VARIoT IoT vulnerabilities database

A vulnerability in the web-based user interface (web UI) of Cisco IOS XE Software could allow an unauthenticated, adjacent attacker to bypass access control restrictions on an affected device. The vulnerability is due to the presence of a proxy service at a specific endpoint of the web UI. An attacker could exploit this vulnerability by connecting to the proxy service. An exploit could allow the attacker to bypass access restrictions on the network by proxying their access request through the management network of the affected device. As the proxy is reached over the management virtual routing and forwarding (VRF), this could reduce the effectiveness of the bypass. Cisco IOS XE The software contains a vulnerability in privilege management.Information may be tampered with

A vulnerability in the web-based user interface (web UI) of Cisco IOS XE Software could allow an authenticated, remote attacker with administrative privileges to read arbitrary files on the underlying filesystem of the device. The vulnerability is due to insufficient file scope limiting. An attacker could exploit this vulnerability by creating a specific file reference on the filesystem and then accessing it through the web UI. An exploit could allow the attacker to read arbitrary files from the underlying operating system's filesystem. Cisco IOS XE The software contains a link interpretation vulnerability.Information may be obtained

A vulnerability in the web-based user interface (web UI) of Cisco IOS XE Software could allow an authenticated, remote attacker with read-only privileges to inject IOS commands to an affected device. The injected commands should require a higher privilege level in order to be executed. The vulnerability is due to insufficient input validation of specific HTTP requests. An attacker could exploit this vulnerability by sending crafted HTTP requests to a specific web UI endpoint on an affected device. A successful exploit could allow the attacker to inject IOS commands to the affected device, which could allow the attacker to alter the configuration of the device or cause a denial of service (DoS) condition. (DoS) It may be put into a state. Cisco IOS XE is an operating system developed by Cisco for its network equipment

A vulnerability in the authorization controls for the Cisco IOx application hosting infrastructure in Cisco IOS XE Software could allow an unauthenticated, remote attacker to execute Cisco IOx API commands without proper authorization. The vulnerability is due to incorrect handling of requests for authorization tokens. An attacker could exploit this vulnerability by using a crafted API call to request such a token. An exploit could allow the attacker to obtain an authorization token and execute any of the IOx API commands on an affected device. Cisco IOS XE The software contains vulnerabilities related to unauthorized authentication.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be put into a state. Cisco IOS XE is an operating system developed by Cisco for its network equipment

A vulnerability in Role Based Access Control (RBAC) functionality of Cisco IOS XE Web Management Software could allow a Read-Only authenticated, remote attacker to execute commands or configuration changes as an Admin user. The vulnerability is due to incorrect handling of RBAC for the administration GUI. An attacker could exploit this vulnerability by sending a modified HTTP request to the affected device. An exploit could allow the attacker as a Read-Only user to execute CLI commands or configuration changes as if they were an Admin user. Cisco IOS XE Exists in a fraudulent authentication vulnerability.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. Cisco IOS XE is an operating system developed by Cisco for its network equipment

A vulnerability in the web-based Local Manager interface of the Cisco IOx Application Framework could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the web-based Local Manager interface of an affected device. The attacker must have valid Local Manager credentials. The vulnerability is due to insufficient validation of user-supplied input by the web-based Local Manager interface of the affected software. An attacker could exploit this vulnerability by injecting malicious code into a system settings tab. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected web interface or allow the attacker to access sensitive browser-based information. Cisco IOx A cross-site scripting vulnerability exists in the application framework.Information may be obtained and tampered with. Cisco Iox is a secure development environment of the US Cisco (Cisco) that combines Cisco IOS and Linux OS for secure network connection and development of IOT applications. The vulnerability is caused by incorrectly verifying the input provided by the user

A vulnerability in the Cisco Application Framework component of the Cisco IOx application environment could allow an authenticated, local attacker to overwrite arbitrary files in the virtual instance that is running on the affected device. The vulnerability is due to insufficient path restriction enforcement. An attacker could exploit this vulnerability by including a crafted file in an application package. An exploit could allow the attacker to overwrite files. Cisco IOx The application contains a link interpretation vulnerability.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be put into a state. Cisco Iox is a secure development environment of the US Cisco (Cisco) that combines Cisco IOS and Linux OS for secure network connection and development of IOT applications

