VARIoT IoT vulnerabilities database

Affected products: vendor, model and version
CWE format is 'CWE-number'. Threat type can be: remote or local
Look up free text in title and description

VAR-202006-1085 CVE-2020-3218 Cisco IOS XE  Input validation vulnerability in software CVSS V2: 9.0
CVSS V3: 7.2
Severity: HIGH
A vulnerability in the web UI of Cisco IOS XE Software could allow an authenticated, remote attacker with administrative privileges to execute arbitrary code with root privileges on the underlying Linux shell. The vulnerability is due to improper validation of user-supplied input. An attacker could exploit this vulnerability by first creating a malicious file on the affected device itself and then uploading a second malicious file to the device. A successful exploit could allow the attacker to execute arbitrary code with root privileges or bypass licensing requirements on the device. Cisco IOS XE The software contains an input validation vulnerability.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. Cisco IOS XE is an operating system developed by Cisco for its network equipment
VAR-202006-1086 CVE-2020-3219 Cisco IOS XE  Input validation vulnerability in software CVSS V2: 9.0
CVSS V3: 8.8
Severity: HIGH
A vulnerability in the web UI of Cisco IOS XE Software could allow an authenticated, remote attacker to inject and execute arbitrary commands with administrative privileges on the underlying operating system of an affected device. The vulnerability is due to insufficient validation of user-supplied input to the web UI. An attacker could exploit this vulnerability by submitting crafted input to the web UI. A successful exploit could allow an attacker to execute arbitrary commands with administrative privileges on an affected device. Cisco IOS XE The software contains an input validation vulnerability.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. Cisco IOS XE is an operating system developed by Cisco for its network equipment
VAR-202006-1074 CVE-2020-3206 Cisco IOS XE Input verification vulnerabilities in software CVSS V2: 3.3
CVSS V3: 4.7
Severity: MEDIUM
A vulnerability in the handling of IEEE 802.11w Protected Management Frames (PMFs) of Cisco Catalyst 9800 Series Wireless Controllers that are running Cisco IOS XE Software could allow an unauthenticated, adjacent attacker to terminate a valid user connection to an affected device. The vulnerability exists because the affected software does not properly validate 802.11w disassociation and deauthentication PMFs that it receives. An attacker could exploit this vulnerability by sending a spoofed 802.11w PMF from a valid, authenticated client on a network adjacent to an affected device. A successful exploit could allow the attacker to terminate a single valid user connection to the affected device. Cisco IOS XE The software contains an input verification vulnerability.Service operation interruption (DoS) It may be put into a state. Cisco IOS XE is an operating system developed by Cisco for its network equipment
VAR-202006-1150 CVE-2020-3204 Cisco IOS and IOS XE Input verification vulnerabilities in software CVSS V2: 7.2
CVSS V3: 6.7
Severity: MEDIUM
A vulnerability in the Tool Command Language (Tcl) interpreter of Cisco IOS Software and Cisco IOS XE Software could allow an authenticated, local attacker with privileged EXEC credentials to execute arbitrary code on the underlying operating system (OS) with root privileges. The vulnerability is due to insufficient input validation of data passed to the Tcl interpreter. An attacker could exploit this vulnerability by loading malicious Tcl code on an affected device. A successful exploit could allow the attacker to cause memory corruption or execute the code with root privileges on the underlying OS of the affected device. Cisco IOS and IOS XE The software contains an input verification vulnerability.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be put into a state. Both Cisco IOS and IOS XE are a set of operating systems developed by Cisco for its network equipment
VAR-202006-1092 CVE-2020-3225 Cisco IOS and IOS XE Input verification vulnerabilities in software CVSS V2: 7.8
CVSS V3: 8.6
Severity: HIGH
Multiple vulnerabilities in the implementation of the Common Industrial Protocol (CIP) feature of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause an affected device to reload, resulting in a denial of service (DoS) condition. The vulnerabilities are due to insufficient input processing of CIP traffic. An attacker could exploit these vulnerabilities by sending crafted CIP traffic to be processed by an affected device. A successful exploit could allow the attacker to cause the affected device to reload, resulting in a DoS condition. Cisco IOS and IOS XE The software contains an input verification vulnerability.Service operation interruption (DoS) It may be put into a state
