VARIoT IoT vulnerabilities database
| VAR-202008-0329 | CVE-2020-15687 | ACRN Project Vulnerability in |
CVSS V2: 5.0 CVSS V3: 7.5 Severity: HIGH |
Missing access control restrictions in the Hypervisor component of the ACRN Project (v2.0 and v1.6.1) allow a malicious entity, with root access in the Service VM userspace, to abuse the PCIe assign/de-assign Hypercalls via crafted ioctls and payloads. This attack results in a corrupt state and Denial of Service (DoS) for previously assigned PCIe devices to the Service VM at runtime. The ACRN Project contains an unspecified vulnerability. A denial-of-service (DoS) condition may result. ACRN is an open source virtual machine monitor for the Internet of Things.
A security vulnerability exists in the Hypervisor component of the ACRN project.
| VAR-202008-1032 | CVE-2020-7523 | Privilege management vulnerability in Schneider Electric Modbus Serial Driver |
CVSS V2: 4.4 CVSS V3: 7.8 Severity: HIGH |
Improper Privilege Management vulnerability exists in Schneider Electric Modbus Serial Driver (see security notification for versions) which could cause local privilege escalation when the Modbus Serial Driver service is invoked. The driver does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor. A denial-of-service (DoS) condition may result. Schneider Electric Modbus Serial Driver is a serial driver from the French company Schneider Electric.
| VAR-202008-0041 | CVE-2020-13594 | ESP-IDF input validation vulnerability |
CVSS V2: 3.3 CVSS V3: 6.5 Severity: MEDIUM |
The Bluetooth Low Energy (BLE) controller implementation in Espressif ESP-IDF 4.2 and earlier (for ESP32 devices) does not properly restrict the channel map field of the connection request packet on reception, allowing attackers in radio range to cause a denial of service (crash) via a crafted packet. ESP-IDF contains an input validation vulnerability. A denial-of-service (DoS) condition may result. Espressif ESP-IDF is an Internet of Things development framework from the Chinese company Espressif.
Espressif ESP-IDF 4.2 and earlier versions have security vulnerabilities. Attackers can use specially crafted data packets to cause a denial of service.
| VAR-202008-1324 | No CVE | ABB industrial robot teach pendant has encryption algorithm vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
ABB (China) Co., Ltd. is committed to providing solutions for customers in the industrial, energy, power, transportation and construction industries.
The ABB industrial robot teach pendant has an encryption algorithm vulnerability. Attackers can use the vulnerability to crack the user password of ABB industrial robots.
| VAR-202008-1326 | No CVE | 1GE+WIFI router has command execution vulnerability |
CVSS V2: 7.1 CVSS V3: - Severity: HIGH |
DIGISOL provides a complete integrated communication system solution.
The 1GE+WIFI router has a command execution vulnerability. Attackers can log in to the management backend with a weak password and execute commands remotely.
| VAR-202008-1270 | No CVE | Advantech WebAccess/SCADA has an information disclosure vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Advantech WebAccess/SCADA is a set of SCADA software based on browser architecture.
Advantech WebAccess/SCADA has an information disclosure vulnerability. Attackers can use the vulnerability to obtain remote connection passwords, backend administrator passwords, and other sensitive information.
| VAR-202008-1272 | No CVE | Advantech WebAccess/SCADA has command execution vulnerability (CNVD-2020-48616) |
CVSS V2: 7.2 CVSS V3: - Severity: HIGH |
Advantech WebAccess/SCADA is a set of SCADA software based on browser architecture.
Advantech WebAccess/SCADA has a command execution vulnerability. Attackers can use the vulnerability to execute console commands.
| VAR-202008-1295 | No CVE | Advantech WebAccess/SCADA has an information disclosure vulnerability (CNVD-2020-48622) |
CVSS V2: 2.1 CVSS V3: - Severity: LOW |
Advantech WebAccess/SCADA is a set of SCADA software based on browser architecture.
Advantech WebAccess/SCADA has an information disclosure vulnerability. Attackers can use the vulnerability to obtain remote connection passwords, backend administrator passwords, and other sensitive information.
| VAR-202008-1296 | No CVE | Advantech WebAccess/SCADA has logic flaw vulnerability (CNVD-2020-48617) |
CVSS V2: 7.2 CVSS V3: - Severity: HIGH |
Advantech WebAccess/SCADA is a set of SCADA software based on browser architecture.
Advantech WebAccess/SCADA has logic flaws. Attackers can use the vulnerability to access and modify the registry of the user's system, and can execute arbitrary commands on the user's system.
| VAR-202008-1297 | No CVE | Advantech WebAccess/SCADA has command execution vulnerability (CNVD-2020-48618) |
CVSS V2: 7.2 CVSS V3: - Severity: HIGH |
Advantech WebAccess/SCADA is a set of SCADA software based on browser architecture.
Advantech WebAccess/SCADA has a command execution vulnerability. Attackers can use the vulnerability to execute console commands.
| VAR-202008-1298 | No CVE | Advantech WebAccess/SCADA has command execution vulnerability (CNVD-2020-48619) |
CVSS V2: 7.2 CVSS V3: - Severity: HIGH |
Advantech WebAccess/SCADA is a set of SCADA software based on browser architecture.
