VARIoT IoT vulnerabilities database
| VAR-202012-1594 | No CVE | A remote stack overflow vulnerability exists in the monitoring configuration software of Zijin Bridge (CNVD-2020-59818) |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Zijinqiao monitoring configuration software is a professional Zijinqiao monitoring configuration software, adopts C/S architecture, has database processing technology and graphics system.
A remote stack overflow vulnerability exists in the monitoring configuration software of Zijin Bridge. Attackers can use vulnerabilities to cause web services to crash.
| VAR-202012-1597 | No CVE | Haiwell cloud configuration software Cloud SCADA has DLL hijacking vulnerability |
CVSS V2: 7.2 CVSS V3: - Severity: HIGH |
Haiwell Cloud Configuration Software Cloud SCADA is an industrial automation monitoring and management platform software based on .NET Framework developed by Xiamen Haiwell Technology Co., Ltd.
Haiwell's cloud configuration software Cloud SCADA has a DLL hijacking vulnerability. Attackers can use this vulnerability to load malicious dlls and execute malicious codes.
| VAR-202012-1607 | No CVE | An information disclosure vulnerability exists in the monitoring configuration software of Zijinqiao (CNVD-2020-59819) |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Zijinqiao monitoring configuration software is a professional Zijinqiao monitoring configuration software, adopts C/S architecture, has database processing technology and graphics system.
An information disclosure vulnerability exists in the monitoring configuration software of Zijinqiao. Attackers can use vulnerabilities to obtain sensitive information.
| VAR-202012-1608 | No CVE | A denial of service vulnerability exists in the monitoring configuration software of Zijinqiao |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Zijinqiao monitoring configuration software is a professional Zijinqiao monitoring configuration software, adopts C/S architecture, has database processing technology and graphics system.
The Zijinqiao monitoring configuration software has a denial of service vulnerability. Attackers can use the vulnerability to cause the program to crash due to a null pointer reference during the running process.
| VAR-202012-1609 | No CVE | A remote stack overflow vulnerability exists in the monitoring configuration software of Zijinqiao |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Zijinqiao monitoring configuration software is a professional Zijinqiao monitoring configuration software, adopts C/S architecture, has database processing technology and graphics system.
A remote stack overflow vulnerability exists in the monitoring configuration software of Zijin Bridge. Attackers can use the vulnerability to cause the service to crash.
| VAR-202012-1531 | CVE-2020-6021 | Windows for Check Point Endpoint Security Client Vulnerability in Uncontrolled Search Path Elements |
CVSS V2: 4.4 CVSS V3: 7.8 Severity: HIGH |
Check Point Endpoint Security Client for Windows before version E84.20 allows write access to the directory from which the installation repair takes place. Since the MS Installer allows regular users to run the repair, an attacker can initiate the installation repair and place a specially crafted DLL in the repair folder which will run with the Endpoint client’s privileges. There is no relevant information about this vulnerability at present. Please pay attention to CNNVD or manufacturer announcements at any time
| VAR-202012-1439 | CVE-2020-6880 | ZXELINK wireless controller ZXV10 W908 In SQL Injection vulnerability |
CVSS V2: 7.5 CVSS V3: 9.8 Severity: CRITICAL |
A ZXELINK wireless controller has a SQL injection vulnerability. A remote attacker does not need to log in. By sending malicious SQL statements, because the device does not properly filter parameters, successful use can obtain management rights. This affects: ZXV10 W908 all versions before MIPS_A_1022IPV6R3T6P7Y20. The vulnerability stems from the device's failure to filter parameters correctly
| VAR-202012-0387 | CVE-2020-26762 | Edimax IP-Camera IC-3116W and IC-3140W Out-of-bounds Vulnerability in Microsoft |
CVSS V2: 7.5 CVSS V3: 9.8 Severity: CRITICAL |
A stack-based buffer-overflow exists in Edimax IP-Camera IC-3116W (v3.06) and IC-3140W (v3.07), which allows an unauthenticated, unauthorized attacker to perform remote-code-execution due to a crafted GET-Request. The overflow occurs in binary ipcam_cgi due to a missing type check in function doGetSysteminfo(). This has been fixed in version: IC-3116W v3.08. Edimax IP-Camera IC-3116W and IC-3140W Is vulnerable to an out-of-bounds write.Information is obtained, information is tampered with, and service is disrupted (DoS) It may be put into a state
| VAR-202012-0062 | CVE-2020-14260 | HCL Domino Buffer Overflow Vulnerability in Linux |
CVSS V2: 10.0 CVSS V3: 9.8 Severity: CRITICAL |
HCL Domino is susceptible to a Buffer Overflow vulnerability in DXL due to improper validation of user input. A successful exploit could enable an attacker to crash Domino or execute attacker-controlled code on the server system. HCL Domino Contains a classic buffer overflow vulnerability.Information is obtained, information is tampered with, and service is disrupted (DoS) It may be put into a state
| VAR-202103-0172 | CVE-2020-15937 | FortiGate Cross-site Scripting Vulnerability |
CVSS V2: 4.3 CVSS V3: 6.1 Severity: MEDIUM |
An improper neutralization of input vulnerability in FortiGate version 6.2.x below 6.2.5 and 6.4.x below 6.4.1 may allow a remote attacker to perform a stored cross site scripting attack (XSS) via the IPS and WAF logs dashboard. FortiGate Contains a cross-site scripting vulnerability.Information may be obtained and information may be tampered with. Fortinet FortiGate is a network security platform developed by Fortinet. The platform provides functions such as firewall, antivirus and intrusion prevention (IPS), application control, antispam, wireless controller and WAN acceleration. FortiGate has a cross-site scripting vulnerability, which can be exploited by an attacker to trigger cross-site scripting through FortiGate's log reporting section to run JavaScript code in the context of a web site
| VAR-202012-1499 | CVE-2020-8539 | Kia Motors Head Unit Inappropriate Default Permission Vulnerability |
CVSS V2: 4.6 CVSS V3: 7.8 Severity: HIGH |
Kia Motors Head Unit with Software version: SOP.003.30.18.0703, SOP.005.7.181019, and SOP.007.1.191209 may allow an attacker to inject unauthorized commands, by executing the micomd executable deamon, to trigger unintended functionalities. In addition, this executable may be used by an attacker to inject commands to generate CAN frames that are sent into the M-CAN bus (Multimedia CAN bus) of the vehicle. Kia Motors Head Unit Is vulnerable to incorrect default permissions.Information is obtained, information is tampered with, and service is disrupted (DoS) It may be put into a state
| VAR-202011-1597 | No CVE | Linksys RE6500 unauthorized RCE vulnerability |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
RE6500 is a table/wall-mounted WiFi signal extender launched by Linksys, which specializes in network products.
