VARIoT IoT vulnerabilities database
| VAR-202005-1086 | No CVE | Schneider Electric Co., Ltd. Zelio Soft 2 installer has a DLL hijacking vulnerability |
CVSS V2: 7.2 CVSS V3: - Severity: HIGH |
Zelio Soft 2 is programming software for small intelligent controllers.
Zelio Soft 2 of Schneider Electric Co., Ltd. has a DLL hijacking vulnerability. An attacker can use this vulnerability to load a malicious DLL and execute malicious code.
| VAR-202005-0743 | CVE-2019-11823 | Out-of-bounds read vulnerability in Synology Router Manager |
CVSS V2: 5.0 CVSS V3: 7.5 Severity: HIGH |
CRLF injection vulnerability in Network Center in Synology Router Manager (SRM) before 1.2.3-8017-2 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via crafted network traffic. Synology Router Manager (SRM) contains an out-of-bounds read vulnerability. Service operation may be interrupted (DoS). Synology Router Manager (SRM) is software for configuring and managing Synology routers, developed by Synology, Taiwan. A buffer error vulnerability exists in Network Center in versions earlier than Synology SRM 1.2.3-8017-2.
| VAR-202005-0888 | CVE-2020-5343 | Unauthorized authentication vulnerability in Dell OS recovery image |
CVSS V2: 7.2 CVSS V3: 7.8 Severity: HIGH |
Dell Client platforms restored using a Dell OS recovery image downloaded before December 20, 2019, may contain an insecure inherited permissions vulnerability. A local authenticated malicious user with low privileges could exploit this vulnerability to gain unauthorized access on the root folder. The Dell OS recovery image contains a fraudulent authentication vulnerability. Information may be obtained or tampered with, and service operation may be interrupted (DoS).
| VAR-202005-0351 | CVE-2020-12475 | Path traversal vulnerabilities in TP-Link Omada Controller software |
CVSS V2: 2.1 CVSS V3: 5.5 Severity: MEDIUM |
TP-Link Omada Controller Software 3.2.6 allows Directory Traversal for reading arbitrary files via com.tp_link.eap.web.portal.PortalController.getAdvertiseFile in /opt/tplink/EAPController/lib/eap-web-3.2.6.jar. TP-Link Omada Controller Software is software from the Chinese company TP-Link (Pulian) for managing wireless access points. Attackers can use this vulnerability to read arbitrary files by using com.tp_link.eap.web.portal.PortalController.getAdvertiseFile in /opt/tplink/EAPController/lib/eap-web-3.2.6.jar.
| VAR-202005-0328 | CVE-2020-12109 | OS command injection vulnerabilities on multiple TP-Link devices |
CVSS V2: 9.0 CVSS V3: 8.8 Severity: HIGH |
Certain TP-Link devices allow Command Injection. This affects NC200 2.1.9 build 200225, NC210 1.0.9 build 200304, NC220 1.3.0 build 200304, NC230 1.3.0 build 200304, NC250 1.3.0 build 200304, NC260 1.5.2 build 200304, and NC450 1.5.3 build 200304. An OS command injection vulnerability exists on multiple TP-Link devices. Information may be obtained or tampered with, and service operation may be interrupted (DoS). TP-LINK is a brand owned by Pulian Technology Co., Ltd., established in 1996, and is a mainstream manufacturer specializing in the R&D, manufacturing and marketing of network and communication terminal equipment.
The TP-LINK Cloud Cameras NCXXX series has an authorized RCE vulnerability. An attacker can exploit this vulnerability using the default credentials admin:admin to execute arbitrary commands as root.
| VAR-202005-0329 | CVE-2020-12110 | Use of hard-coded credentials vulnerability on multiple TP-Link devices |
CVSS V2: 5.0 CVSS V3: 9.8 Severity: CRITICAL |
Certain TP-Link devices have a Hardcoded Encryption Key. This affects NC200 2.1.9 build 200225, N210 1.0.9 build 200304, NC220 1.3.0 build 200304, NC230 1.3.0 build 200304, NC250 1.3.0 build 200304, NC260 1.5.2 build 200304, and NC450 1.5.3 build 200304. Multiple TP-Link devices contain a vulnerability in the use of hard-coded credentials. Information may be obtained or tampered with, and service operation may be interrupted (DoS). TP-Link NC200 and the other listed models are network cameras from the Chinese company TP-Link.
