Max CVSS | 10.0 | Min CVSS | 3.3 | Total Count | 2 |
ID | CVSS | Summary | Last (major) update | Published | |
CVE-2017-8408 | 10.0 |
An issue was discovered on D-Link DCS-1130 devices. The device provides a user with the capability of setting a SMB folder for the video clippings recorded by the device. It seems that the GET parameters passed in this request (to test if SMB credent
|
26-04-2023 - 19:27 | 02-07-2019 - 16:15 | |
CVE-2018-10694 | 4.3 |
An issue was discovered on Moxa AWK-3121 1.14 devices. The device provides a Wi-Fi connection that is open and does not use any encryption mechanism by default. An administrator who uses the open wireless connection to set up the device can allow an
|
28-02-2023 - 19:30 | 07-06-2019 - 20:29 | |
CVE-2018-10690 | 4.3 |
An issue was discovered on Moxa AWK-3121 1.14 devices. The device by default allows HTTP traffic thus providing an insecure communication mechanism for a user connecting to the web server. This allows an attacker to sniff the traffic easily and allow
|
28-02-2023 - 19:30 | 07-06-2019 - 20:29 | |
CVE-2018-10697 | 9.3 |
An issue was discovered on Moxa AWK-3121 1.14 devices. The Moxa AWK 3121 provides ping functionality so that an administrator can execute ICMP calls to check if the network is working correctly. However, the same functionality allows an attacker to e
|
28-02-2023 - 19:29 | 07-06-2019 - 20:29 | |
CVE-2018-10698 | 10.0 |
An issue was discovered on Moxa AWK-3121 1.14 devices. The device enables an unencrypted TELNET service by default. This allows an attacker who has been able to gain an MITM position to easily sniff the traffic between the device and the user. Also a
|
28-02-2023 - 19:29 | 07-06-2019 - 20:29 | |
CVE-2018-10702 | 6.8 |
An issue was discovered on Moxa AWK-3121 1.14 devices. It provides functionality so that an administrator can run scripts on the device to troubleshoot any issues. However, the same functionality allows an attacker to execute commands on the device.
|
28-02-2023 - 19:29 | 07-06-2019 - 20:29 | |
CVE-2017-8411 | 9.3 |
An issue was discovered on D-Link DCS-1130 devices. The device provides a user with the capability of setting a SMB folder for the video clippings recorded by the device. It seems that the POST parameters passed in this request (to test if email cred
|
26-04-2021 - 17:06 | 02-07-2019 - 19:15 | |
CVE-2017-8404 | 10.0 |
An issue was discovered on D-Link DCS-1130 devices. The device provides a user with the capability of setting a SMB folder for the video clippings recorded by the device. It seems that the POST parameters passed in this request (to test if email cred
|
26-04-2021 - 17:05 | 02-07-2019 - 19:15 | |
CVE-2017-8412 | 5.8 |
An issue was discovered on D-Link DCS-1100 and DCS-1130 devices. The device has a custom binary called mp4ts under the /var/www/video folder. It seems that this binary dumps the HTTP VERB in the system logs. As a part of doing that it retrieves the H
|
26-04-2021 - 17:00 | 02-07-2019 - 21:15 | |
CVE-2017-8410 | 10.0 |
An issue was discovered on D-Link DCS-1100 and DCS-1130 devices. The binary rtspd in /sbin folder of the device handles all the rtsp connections received by the device. It seems that the binary performs a memcpy operation at address 0x00011E34 with t
|
26-04-2021 - 16:56 | 02-07-2019 - 20:15 | |
CVE-2017-8406 | 6.8 |
An issue was discovered on D-Link DCS-1130 devices. The device provides a crossdomain.xml file with no restrictions on who can access the webserver. This allows a hosted flash file on any domain to make calls to the device's webserver and pull any i
|
26-04-2021 - 16:43 | 02-07-2019 - 20:15 | |
CVE-2017-8417 | 3.3 |
An issue was discovered on D-Link DCS-1100 and DCS-1130 devices. The device requires that a user logging into the device provide a username and password. However, the device allows D-Link apps on the mobile devices and desktop to communicate with the
|
26-04-2021 - 16:23 | 02-07-2019 - 21:15 | |
CVE-2017-8415 | 10.0 |
An issue was discovered on D-Link DCS-1100 and DCS-1130 devices. The device has a custom telnet daemon as a part of the busybox and retrieves the password from the shadow file using the function getspnam at address 0x00053894. Then performs a crypt o
|
26-04-2021 - 16:09 | 02-07-2019 - 21:15 | |
CVE-2017-8409 | 5.0 |
