PT-2019-13911 · Eq 3 · Homematic CCU2 +1

Psytester · Published 2019-08-13 · Updated 2020-08-24 · CVE-2019-14984

CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
eQ-3 Homematic CCU2 and CCU3 versions prior to 1.2.0 AddOn

Description
The issue allows remote code execution by unauthenticated attackers with access to the web interface. The cause is the undocumented script addons/xmlapi/exec.cgi, which uses CMD EXEC to execute TCL code taken from a POST request to the "XML-API".

Recommendations
For versions prior to 1.2.0 AddOn, as a temporary workaround, consider disabling the exec.cgi script in the addons/xmlapi directory until a patch is available. Restrict access to the XML-API to minimize the risk of exploitation. Avoid using the XML-API until the issue is resolved.

Weakness Enumeration
Missing Authentication

Related Identifiers
CVE-2019-14984

Affected Products
Homematic CCU2
Homematic CCU3