The swSystemBackup and sym.swSystemRestoreFile methods in many TP-Link products have security vulnerabilities, which are caused by the use of hard-coded encryption keys in the program. Remote attackers can use this vulnerability to obtain sensitive information from backup files. TP-Link NC series Cloud Cameras could allow a remote malicious user to obtain sensitive information, caused by the use of a hardcoded encryption key in the swSystemBackup and sym.swSystemRestoreFile methods.
| VAR-202005-0330 | CVE-2020-12111 | TP-Link NC260 and NC450 operating system command injection vulnerability |
CVSS V2: 9.0 CVSS V3: 8.8 Severity: HIGH |
Certain TP-Link devices allow Command Injection. This affects NC260 1.5.2 build 200304 and NC450 1.5.3 build 200304. An OS command injection vulnerability exists on TP-Link NC260 and NC450 devices. Information may be obtained or tampered with, and service operation may be interrupted (DoS). TP-Link NC260 and TP-Link NC450 are both webcams from the Chinese company TP-Link.
The httpSetEncryptKeyRpm method of the ipcamera binary file in TP-Link NC260 1.5.2 build 200304 and NC450 1.5.3 build 200304 has an operating system command injection vulnerability. A remote attacker can exploit the vulnerability by sending a specially crafted HTTP POST request to the setEncryptKey.fcgi script to execute arbitrary commands on the system as the root user.
| VAR-202005-0333 | CVE-2020-12117 | Information leakage vulnerability in Moxa NPort 5150A firmware |
CVSS V2: 5.0 CVSS V3: 5.3 Severity: MEDIUM |
Moxa Service in Moxa NPort 5150A firmware version 1.5 and earlier allows attackers to obtain sensitive configuration values via a crafted packet to UDP port 4800. NOTE: Moxa Service is an unauthenticated service that runs upon a first-time installation but can be disabled without ill effect. There is an information leakage vulnerability in the Moxa NPort 5150A firmware. Information may be obtained. Moxa NPort 5150A is a device server from China's Moxa company.
| VAR-202004-2258 | No CVE | Shanghai Zhenghang Electronic Technology Co., Ltd. 7-inch touch screen programming software has a memory corruption vulnerability |
CVSS V2: 4.9 CVSS V3: - Severity: MEDIUM |
Shanghai Zhenghang Electronic Technology Co., Ltd. is a high-tech enterprise dedicated to product design, development, production, sales and service in the field of industrial control.
The 7-inch touch screen programming software of Shanghai Zhenghang Electronic Technology Co., Ltd. has a memory corruption vulnerability. An attacker can use this vulnerability to construct a malformed hmp file that can cause the program to crash.
| VAR-202004-2239 | No CVE | Shenzhen Hexin Automation Technology Co., Ltd. MagicWorks HMI V3.91 has a memory corruption vulnerability |
CVSS V2: 4.9 CVSS V3: - Severity: MEDIUM |
Shenzhen Hexin Automation Technology Co., Ltd. (referred to as "Hexin Technology") was established in 2003. It is a high-tech enterprise, focusing on the development, production, sales and technical services of industrial automation products. It is a supplier of industrial automation solutions.
Shenzhen Hexin Automation Technology Co., Ltd. MagicWorks HMI V3.91 has a memory corruption vulnerability. An attacker can use this vulnerability to construct a malformed hmidb file that can cause the program to crash.
| VAR-202004-2019 | CVE-2020-5875 | Vulnerability in BIG-IP |
CVSS V2: 5.0 CVSS V3: 7.5 Severity: HIGH |
On BIG-IP 15.0.0-15.0.1 and 14.1.0-14.1.2.3, under certain conditions, the Traffic Management Microkernel (TMM) may generate a core file and restart while processing SSL traffic with an HTTP/2 full proxy. There is an unspecified vulnerability in BIG-IP. Service operation may be interrupted (DoS). F5 BIG-IP is an application delivery platform from the US company F5 that integrates network traffic management, application security management, load balancing and other functions. A security vulnerability exists in F5 BIG-IP versions 15.0.0 through 15.0.1 and 14.1.0 through 14.1.2.3.