VAR-202006-1084 CVE-2020-3217 plural Cisco Product input verification vulnerabilities CVSS V2: 8.3
CVSS V3: 8.8
Severity: HIGH
A vulnerability in the Topology Discovery Service of Cisco One Platform Kit (onePK) in Cisco IOS Software, Cisco IOS XE Software, Cisco IOS XR Software, and Cisco NX-OS Software could allow an unauthenticated, adjacent attacker to execute arbitrary code or cause a denial of service (DoS) condition on an affected device. The vulnerability is due to insufficient length restrictions when the onePK Topology Discovery Service parses Cisco Discovery Protocol messages. An attacker could exploit this vulnerability by sending a malicious Cisco Discovery Protocol message to an affected device. An exploit could allow the attacker to cause a stack overflow, which could allow the attacker to execute arbitrary code with administrative privileges, or to cause a process crash, which could result in a reload of the device and cause a DoS condition. plural Cisco The product contains an input verification vulnerability.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be put into a state. Cisco NX-OS Software, etc. are all products of Cisco (Cisco). Cisco NX-OS Software is a set of data center-level operating system software used by switches. Cisco IOS is an operating system developed for its network equipment. IOS XE is an operating system developed for its network equipment
VAR-202006-1097 CVE-2020-3230 Cisco IOS and IOS XE Input verification vulnerabilities in software CVSS V2: 5.0
CVSS V3: 7.5
Severity: HIGH
A vulnerability in the Internet Key Exchange Version 2 (IKEv2) implementation in Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to prevent IKEv2 from establishing new security associations. The vulnerability is due to incorrect handling of crafted IKEv2 SA-Init packets. An attacker could exploit this vulnerability by sending crafted IKEv2 SA-Init packets to the affected device. An exploit could allow the attacker to cause the affected device to reach the maximum incoming negotiation limits and prevent further IKEv2 security associations from being formed. Cisco IOS and IOS XE The software contains an input verification vulnerability.Service operation interruption (DoS) It may be put into a state. Attackers can exploit this vulnerability to prevent IKEv2 from establishing new security associations (SAs)
VAR-202006-1093 CVE-2020-3226 Cisco IOS and IOS XE Input verification vulnerabilities in software CVSS V2: 7.8
CVSS V3: 8.6
Severity: HIGH
A vulnerability in the Session Initiation Protocol (SIP) library of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to trigger a reload of an affected device, resulting in a denial of service (DoS) condition. The vulnerability is due to insufficient sanity checks on received SIP messages. An attacker could exploit this vulnerability by sending crafted SIP messages to an affected device. A successful exploit could allow the attacker to cause the affected device to reload, resulting in a denial of service condition. Cisco IOS and IOS XE The software contains an input verification vulnerability.Service operation interruption (DoS) It may be put into a state. The following products and versions are affected: Cisco Unified Border Element (CUBE); Cisco Unified Communications Manager Express (CME); Cisco IOS Gateways with Session Initiation Protocol (SIP); Cisco TDM Gateways; Cisco Unified Survivable Remote Site Telephony (SRST); Business Edition 4000 (BE4K)
VAR-202006-1105 CVE-2020-3238 Cisco IOx Application Framework Input Validation Error Vulnerability CVSS V2: 5.5
CVSS V3: 8.1
Severity: HIGH
A vulnerability in the Cisco Application Framework component of the Cisco IOx application environment could allow an authenticated, remote attacker to write or modify arbitrary files in the virtual instance that is running on the affected device. The vulnerability is due to insufficient input validation of user-supplied application packages. An attacker who can upload a malicious package within Cisco IOx could exploit the vulnerability to modify arbitrary files. The impacts of a successful exploit are limited to the scope of the virtual instance and do not affect the device that is hosting Cisco IOx. Cisco IOx The application contains an input verification vulnerability.Information is tampered with and service operation is interrupted (DoS) It may be put into a state. Cisco Iox is a secure development environment of the US Cisco (Cisco) that combines Cisco IOS and Linux OS for secure network connection and development of IOT applications
VAR-202006-1095 CVE-2020-3228 plural Cisco Product input verification vulnerabilities CVSS V2: 7.8