Linksys RE6500 unauthorized RCE vulnerability, an attacker can use the vulnerability to gain control of the server.
| VAR-202011-1594 | No CVE | Jike software medical equipment third-party logistics collaboration platform has a universal password login vulnerability |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Jiangsu Jike Software Co., Ltd. was established on March 6, 2007. The company's business scope includes: software design, research and development, sales, logistics information service platform services; technical services and technical consultations in the field of Internet of Things; mechanical and electrical equipment sales, etc.
Jike software medical equipment third-party logistics collaboration platform has a universal password login vulnerability, which can be used by attackers to obtain sensitive information in the database.
| VAR-202011-1595 | No CVE | Jike software medical equipment third-party logistics collaboration platform has SQL injection vulnerabilities |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Jiangsu Jike Software Co., Ltd. was established on March 6, 2007. The company's business scope includes: software design, research and development, sales, logistics information service platform services; technical services and technical consultations in the field of Internet of Things; mechanical and electrical equipment sales, etc.
There is a SQL injection vulnerability in the third-party logistics collaboration platform of Jike Software Medical Equipment, which can be used by attackers to obtain sensitive database information.
| VAR-202011-1527 | No CVE | A SQL injection vulnerability exists in the management platform of the public security bureau’s Internet service business premises (CNVD-2020-60078) |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Harbin Zhonglong Baiying Technology Development Co., Ltd. was established on May 29, 2013, mainly engaged in computer software and hardware, office automation equipment, security equipment, etc.
The public security bureau's online service business site management platform has a SQL injection vulnerability, which can be exploited by attackers to obtain sensitive database information.
| VAR-202011-1528 | No CVE | An SQL injection vulnerability exists in the management platform of the Public Security Bureau’s Internet service business premises |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Harbin Zhonglong Baiying Technology Development Co., Ltd. was established on May 29, 2013, mainly engaged in computer software and hardware, office automation equipment, security equipment, etc.
The public security bureau's online service business site management platform has a SQL injection vulnerability, which can be exploited by attackers to obtain sensitive database information.
| VAR-202011-1529 | No CVE | A SQL injection vulnerability exists in the management platform of the public security bureau’s online service business premises (CNVD-2020-60076) |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Harbin Zhonglong Baiying Technology Development Co., Ltd. was established on May 29, 2013, mainly engaged in computer software and hardware, office automation equipment, security equipment, etc.
The public security bureau's online service business site management platform has a SQL injection vulnerability, which can be exploited by attackers to obtain sensitive database information.
| VAR-202011-1531 | No CVE | A SQL injection vulnerability exists in the management platform of the public security bureau’s Internet service business premises (CNVD-2020-60077) |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Harbin Zhonglong Baiying Technology Development Co., Ltd. was established on May 29, 2013, mainly engaged in computer software and hardware, office automation equipment, security equipment, etc.
The public security bureau's online service business site management platform has a SQL injection vulnerability, which can be exploited by attackers to obtain sensitive database information.
| VAR-202012-1273 | CVE-2020-4129 | HCL Domino Vulnerability in |
CVSS V2: 5.0 CVSS V3: 5.3 Severity: MEDIUM |
HCL Domino is susceptible to a lockout policy bypass vulnerability in the LDAP service. An unauthenticated attacker could use this vulnerability to mount a brute force attack against the LDAP service. Fixes are available in HCL Domino versions 9.0.1 FP10 IF6, 10.0.1 FP6 and 11.0.1 FP1 and later
| VAR-202011-1215 | CVE-2020-4127 | HCL Domino Cross Site Request Forgery Vulnerability |
CVSS V2: 4.3 CVSS V3: 6.5 Severity: MEDIUM |
HCL Domino is susceptible to a Login CSRF vulnerability. With a valid credential, an attacker could trick a user into accessing a system under another ID or use an intranet user's system to access internal systems from the internet. Fixes are available in HCL Domino versions 9.0.1 FP10 IF6, 10.0.1 FP6 and 11.0.1 FP1 and later. HCL Domino Contains a cross-site request forgery vulnerability.Information may be obtained