A vulnerability in the web-based management interface of Cisco Prime Infrastructure could allow an authenticated, remote attacker to conduct SQL injection attacks on an affected system. The vulnerability is due to improper validation of user-submitted parameters. An attacker could exploit this vulnerability by authenticating to the application and sending malicious requests to an affected system. A successful exploit could allow the attacker to obtain and modify sensitive information that is stored in the underlying database. Cisco Prime Infrastructure Software is a set of basic network life cycle management solutions of Cisco (Cisco). The product integrates Cisco Prime LAN Management Solution (LMS) and Cisco Prime Network Control System (NCS)

A vulnerability in the syslog processing engine of Cisco Identity Services Engine (ISE) could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. The vulnerability is due to a race condition that may occur when syslog messages are processed. An attacker could exploit this vulnerability by sending a high rate of syslog messages to an affected device. A successful exploit could allow the attacker to cause the Application Server process to crash, resulting in a DoS condition. The platform monitors the network by collecting real-time information on the network, users and devices, and formulating and implementing corresponding policies

A vulnerability in the Secure Shell (SSH) server code of Cisco IOS Software and Cisco IOS XE Software could allow an authenticated, remote attacker to cause an affected device to reload. The vulnerability is due to an internal state not being represented correctly in the SSH state machine, which leads to an unexpected behavior. An attacker could exploit this vulnerability by creating an SSH connection to an affected device and using a specific traffic pattern that causes an error condition within that connection. A successful exploit could allow an attacker to cause the device to reload, resulting in a denial of service (DoS) condition. Cisco IOS and IOS XE An interpretation conflict vulnerability exists in the software.Service operation interruption (DoS) It may be in a state

A vulnerability in the Tool Command Language (Tcl) interpreter of Cisco IOS Software and Cisco IOS XE Software could allow an authenticated, local attacker with privileged EXEC credentials to cause a denial of service (DoS) condition on an affected system. The vulnerability is due to insufficient input validation of data passed to the Tcl interpreter. An attacker could exploit this vulnerability by executing crafted Tcl arguments on an affected device. An exploit could allow the attacker to cause the affected device to reload, resulting in a DoS condition

A vulnerability in the Simple Network Management Protocol (SNMP) implementation in Cisco ASR 920 Series Aggregation Services Router model ASR920-12SZ-IM could allow an authenticated, remote attacker to cause the device to reload. The vulnerability is due to incorrect handling of data that is returned for Cisco Discovery Protocol queries to SNMP. An attacker could exploit this vulnerability by sending a request for Cisco Discovery Protocol information by using SNMP. An exploit could allow the attacker to cause the affected device to reload, resulting in a denial of service (DoS) condition

D-Link DIR-865L Ax Beta A cross-site request forgery vulnerability exists in the device.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be put into a state. D-Link DIR-865L is a wireless router from D-Link, Taiwan. A remote attacker can use the malformed HTTP request to exploit the vulnerability to perform illegal operations

Huawei Smartphones HONOR 20 PRO;Honor View 20;HONOR 20 have an improper handling of exceptional condition Vulnerability. A component cannot deal with an exception correctly. Attackers can exploit this vulnerability by sending malformed message. This could compromise normal service of affected phones. are all smartphones of the Chinese company Huawei. The vulnerability stems from the failure of the phone to properly handle exceptions

A vulnerability in the virtual console authentication of Cisco IOS Software for Cisco 809 and 829 Industrial Integrated Services Routers (Industrial ISRs) and Cisco 1000 Series Connected Grid Routers (CGR1000) could allow an authenticated but low-privileged, local attacker to log in to the Virtual Device Server (VDS) of an affected device by using a set of default credentials. The vulnerability is due to the presence of weak, hard-coded credentials. An attacker could exploit this vulnerability by authenticating to the targeted device and then connecting to VDS through the device’s virtual console by using the static credentials. A successful exploit could allow the attacker to access the Linux shell of VDS as the root user. Cisco IOS The software contains a vulnerability in the use of hard-coded credentials.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be put into a state. Cisco 1000 Series Connected Grid Routers (CGR1000) is a 1000 series Internet Grid Router from Cisco

