CVSS V3: 7.8 Severity: HIGH |
Fatek FvDesigner Version 1.5.76 and prior is vulnerable to a stack-based buffer overflow while project files are being processed, allowing an attacker to craft a special project file that may permit arbitrary code execution. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Fatek Automation FvDesigner. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists within the parsing of FPJ files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Fatek FvDesigner is a software tool for designing and developing FATEK FV HMI series product projects
| VAR-202102-1601 | No CVE | China Mobile Internet of Things Co., Ltd. CMCC R3S-3 has a command execution vulnerability (CNVD-2021-05104) |
CVSS V2: 6.5 CVSS V3: - Severity: MEDIUM |
CMCC R3S-3 is a router.
China Mobile Internet of Things Co., Ltd. CMCC R3S-3 has a command execution vulnerability. Attackers can use the vulnerability to perform remote code execution as root on the device.
| VAR-202102-1602 | No CVE | China Mobile Internet of Things Co., Ltd. CMCC R3S-3 has a command execution vulnerability (CNVD-2021-05105) |
CVSS V2: 6.5 CVSS V3: - Severity: MEDIUM |
CMCC R3S-3 is a router.
China Mobile Internet of Things Co., Ltd. CMCC R3S-3 has a command execution vulnerability. Attackers can use the vulnerability to perform remote code execution as root on the device.
| VAR-202102-1603 | No CVE | China Mobile Internet of Things Co., Ltd. CMCC R3S-3 has a command execution vulnerability (CNVD-2021-05107) |
CVSS V2: 6.5 CVSS V3: - Severity: MEDIUM |
CMCC R3S-3 is a router.
China Mobile Internet of Things Co., Ltd. CMCC R3S-3 has a command execution vulnerability. Attackers can use the vulnerability to perform remote code execution as root on the device.
| VAR-202102-1604 | No CVE | China Mobile Internet of Things Co., Ltd. CMCC R3S-3 has logic flaws and vulnerabilities |
CVSS V2: 3.3 CVSS V3: - Severity: LOW |
CMCC R3S-3 is a router.
China Mobile Internet of Things Co., Ltd. CMCC R3S-3 has logic flaws and vulnerabilities. An attacker can use the vulnerability to remotely modify the password of the management terminal.
| VAR-202102-1605 | No CVE | China Mobile Internet of Things Co., Ltd. CMCC R3S-3 has an unauthorized access vulnerability |
CVSS V2: 5.8 CVSS V3: - Severity: MEDIUM |
CMCC R3S-3 is a router.
China Mobile Internet of Things Co., Ltd. CMCC R3S-3 has an unauthorized access vulnerability. An attacker can use the vulnerability to remotely open telnet and obtain the telnet password.
| VAR-202102-1571 | No CVE | Ruijie Networks Co., Ltd. has a weak password vulnerability in the login area of network equipment |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Ruijie Networks Co., Ltd. is a professional network manufacturer with a full range of network equipment product lines and solutions including switches, routers, software, security firewalls, wireless products, and storage.
A weak password vulnerability exists in the login area of Ruijie Networks Co., Ltd. network equipment. Attackers can use this vulnerability to log in to the system and obtain sensitive information.