PT-2019-15725 · Eq 3 · Eq-3 Homematic Ccu3+1

Psytester

Publicado

2019-11-14

Atualizado

2021-07-21

CVE-2019-18937

CVSS v2.0

7.5

Alta

Vetor

AV:N/AC:L/Au:N/C:P/I:P/A:P

Name of the Vulnerable Software and Affected Versions eQ-3 Homematic CCU2 version 2.47.20 eQ-3 Homematic CCU3 version 3.47.18

Description The issue allows remote code execution by unauthenticated attackers with access to the web interface. This is achieved via the exec.cgi script, which executes TCL script content from an HTTP POST request.

Recommendations For eQ-3 Homematic CCU2 version 2.47.20, update the system to remove or restrict access to the exec.cgi script to prevent remote code execution. For eQ-3 Homematic CCU3 version 3.47.18, update the system to remove or restrict access to the exec.cgi script to prevent remote code execution. As a temporary workaround, consider disabling the Script Parser AddOn until a patch is available.

Exploit

Correção

Missing Authentication

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-306

Identificadores relacionados

CVE-2019-18937

Produtos afetados

Eq-3 Homematic Ccu2

Eq-3 Homematic Ccu3

PT-2019-15725 · Eq 3 · Eq-3 Homematic Ccu3+1

CVE-2019-18937

Enumeração de Fraquezas

Identificadores relacionados

Produtos afetados

Referências · 2