An issue was discovered on D-Link DCS-1130 devices. The device requires that a user logging in to the device provide a username and password. However, the device does not enforce the same restriction on a specific URL thereby allowing any attacker in
|
23-04-2021 - 18:51 | 02-07-2019 - 20:15 | |
CVE-2017-8405 | 5.0 |
An issue was discovered on D-Link DCS-1130 and DCS-1100 devices. The binary rtspd in /sbin folder of the device handles all the rtsp connections received by the device. It seems that the binary loads at address 0x00012CF4 a flag called "Authenticate"
|
23-04-2021 - 18:50 | 02-07-2019 - 20:15 | |
CVE-2017-8407 | 6.8 |
An issue was discovered on D-Link DCS-1130 devices. The device provides a user with the capability of changing the administrative password for the web management interface. It seems that the device does not implement any cross-site request forgery pr
|
23-04-2021 - 18:50 | 02-07-2019 - 19:15 | |
CVE-2017-8414 | 7.2 |
An issue was discovered on D-Link DCS-1100 and DCS-1130 devices. The binary orthrus in /sbin folder of the device handles all the UPnP connections received by the device. It seems that the binary performs a sprintf operation at address 0x0000A3E4 wit
|
23-04-2021 - 18:47 | 02-07-2019 - 20:15 | |
CVE-2017-8416 | 8.3 |
An issue was discovered on D-Link DCS-1100 and DCS-1130 devices. The device runs a custom daemon on UDP port 5978 which is called "dldps2121" and listens for broadcast packets sent on 255.255.255.255. This daemon handles custom D-Link UDP based proto
|
23-04-2021 - 16:49 | 02-07-2019 - 21:15 | |
CVE-2017-8413 | 8.3 |
An issue was discovered on D-Link DCS-1100 and DCS-1130 devices. The device runs a custom daemon on UDP port 5978 which is called "dldps2121" and listens for broadcast packets sent on 255.255.255.255. This daemon handles custom D-Link UDP based proto
|
23-04-2021 - 16:47 | 02-07-2019 - 21:15 | |
CVE-2018-10699 | 6.8 |
An issue was discovered on Moxa AWK-3121 1.14 devices. The Moxa AWK 3121 provides certfile upload functionality so that an administrator can upload a certificate file used for connecting to the wireless network. However, the same functionality allows
|
24-08-2020 - 17:37 | 07-06-2019 - 20:29 | |
CVE-2017-13719 | 7.5 |
The Amcrest IPM-721S Amcrest_IPC-AWXX_Eng_N_V2.420.AC00.17.R.20170322 allows HTTP requests that permit enabling various functionalities of the camera by using HTTP APIs, instead of the web management interface that is provided by the application. Thi
|
17-07-2019 - 15:09 | 03-07-2019 - 20:15 | |
CVE-2017-11580 | 6.1 |
Blipcare Wifi blood pressure monitor BP700 10.1 devices allow memory corruption that results in Denial of Service. When connected to the "Blip" open wireless connection provided by the device, if a large string is sent as a part of the HTTP request i
|
15-07-2019 - 13:30 | 02-07-2019 - 21:15 | |
CVE-2017-11579 | 4.8 |
In the most recent firmware for Blipcare, the device provides an open Wireless network called "Blip" for communicating with the device. The user connects to this open Wireless network and uses the web management interface of the device to provide the
|
15-07-2019 - 13:29 | 02-07-2019 - 21:15 | |
CVE-2017-11578 | 4.3 |
It was discovered as a part of the research on IoT devices in the most recent firmware for the Blipcare device that the device allows connecting to the web management interface over a non-SSL connection using the plain-text HTTP protocol. The user uses the web man
|
15-07-2019 - 13:10 | 02-07-2019 - 21:15 | |
CVE-2017-8229 | 5.0 |
Amcrest IPM-721S V2.420.AC00.16.R.20160909 devices allow an unauthenticated attacker to download the administrative credentials. If the firmware version V2.420.AC00.16.R 9/9/2016 is dissected using binwalk tool, one obtains a _user-x.squashfs.img.ext
|
11-07-2019 - 02:29 | 03-07-2019 - 20:15 | |
CVE-2017-8228 | 6.8 |
Amcrest IPM-721S V2.420.AC00.16.R.20160909 devices mishandle reboots within the past two hours. Amcrest cloud services does not perform a thorough verification when allowing the user to add a new camera to the user's account to ensure that the user a
|
11-07-2019 - 02:28 | 03-07-2019 - 20:15 | |
CVE-2017-8227 | 5.0 |
Amcrest IPM-721S V2.420.AC00.16.R.20160909 devices have a timeout policy to wait for 5 minutes in case 30 incorrect password attempts are detected using the Web and HTTP API interface provided by the device. However, if the same brute force attempt i