CVSS V3: 8.6
Severity: HIGH
A vulnerability in Security Group Tag Exchange Protocol (SXP) in Cisco IOS Software, Cisco IOS XE Software, and Cisco NX-OS Software could allow an unauthenticated, remote attacker to cause the affected device to reload, resulting in a denial of service (DoS) condition. The vulnerability exists because crafted SXP packets are mishandled. An attacker could exploit this vulnerability by sending specifically crafted SXP packets to the affected device. A successful exploit could allow the attacker to cause the affected device to reload, resulting in a DoS condition. Cisco NX-OS Software, etc. are all products of Cisco (Cisco). Cisco NX-OS Software is a set of data center-level operating system software used by switches. IOS XE is an operating system developed for its network equipment
VAR-202006-1852 CVE-2020-13787 D-Link DIR-865L Ax Beta Information leakage vulnerabilities in devices CVSS V2: 5.0
CVSS V3: 7.5
Severity: HIGH
D-Link DIR-865L Ax 1.20B01 Beta devices have Cleartext Transmission of Sensitive Information. D-Link DIR-865L is a wireless router from D-Link, Taiwan. The vulnerability results from the program transmitting sensitive information in clear text. A remote attacker can use the vulnerability to obtain sensitive information by sniffing network traffic
VAR-202006-1815 CVE-2020-3199 Cisco IOS Input verification vulnerabilities in software CVSS V2: 8.3
CVSS V3: 8.8
Severity: HIGH
Multiple vulnerabilities in the Cisco IOx application environment of Cisco 809 and 829 Industrial Integrated Services Routers (Industrial ISRs) and Cisco 1000 Series Connected Grid Routers (CGR1000) that are running Cisco IOS Software could allow an attacker to cause a denial of service (DoS) condition or execute arbitrary code with elevated privileges on an affected device. For more information about these vulnerabilities, see the Details section of this advisory. Cisco IOS The software contains an input verification vulnerability.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be put into a state
VAR-202006-1814 CVE-2020-3208 Cisco IOS Software permission management vulnerabilities CVSS V2: 7.2
CVSS V3: 6.7
Severity: MEDIUM
A vulnerability in the image verification feature of Cisco IOS Software for Cisco 809 and 829 Industrial Integrated Services Routers (Industrial ISRs) could allow an authenticated, local attacker to boot a malicious software image on an affected device. The vulnerability is due to insufficient access restrictions on the area of code that manages the image verification feature. An attacker could exploit this vulnerability by first authenticating to the targeted device and then logging in to the Virtual Device Server (VDS) of an affected device. The attacker could then, from the VDS shell, disable Cisco IOS Software integrity (image) verification. A successful exploit could allow the attacker to boot a malicious Cisco IOS Software image on the targeted device. To exploit this vulnerability, the attacker must have valid user credentials at privilege level 15. Cisco IOS The software contains a vulnerability in privilege management.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be put into a state
VAR-202006-1102 CVE-2020-3235 Cisco IOS and IOS XE Input verification vulnerabilities in software CVSS V2: 6.3
CVSS V3: 7.7
Severity: HIGH
A vulnerability in the Simple Network Management Protocol (SNMP) subsystem of Cisco IOS Software and Cisco IOS XE Software on Catalyst 4500 Series Switches could allow an authenticated, remote attacker to cause a denial of service (DoS) condition. The vulnerability is due to insufficient input validation when the software processes specific SNMP object identifiers. An attacker could exploit this vulnerability by sending a crafted SNMP packet to an affected device. A successful exploit could allow the attacker to cause the affected device to reload, resulting in a DoS condition. Note: To exploit this vulnerability by using SNMPv2c or earlier, the attacker must know the SNMP read-only community string for an affected system. To exploit this vulnerability by using SNMPv3, the attacker must know the user credentials for the affected system
VAR-202006-1135 CVE-2020-3322 Microsoft Windows for Cisco Webex Network Recording Player and Cisco Webex Player Input verification vulnerability in CVSS V2: 4.3
CVSS V3: 3.3
Severity: LOW
A vulnerability in Cisco Webex Network Recording Player and Cisco Webex Player for Microsoft Windows could allow an attacker to cause a process crash resulting in a Denial of service (DoS) condition for the player application on an affected system. The vulnerability exists due to insufficient validation of certain elements with a Webex recording stored in either the Advanced Recording Format (ARF) or the Webex Recording Format (WRF). An attacker could exploit this vulnerability by sending a user a malicious ARF or WRF file through a link or email attachment and persuading the user to open the file with the affected software on the local system. A successful exploit could allow the attacker to cause the Webex player application to crash when trying to view the malicious file