Advantech WebAccess/SCADA has a command execution vulnerability. Attackers can use the vulnerability to execute console commands.
| VAR-202008-1299 | No CVE | Advantech WebAccess/SCADA has logic flaw vulnerability |
CVSS V2: 7.2 CVSS V3: - Severity: HIGH |
Advantech WebAccess/SCADA is a set of SCADA software based on browser architecture.
Advantech WebAccess/SCADA has logic flaws. Attackers can use the vulnerability to access and modify the registry of the user's system, and can execute arbitrary commands on the user's system.
| VAR-202008-1300 | No CVE | Advantech WebAccess/SCADA has command execution vulnerability (CNVD-2020-48621) |
CVSS V2: 7.2 CVSS V3: - Severity: HIGH |
Advantech WebAccess/SCADA is a set of SCADA software based on browser architecture.
Advantech WebAccess/SCADA has a command execution vulnerability. Attackers can use the vulnerability to execute console commands.
| VAR-202008-1301 | No CVE | Advantech WebAccess/SCADA has an arbitrary file deletion vulnerability (CNVD-2020-48623) |
CVSS V2: 2.1 CVSS V3: - Severity: LOW |
Advantech WebAccess/SCADA is a set of SCADA software based on browser architecture.
Advantech WebAccess/SCADA has an arbitrary file deletion vulnerability. Attackers can use the vulnerability to delete arbitrary files.
| VAR-202008-1302 | No CVE | Advantech WebAccess/SCADA has an arbitrary file deletion vulnerability (CNVD-2020-48624) |
CVSS V2: 2.1 CVSS V3: - Severity: LOW |
Advantech WebAccess/SCADA is a set of SCADA software based on browser architecture.
Advantech WebAccess/SCADA has an arbitrary file deletion vulnerability. Attackers can use the vulnerability to delete arbitrary files.
| VAR-202008-0997 | CVE-2020-5621 | Cross-site request forgery vulnerability in multiple NETGEAR switching hubs |
CVSS V2: 4.3 CVSS V3: 4.3 Severity: MEDIUM |
Cross-site request forgery (CSRF) vulnerability in NETGEAR switching hubs (GS716Tv2 Firmware version 5.4.2.30 and earlier, and GS724Tv3 Firmware version 5.4.2.30 and earlier) allows remote attackers to hijack the authentication of administrators and alter the settings of the device via unspecified vectors. The GS716Tv2 and GS724Tv3 switching hubs provided by NETGEAR contain a cross-site request forgery vulnerability (CWE-352). This vulnerability was reported to IPA under the Information Security Early Warning Partnership, and JPCERT/CC coordinated with the developer. Reporter: Mr. Reii Yano. If a user who is logged in to the management screen of the product accesses a specially crafted page, the settings of the product may be changed unintentionally.
| VAR-202008-0561 | CVE-2020-24703 | Vulnerabilities in multiple WSO2 products |
CVSS V2: 6.8 CVSS V3: 8.8 Severity: HIGH |
An issue was discovered in certain WSO2 products. A valid Carbon Management Console session cookie may be sent to an attacker-controlled server if the victim submits a crafted Try It request, aka Session Hijacking. This affects API Manager 2.2.0, API Manager Analytics 2.2.0, API Microgateway 2.2.0, Data Analytics Server 3.2.0, Enterprise Integrator through 6.6.0, IS as Key Manager 5.5.0, Identity Server 5.5.0 and 5.8.0, Identity Server Analytics 5.5.0, and IoT Server 3.3.0 and 3.3.1. Multiple WSO2 products contain unspecified vulnerabilities. Information may be obtained or tampered with, and a denial-of-service (DoS) condition may result. The security vulnerability in WSO2 products originates from the ability of the Carbon management console to send cookie information to attackers.
| VAR-202008-0562 | CVE-2020-24704 | Cross-site scripting vulnerabilities in multiple WSO2 products |
CVSS V2: 4.3 CVSS V3: 6.1 Severity: MEDIUM |
An issue was discovered in certain WSO2 products. The Try It tool allows Reflected XSS. This affects API Manager 2.2.0, API Manager Analytics 2.2.0, API Microgateway 2.2.0, Data Analytics Server 3.2.0, Enterprise Integrator through 6.6.0, IS as Key Manager 5.5.0, Identity Server 5.5.0 and 5.8.0, Identity Server Analytics 5.5.0, and IoT Server 3.3.0 and 3.3.1. Multiple WSO2 products contain a cross-site scripting vulnerability. Information may be obtained and information may be tampered with. The cross-site scripting vulnerability in WSO2 products is caused by the lack of correct verification of client data in web applications. An attacker can use this vulnerability to execute client code.
| VAR-202008-1316 | No CVE | Unauthorized access vulnerability exists in Feiyuxing home smart router (CNVD-2020-47679) |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Chengdu Feiyuxing Technology Co., Ltd. is a company dedicated to providing intelligent and easy-to-use network communication products and services, continuously improving the quality of network use through innovative technologies, and cooperating with users to create an intelligent and humanized network management platform.
Feiyuxing home smart router has an unauthorized access vulnerability, which can be exploited by attackers to obtain sensitive information.
| VAR-202008-1282 | No CVE | Schneider Electric Modicon M580 has an information disclosure vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Modicon M580 is a programmable logic controller introduced by Schneider Electric.
Schneider Electric Modicon M580 has an information disclosure vulnerability. Attackers can use the vulnerability to obtain arbitrary memory data.