|
11-07-2019 - 01:58 | 03-07-2019 - 20:15 | |
CVE-2017-8226 | 7.5 |
Amcrest IPM-721S V2.420.AC00.16.R.20160909 devices have default credentials that are hardcoded in the firmware and can be extracted by anyone who reverses the firmware to identify them. If the firmware version V2.420.AC00.16.R 9/9/2016 is dissected u
|
11-07-2019 - 01:49 | 03-07-2019 - 20:15 | |
CVE-2017-8337 | 6.8 |
An issue was discovered on Securifi Almond, Almond+, and Almond 2015 devices with firmware AL-R096. The device provides a user with the capability of executing various actions on the web management interface. It seems that the device does not impleme
|
21-06-2019 - 15:17 | 18-06-2019 - 21:15 | |
CVE-2017-8330 | 3.3 |
An issue was discovered on Securifi Almond, Almond+, and Almond 2015 devices with firmware AL-R096. The device provides a UPnP functionality for devices to interface with the router and interact with the device. It seems that the "NewInMessage" SOAP
|
21-06-2019 - 15:07 | 18-06-2019 - 21:15 | |
CVE-2017-8332 | 6.5 |
An issue was discovered on Securifi Almond, Almond+, and Almond 2015 devices with firmware AL-R096. The device provides a user with the capability of blocking key words passing in the web traffic to prevent kids from watching content that might be de
|
21-06-2019 - 14:55 | 18-06-2019 - 21:15 | |
CVE-2017-8331 | 6.5 |
An issue was discovered on Securifi Almond, Almond+, and Almond 2015 devices with firmware AL-R096. The device provides a user with the capability of adding new port forwarding rules to the device. It seems that the POST parameters passed in this req
|
21-06-2019 - 14:50 | 18-06-2019 - 20:15 | |
CVE-2017-8333 | 9.0 |
An issue was discovered on Securifi Almond, Almond+, and Almond 2015 devices with firmware AL-R096. The device provides a user with the capability of adding new routes to the device. It seems that the POST parameters passed in this request to set up
|
21-06-2019 - 14:46 | 18-06-2019 - 20:15 | |
CVE-2017-9386 | 4.0 |
An issue was discovered on Vera VeraEdge 1.7.19 and Veralite 1.7.481 devices. The device provides a script file called "get_file.sh" which allows a user to retrieve any file stored in the "cmh-ext" folder on the device. However, the "filename" parame
|
21-06-2019 - 13:43 | 17-06-2019 - 20:15 | |
CVE-2017-8328 | 9.3 |
An issue was discovered on Securifi Almond, Almond+, and Almond 2015 devices with firmware AL-R096. The device provides a user with the capability of changing the administrative password for the web management interface. It seems that the device does
|
21-06-2019 - 13:37 | 18-06-2019 - 21:15 | |
CVE-2017-8336 | 6.5 |
An issue was discovered on Securifi Almond, Almond+, and Almond 2015 devices with firmware AL-R096. The device provides a user with the capability of adding new routes to the device. It seems that the POST parameters passed in this request to set up
|
21-06-2019 - 13:16 | 18-06-2019 - 19:15 | |
CVE-2017-8334 | 6.0 |
An issue was discovered on Securifi Almond, Almond+, and Almond 2015 devices with firmware AL-R096. The device provides a user with the capability of blocking IP addresses using the web management interface. It seems that the device does not implemen
|
21-06-2019 - 01:46 | 18-06-2019 - 21:15 | |
CVE-2017-8335 | 6.0 |
An issue was discovered on Securifi Almond, Almond+, and Almond 2015 devices with firmware AL-R096. The device provides a user with the capability of setting a name for the wireless network. These values are stored by the device in NVRAM (Non-volatile RAM)
|
20-06-2019 - 20:55 | 18-06-2019 - 19:15 | |
CVE-2017-8329 | 4.6 |
An issue was discovered on Securifi Almond, Almond+, and Almond 2015 devices with firmware AL-R096. The device provides a user with the capability of setting a name for the wireless network. These values are stored by the device in NVRAM (Non-volatil
|
20-06-2019 - 20:43 | 18-06-2019 - 20:15 | |
CVE-2017-10721 | 4.0 |
Recently it was discovered as a part of the research on IoT devices in the most recent firmware for Shekar Endoscope that the device has Telnet functionality enabled by default. This device acts as an Endoscope camera that allows its users to use it
|
20-06-2019 - 19:32 | 17-06-2019 - 22:15 | |