VAR-202006-1134 CVE-2020-3321 Windows for Cisco Webex Network Recording Player and Cisco Webex Player Input verification vulnerability in CVSS V2: 4.3
CVSS V3: 3.3
Severity: LOW
A vulnerability in Cisco Webex Network Recording Player and Cisco Webex Player for Microsoft Windows could allow an attacker to cause a process crash resulting in a Denial of service (DoS) condition for the player application on an affected system. The vulnerability exists due to insufficient validation of certain elements with a Webex recording stored in either the Advanced Recording Format (ARF) or the Webex Recording Format (WRF). An attacker could exploit this vulnerability by sending a user a malicious ARF or WRF file through a link or email attachment and persuading the user to open the file with the affected software on the local system. A successful exploit could allow the attacker to cause the Webex player application to crash when trying to view the malicious file
VAR-202006-1121 CVE-2020-3281 Cisco Digital Network Architecture Center Vulnerability regarding information leakage from log files in CVSS V2: 4.0
CVSS V3: 8.8
Severity: HIGH
A vulnerability in the audit logging component of Cisco Digital Network Architecture (DNA) Center could allow an authenticated, remote attacker to view sensitive information in clear text. The vulnerability is due to the storage of certain unencrypted credentials. An attacker could exploit this vulnerability by accessing the audit logs and obtaining credentials that they may not normally have access to. A successful exploit could allow the attacker to use those credentials to discover and manage network devices. (DoS) It may be put into a state
VAR-202006-1133 CVE-2020-3319 Microsoft Windows for Cisco Webex Network Recording Player and Webex Player Input verification vulnerability in CVSS V2: 4.3
CVSS V3: 3.3
Severity: LOW
A vulnerability in Cisco Webex Network Recording Player and Cisco Webex Player for Microsoft Windows could allow an attacker to cause a process crash resulting in a Denial of service (DoS) condition for the player application on an affected system. The vulnerability exists due to insufficient validation of certain elements with a Webex recording stored in either the Advanced Recording Format (ARF) or the Webex Recording Format (WRF). An attacker could exploit this vulnerability by sending a user a malicious ARF or WRF file through a link or email attachment and persuading the user to open the file with the affected software on the local system. A successful exploit could allow the attacker to cause the Webex player application to crash when trying to view the malicious file. This vulnerability affects Cisco Webex Network Recording Player and Webex Player releases earlier than Release 3.0 MR3 Security Patch 2 and 4.0 MR3
VAR-202006-1083 CVE-2020-3216 Cisco IOS XE SD-WAN Authentication vulnerabilities in software CVSS V2: 7.2
CVSS V3: 6.8
Severity: MEDIUM
A vulnerability in Cisco IOS XE SD-WAN Software could allow an unauthenticated, physical attacker to bypass authentication and gain unrestricted access to the root shell of an affected device. The vulnerability exists because the affected software has insufficient authentication mechanisms for certain commands. An attacker could exploit this vulnerability by stopping the boot initialization of an affected device. A successful exploit could allow the attacker to bypass authentication and gain unrestricted access to the root shell of the affected device. Cisco IOS XE SD-WAN The software contains an authentication vulnerability.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be put into a state. Both Cisco IOS and IOS XE are products of Cisco (Cisco). CLI is one of those command line interfaces. SD-WAN Software is one of the software-defined WAN software
VAR-202006-1060 CVE-2020-1883 plural Huawei Vulnerability in lack of release of resources after valid lifetime in product CVSS V2: 4.0
CVSS V3: 4.9
Severity: MEDIUM
Huawei products NIP6800;Secospace USG6600;USG9500 have a memory leak vulnerability. An attacker with high privileges exploits this vulnerability by continuously performing specific operations. Successful exploitation of this vulnerability can cause service abnormal. NIP6800 , Secospace USG6600 , USG9500 Is vulnerable to a lack of resource release after a valid lifetime.Service operation interruption (DoS) It may be put into a state