| VAR-202004-2117 | CVE-2020-5880 | Unrestricted upload of dangerous file types vulnerability in BIG-IP |
CVSS V2: 5.5 CVSS V3: 7.1 Severity: HIGH |
On BIG-IP 15.0.0-15.0.1.3 and 14.1.0-14.1.2.3, the restjavad process may expose a way for attackers to upload arbitrary files on the BIG-IP system, bypassing the authorization system. Resulting error messages may also reveal internal paths of the server. BIG-IP contains a vulnerability related to unrestricted upload of dangerous types of files. Information may be obtained and service operation may be interrupted (DoS). F5 BIG-IP is an application delivery platform from the US company F5 that integrates network traffic management, application security management, load balancing and other functions. A security vulnerability exists in the restjavad process in F5 BIG-IP versions 15.0.0 through 15.0.1.3 and 14.1.0 through 14.1.2.3. A remote attacker can exploit this vulnerability to flood the disk memory, rendering the BIG-IP host inoperable.
| VAR-202004-2109 | CVE-2020-5891 | Input validation vulnerability in BIG-IP |
CVSS V2: 4.3 CVSS V3: 7.5 Severity: HIGH |
On BIG-IP 15.1.0-15.1.0.1, 15.0.0-15.0.1.2, and 14.1.0-14.1.2.3, undisclosed HTTP/2 requests can lead to a denial of service when sent to a virtual server configured with the Fallback Host setting and a server-side HTTP/2 profile. There is an input validation vulnerability in BIG-IP. Service operation may be interrupted (DoS). F5 BIG-IP is an application delivery platform from the US company F5 that integrates network traffic management, application security management, load balancing and other functions. An attacker could exploit this vulnerability with a specially crafted HTTP/2 request to cause a denial of service.
| VAR-202004-2115 | CVE-2020-5878 | Vulnerability in BIG-IP |
CVSS V2: 5.0 CVSS V3: 7.5 Severity: HIGH |
On versions 15.1.0-15.1.0.1, 15.0.0-15.0.1.1, and 14.1.0-14.1.2.3, Traffic Management Microkernel (TMM) may restart on BIG-IP Virtual Edition (VE) while processing unusual IP traffic. There is an unspecified vulnerability in BIG-IP. Service operation may be interrupted (DoS).
| VAR-202004-2113 | CVE-2020-5887 | Vulnerability related to leakage of resources to the wrong area in BIG-IP Virtual Edition |
CVSS V2: 6.4 CVSS V3: 9.1 Severity: CRITICAL |
On versions 15.1.0-15.1.0.1, 15.0.0-15.0.1.2, and 14.1.0-14.1.2.3, BIG-IP Virtual Edition (VE) may expose a mechanism for remote attackers to access local daemons and bypass port lockdown settings. BIG-IP Virtual Edition (VE) contains a vulnerability related to the leakage of resources to the wrong area. Information may be obtained and tampered with. F5 BIG-IP is an application delivery platform from the US company F5 that integrates network traffic management, application security management, load balancing and other functions. There are security vulnerabilities in F5 BIG-IP versions 15.1.0 to 15.1.0.1, 15.0.0 to 15.0.1.2, and 14.1.0 to 14.1.2.3. The vulnerability is caused by the program not authenticating properly.
| VAR-202004-2112 | CVE-2020-5886 | Cryptographic strength vulnerabilities in BIG-IP |
CVSS V2: 6.4 CVSS V3: 9.1 Severity: CRITICAL |
On versions 15.0.0-15.1.0.1, 14.1.0-14.1.2.3, 13.1.0-13.1.3.3, and 12.1.0-12.1.5.1, BIG-IP systems set up for connection mirroring in a High Availability (HA) pair transfer sensitive cryptographic objects over an insecure communications channel. This is a control plane issue which is exposed only on the network used for connection mirroring. There is a cryptographic strength vulnerability in BIG-IP. Information may be obtained and tampered with. F5 BIG-IP is an application delivery platform from the US company F5 that integrates network traffic management, application security management, load balancing and other functions. A security vulnerability exists in the F5 BIG-IP system due to the program's use of an insecure communication channel to transmit sensitive encrypted objects. A remote attacker can exploit this vulnerability to read and modify Diffie-Hellman (DH) parameters. The following products and versions are affected: F5 BIG-IP from version 15.0.0 to version 15.1.0.1, version 14.1.0 to version 14.1.2.3, version 13.1.0 to version 13.1.3.3, version 12.1.0 to version 12.1.5.1.