Multiple vulnerabilities in the Cisco IOx application environment of Cisco 809 and 829 Industrial Integrated Services Routers (Industrial ISRs) and Cisco 1000 Series Connected Grid Routers (CGR1000) that are running Cisco IOS Software could allow an attacker to cause a denial of service (DoS) condition or execute arbitrary code with elevated privileges on an affected device. For more information about these vulnerabilities, see the Details section of this advisory. Cisco IOS The software contains an input verification vulnerability.Information is tampered with and service operation is interrupted (DoS) It may be put into a state. are all products of the United States Cisco (Cisco) company. Cisco 1000 Series Connected Grid Routers is a 1000 series Internet grid router. Cisco IOS Software is a set of software developed for its network equipment running on it. An attacker can use this vulnerability to execute arbitrary code with higher authority

D-Link DIR-865L Ax 1.20B01 Beta devices allow Command Injection. D-Link DIR-865L On the device OS A command injection vulnerability exists.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be put into a state. D-Link DIR-865L is a wireless router from D-Link, Taiwan. An attacker can use the vulnerability to execute arbitrary shell commands by sending a specially crafted request

A vulnerability in the CLI parsers of Cisco IOS Software for Cisco 809 and 829 Industrial Integrated Services Routers (Industrial ISRs) and Cisco 1000 Series Connected Grid Routers (CGR1000) could allow an authenticated, local attacker to execute arbitrary shell commands on the Virtual Device Server (VDS) of an affected device. The attacker must have valid user credentials at privilege level 15. The vulnerability is due to insufficient validation of arguments that are passed to specific VDS-related CLI commands. An attacker could exploit this vulnerability by authenticating to the targeted device and including malicious input as the argument of an affected command. A successful exploit could allow the attacker to execute arbitrary commands in the context of the Linux shell of VDS with the privileges of the root user. Cisco IOS The software OS A command injection vulnerability exists.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be put into a state. Cisco IOS is a set of operating systems developed by Cisco in the United States for its network equipment

A vulnerability in the implementation of the inter-VM channel of Cisco IOS Software for Cisco 809 and 829 Industrial Integrated Services Routers (Industrial ISRs) and Cisco 1000 Series Connected Grid Routers (CGR1000) could allow an unauthenticated, adjacent attacker to execute arbitrary shell commands on the Virtual Device Server (VDS) of an affected device. The vulnerability is due to insufficient validation of signaling packets that are destined to VDS. An attacker could exploit this vulnerability by sending malicious packets to an affected device. A successful exploit could allow the attacker to execute arbitrary commands in the context of the Linux shell of VDS with the privileges of the root user. Because the device is designed on a hypervisor architecture, exploitation of a vulnerability that affects the inter-VM channel may lead to a complete system compromise. For more information about this vulnerability, see the Details section of this advisory. Cisco IOS The software contains an input verification vulnerability.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be put into a state. Cisco 809 Industrial Integrated Services Routers, etc. are all products of the United States Cisco (Cisco) company. Cisco 1000 Series Connected Grid Routers is a 1000 series Internet grid router. Cisco IOS Software is a set of software developed for its network equipment running on it. Cisco 809 Industrial ISRs, 829 Industrial ISRs, and IOS Software's inter-VM channel in CGR1000 have input verification error vulnerabilities

Multiple vulnerabilities in Cisco IOS Software for Cisco 809 and 829 Industrial Integrated Services Routers (Industrial ISRs) and Cisco 1000 Series Connected Grid Routers (CGR1000) could allow an unauthenticated, remote attacker or an authenticated, local attacker to execute arbitrary code on an affected system or cause an affected system to crash and reload. For more information about these vulnerabilities, see the Details section of this advisory. Cisco IOS The software contains a buffer error vulnerability.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be put into a state. Cisco 809 Industrial Integrated Services Routers, etc. are all products of the United States Cisco (Cisco) company. Cisco 809 Industrial Integrated Services Routers is an industrial integrated multi-service router. Cisco 829 Industrial Integrated Services Routers is an industrial integrated multi-service router. Cisco 1000 Series Connected Grid Routers is a 1000 series Internet grid router. Cisco IOS Software is a set of software developed for its network equipment running on it. The Cisco 809 Industrial ISRs, 829 Industrial ISRs, and the IOS Software diagnostic check CLI command in CGR1000 have a buffer overflow vulnerability. An attacker can use the vulnerability to execute arbitrary code by performing identity verification and sending diagnostic detection commands