A command injection vulnerability exists in apply.cgi on the ASUS RP-AC52 access point, firmware version 1.0.1.1s and possibly earlier, web interface specifically in the action_script parameter. The action_script parameter specifies a script to be...
In ASUS RP-AC52 access points with firmware version 1.0.1.1s and possibly earlier, the web interface, the web interface does not sufficiently verify whether a valid request was intentionally provided by the user. An attacker...
Synology NAS servers DS107, firmware version 3.1-1639 and prior, and DS116, DS213, firmware versions prior to 5.2-5644-1, use non-random default credentials of: guest:(blank) and admin:(blank) . A remote network attacker can gain privileged access...
Nuuo NT-4040 Titan, firmware NT-4040_01.07.0000.0015_1120, uses non-random default credentials of: admin:admin and localdisplay:111111. A remote network attacker can gain privileged access to a vulnerable device. Date published : 2018-07-13 http://www.securityfocus.com/bid/93807 https://www.kb.cert.org/vuls/id/326395
Green Packet DX-350 uses non-random default credentials of: root:wimax. A remote network attacker can gain privileged access to a vulnerable device. Date published : 2018-07-13 https://www.securityfocus.com/bid/93806 https://www.kb.cert.org/vuls/id/970379
Intellian Satellite TV antennas t-Series and v-Series, firmware version 1.07, uses non-random default credentials of: ftp/ftp or intellian:12345678. A remote network attacker can gain elevated access to a vulnerable device. Date published : 2018-07-13...
The Zizai Tech Nut device allows unauthenticated Bluetooth pairing, which enables unauthenticated connected applications to write data to the device name attribute. Date published : 2018-07-13 https://www.securityfocus.com/bid/93877 https://www.kb.cert.org/vuls/id/402847
The Zizai Tech Nut mobile app makes requests via HTTP instead of HTTPS. These requests contain the user’s authenticated session token with the URL. An attacker can capture these requests and reuse the session...
The Zizai Tech Nut mobile app stores the account password used to authenticate to the cloud API in cleartext in the cache.db file. Date published : 2018-07-13 https://www.securityfocus.com/bid/93877 https://www.kb.cert.org/vuls/id/402847
The iTrack Easy mobile application stores the account password used to authenticate to the cloud API in base64-encoding in the cache.db file. The base64 encoding format is considered equivalent to cleartext. Date published :...
Session cookies are not used for maintaining valid sessions in iTrack Easy. The user’s password is passed as a POST parameter over HTTPS using a base64 encoded passwd field on every request. In this...
getgps data in iTrack Easy can be modified without authentication by setting the data using the parametercmd:setothergps. This vulnerability can be exploited to alter the GPS data of a lost device. Date published :...
A captured MAC/device ID of an iTrack Easy can be registered under multiple user accounts allowing access to getgps GPS data, which can allow unauthenticated parties to track the device. Date published : 2018-07-13...
The iTrack device tracking ID number, also called "LosserID" in the web API, can be obtained by being in the range of an iTrack device. The tracker ID is the device’s BLE MAC address....