CVE-2017-10723 | 6.5 |
Recently it was discovered as a part of the research on IoT devices in the most recent firmware for Shekar Endoscope that an attacker connected to the device Wi-Fi SSID can exploit a memory corruption issue and execute remote code on the device. This
|
20-06-2019 - 19:10 | 17-06-2019 - 22:15 | |
CVE-2017-10722 | 4.6 |
Recently it was discovered as a part of the research on IoT devices in the most recent firmware for Shekar Endoscope that the desktop application used to connect to the device suffers from a stack overflow if more than 26 characters are passed to it
|
20-06-2019 - 19:03 | 17-06-2019 - 22:15 | |
CVE-2017-10720 | 4.6 |
Recently it was discovered as a part of the research on IoT devices in the most recent firmware for Shekar Endoscope that the desktop application used to connect to the device suffers from a stack overflow if more than 26 characters are passed to it
|
20-06-2019 - 18:53 | 17-06-2019 - 22:15 | |
CVE-2017-10724 | 6.5 |
Recently it was discovered as a part of the research on IoT devices in the most recent firmware for Shekar Endoscope that an attacker connected to the device Wi-Fi SSID can exploit a memory corruption issue and execute remote code on the device. This
|
20-06-2019 - 18:50 | 17-06-2019 - 22:15 | |
CVE-2017-10719 | 4.0 |
Recently it was discovered as a part of the research on IoT devices in the most recent firmware for Shekar Endoscope that the device has default Wi-Fi credentials that are exactly the same for every device. This device acts as an Endoscope camera tha
|
20-06-2019 - 18:12 | 17-06-2019 - 22:15 | |
CVE-2017-10718 | 4.0 |
Recently it was discovered as a part of the research on IoT devices in the most recent firmware for Shekar Endoscope that any malicious user connecting to the device can change the default SSID and password thereby denying the owner access to his/
|
20-06-2019 - 18:08 | 17-06-2019 - 22:15 | |
CVE-2017-9390 | 4.3 |
An issue was discovered on Vera VeraEdge 1.7.19 and Veralite 1.7.481 devices. The device provides a shell script called connect.sh which is supposed to return a specific cookie for the user when the user is authenticated to https://home.getvera.com.
|
20-06-2019 - 17:09 | 17-06-2019 - 20:15 | |
CVE-2017-9382 | 4.0 |
An issue was discovered on Vera VeraEdge 1.7.19 and Veralite 1.7.481 devices. The device provides UPnP services that are available on port 3480 and can also be accessed via port 80 using the url "/port_3480". It seems that the UPnP services provide "
|
20-06-2019 - 16:44 | 17-06-2019 - 20:15 | |
CVE-2017-9385 | 5.0 |
An issue was discovered on Vera Veralite 1.7.481 devices. The device has an additional OpenWRT interface in addition to the standard web interface which allows the highest privileges a user can obtain on the device. This web interface uses root as th
|
20-06-2019 - 16:44 | 17-06-2019 - 20:15 | |
CVE-2017-9384 | 9.0 |
An issue was discovered on Vera VeraEdge 1.7.19 and Veralite 1.7.481 devices. The device provides a web user interface that allows a user to manage the device. As a part of the functionality the device firmware file contains a file known as relay.sh
|
20-06-2019 - 16:41 | 17-06-2019 - 18:15 | |
CVE-2017-9383 | 6.5 |
An issue was discovered on Vera VeraEdge 1.7.19 and Veralite 1.7.481 devices. The device provides UPnP services that are available on port 3480 and can also be accessed via port 80 using the url "/port_3480". It seems that the UPnP services provide "
|
20-06-2019 - 16:36 | 17-06-2019 - 20:15 | |
CVE-2017-9381 | 6.8 |
An issue was discovered on Vera VeraEdge 1.7.19 and Veralite 1.7.481 devices. The device provides a user with the capability of installing or deleting apps on the device using the web management interface. It seems that the device does not implement
|
20-06-2019 - 15:45 | 17-06-2019 - 18:15 | |
CVE-2017-9388 | 9.0 |
An issue was discovered on Vera VeraEdge 1.7.19 and Veralite 1.7.481 devices. The device provides a web user interface that allows a user to manage the device. As a part of the functionality the device firmware file contains a file known as proxy.sh
|
20-06-2019 - 14:51 | 17-06-2019 - 17:15 | |
CVE-2017-9387 | 3.5 |
An issue was discovered on Vera VeraEdge 1.7.19 and Veralite 1.7.481 devices. The device provides a shell script called relay.sh which is used for creating new SSH relays for the device so that the device connects to Vera servers. All the parameters
