
CVSS: 9.8 | EPSS: 0% | CPEs: 2 | EXPL: 0

An issue was discovered in Contiki-NG through 4.3 and Contiki through 3.0. An out-of-bounds write is present in the data section during 6LoWPAN fragment re-assembly in the face of forged fragment offsets in os/net/ipv6/sicslowpan.c.

• https://github.com/contiki-ng/contiki-ng/pull/972
• https://github.com/contiki-ng/contiki-ng/releases/tag/release%2Fv4.4
• https://www.usenix.org/system/files/sec20summer_clements_prepub.pdf
• CWE-787: Out-of-bounds Write

CVSS: 7.8 | EPSS: 0% | CPEs: 1 | EXPL: 0

An issue was discovered in Contiki Operating System 3.0. A use-after-free vulnerability exists in httpd-simple.c in cc26xx-web-demo httpd, where upon a connection close event, the http_state structure was not deallocated properly, resulting in a NULL pointer dereference in the output processing function. This resulted in a board crash, which can be used to perform denial of service.

• https://gist.github.com/jackmcbride/c9328627f1ee104ce84f3fb7eff42f1e
• CWE-416: Use After Free

CVSS: 6.1 | EPSS: 0% | CPEs: 1 | EXPL: 0

An issue was discovered in Contiki Operating System 3.0. A Persistent XSS vulnerability is present in the MQTT/IBM Cloud Config page (aka mqtt.html) of cc26xx-web-demo. The cc26xx-web-demo features a webserver that runs on a constrained device. That particular page allows a user to remotely configure that device's operation by sending HTTP POST requests. The vulnerability consists of improper input sanitisation of the text fields on the MQTT/IBM Cloud config page, allowing for JavaScript code injection.

• http://www.securityfocus.com/bid/98790
• https://gist.github.com/jackmcbride/c9328627f1ee104ce84f3fb7eff42f1e
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')