| VAR-202004-2017 | CVE-2020-5873 | Vulnerability in BIG-IP and BIG-IQ |
CVSS V2: 6.5 CVSS V3: 7.2 Severity: HIGH |
On BIG-IP 15.0.0-15.0.1, 14.1.0-14.1.2.3, 13.1.0-13.1.3.1, 12.1.0-12.1.5, and 11.6.1-11.6.5 and BIG-IQ 5.2.0-7.1.0, a user associated with the Resource Administrator role who has access to the secure copy (scp) utility but does not have access to Advanced Shell (bash) can execute arbitrary commands using a maliciously crafted scp request. There is an unspecified vulnerability in BIG-IP and BIG-IQ. Information may be obtained or tampered with, and service operation may be interrupted (DoS). F5 BIG-IP is an application delivery platform from the US company F5 that integrates network traffic management, application security management, load balancing and other functions. A security vulnerability exists in F5 BIG-IP and BIG-IQ. The following products and versions are affected: F5 BIG-IP version 15.0.0 to 15.0.1, 14.1.0 to 14.1.2.3, 13.1.0 to 13.1.3.1, 12.1.0 to 12.1.5, and 11.6.1 to 11.6.5; BIG-IQ version 5.2.0 to version 7.1.0.
| VAR-202004-2121 | CVE-2020-5882 | Vulnerability in BIG-IP |
CVSS V2: 5.0 CVSS V3: 7.5 Severity: HIGH |
On BIG-IP 15.0.0-15.0.1.3, 14.1.0-14.1.2.3, 13.1.0-13.1.3.3, 12.1.0-12.1.5, and 11.6.1-11.6.5.1, under certain conditions, the Intel QuickAssist Technology (QAT) cryptography driver may produce a Traffic Management Microkernel (TMM) core file. There is an unspecified vulnerability in BIG-IP. Service operation may be interrupted (DoS).
| VAR-202004-2108 | CVE-2020-5890 | Information leakage vulnerability in BIG-IP |
CVSS V2: 2.1 CVSS V3: 5.5 Severity: MEDIUM |
On BIG-IP 15.0.0-15.0.1, 14.1.0-14.1.2.3, 13.1.0-13.1.3.3, and 12.1.0-12.1.5.1 and BIG-IQ 5.2.0-7.1.0, when creating a QKView, credentials for binding to LDAP servers used for remote authentication of the BIG-IP administrative interface will not fully obfuscate if they contain whitespace. There is an information leakage vulnerability in BIG-IP. Information may be obtained. Both F5 BIG-IP and F5 BIG-IQ are products of the US company F5. F5 BIG-IP is an application delivery platform that integrates functions such as network traffic management, application security management, and load balancing. F5 BIG-IQ is a software-based cloud management solution. The solution supports the deployment of application delivery and network services across public and private clouds, traditional data centers and hybrid environments. A security vulnerability exists in F5 BIG-IP and BIG-IQ. The following products and versions are affected: F5 BIG-IP version 15.0.0 to 15.0.1, 14.1.0 to 14.1.2.3, 13.1.0 to 13.1.3.3 and 12.1.0 to 12.1.5.1; BIG-IQ version 5.2.0 to version 7.1.0.
| VAR-202004-2110 | CVE-2020-5892 | Buffer error vulnerability in BIG-IP Edge Client component |
CVSS V2: 4.6 CVSS V3: 6.7 Severity: MEDIUM |
In versions 7.1.5-7.1.8, the BIG-IP Edge Client components in BIG-IP APM, Edge Gateway, and FirePass legacy allow attackers to obtain the full session ID from process memory. A buffer error vulnerability exists in the BIG-IP Edge Client component. Information may be obtained or tampered with, and service operation may be interrupted (DoS). F5 BIG-IP APM and the other listed products are all products of the US company F5. F5 BIG-IP APM is an access and security solution. F5 BIG-IP APM Clients is a set of APM client software. F5 BIG-IP Edge Gateway is a remote access solution. Security vulnerabilities exist in F5 BIG-IP APM, BIG-IP Edge Gateway, and BIG-IP APM Clients.