|
20-06-2019 - 14:27 | 17-06-2019 - 20:15 | |
CVE-2017-9389 | 9.0 |
An issue was discovered on Vera VeraEdge 1.7.19 and Veralite 1.7.481 devices. The device provides a web user interface that allows a user to manage the device. As a part of the functionality the device allows a user to install applications written in
|
20-06-2019 - 14:19 | 17-06-2019 - 20:15 | |
CVE-2017-9391 | 9.0 |
An issue was discovered on Vera VeraEdge 1.7.19 and Veralite 1.7.481 devices. The device provides UPnP services that are available on port 3480 and can also be accessed via port 80 using the url "/port_3480". It seems that the UPnP services provide "
|
20-06-2019 - 13:42 | 17-06-2019 - 21:15 | |
CVE-2017-9392 | 9.0 |
An issue was discovered on Vera VeraEdge 1.7.19 and Veralite 1.7.481 devices. The device provides UPnP services that are available on port 3480 and can also be accessed via port 80 using the url "/port_3480". It seems that the UPnP services provide "
|
20-06-2019 - 13:29 | 17-06-2019 - 21:15 | |
CVE-2017-13717 | 4.3 |
Starry Station (aka Starry Router) sets the Access-Control-Allow-Origin header to "*". This allows any hosted file on any domain to make calls to the device's webserver and brute force the credentials and pull any information that is stored on the de
|
11-06-2019 - 17:55 | 10-06-2019 - 22:29 | |
CVE-2017-13718 | 6.0 |
The HTTP API supported by Starry Station (aka Starry Router) allows brute forcing the PIN setup by the user on the device, and this allows an attacker to change the Wi-Fi settings and PIN, as well as port forward and expose any internal device's port
|
11-06-2019 - 16:34 | 10-06-2019 - 22:29 | |
CVE-2018-10695 | 6.8 |
An issue was discovered on Moxa AWK-3121 1.14 devices. It provides alert functionality so that an administrator can send emails to his/her account when there are changes to the device's network. However, the same functionality allows an attacker to e
|
11-06-2019 - 14:49 | 07-06-2019 - 20:29 | |
CVE-2018-10696 | 6.8 |
An issue was discovered on Moxa AWK-3121 1.14 devices. The device provides a web interface to allow an administrator to manage the device. However, this interface is not protected against CSRF attacks, which allows an attacker to trick an administrat
|
11-06-2019 - 14:39 | 07-06-2019 - 20:29 | |
CVE-2018-10701 | 6.8 |
An issue was discovered on Moxa AWK-3121 1.14 devices. It provides functionality so that an administrator can run scripts on the device to troubleshoot any issues. However, the same functionality allows an attacker to execute commands on the device.
|
11-06-2019 - 13:43 | 07-06-2019 - 20:29 | |
CVE-2018-10703 | 6.8 |
An issue was discovered on Moxa AWK-3121 1.14 devices. It provides functionality so that an administrator can run scripts on the device to troubleshoot any issues. However, the same functionality allows an attacker to execute commands on the device.
|
10-06-2019 - 23:29 | 07-06-2019 - 20:29 | |
CVE-2018-10691 | 5.0 |
An issue was discovered on Moxa AWK-3121 1.14 devices. It is intended that an administrator can download /systemlog.log (the system log). However, the same functionality allows an attacker to download the file without any authentication or authorizat
|
10-06-2019 - 23:29 | 07-06-2019 - 20:29 | |
CVE-2018-10693 | 6.8 |
An issue was discovered on Moxa AWK-3121 1.14 devices. It provides ping functionality so that an administrator can execute ICMP calls to check if the network is working correctly. However, the same functionality allows an attacker to execute commands
|
10-06-2019 - 23:29 | 07-06-2019 - 20:29 | |
CVE-2018-10700 | 4.3 |
An issue was discovered on Moxa AWK-3121 1.19 devices. It provides functionality so that an administrator can change the name of the device. However, the same functionality allows an attacker to execute XSS by injecting an XSS payload. The POST param
|
10-06-2019 - 23:29 | 07-06-2019 - 20:29 | |
CVE-2018-10692 | 4.3 |
An issue was discovered on Moxa AWK-3121 1.14 devices. The session cookie "Password508" does not have an HttpOnly flag. This allows an attacker who is able to execute a cross-site scripting attack to steal the cookie very easily.
|
10-06-2019 - 23:29 | 07-06-2019 - 20:29 |