CVE-2019-18938

Name of the Vulnerable Software and Affected Versions eQ-3 Homematic CCU2 version 2.47.20 eQ-3 Homematic CCU3 version 3.47.18 E-Mail AddOn versions through 1.6.8.c

Description The issue allows remote code execution by unauthenticated attackers with access to the web interface. This is achieved via the "save.cgi" script for payload upload and the "testtcl.cgi" script for its execution.

Recommendations For eQ-3 Homematic CCU2 version 2.47.20, restrict access to the web interface to prevent unauthenticated attackers from exploiting the issue. For eQ-3 Homematic CCU3 version 3.47.18, consider disabling the save.cgi and testtcl.cgi scripts until a fix is available. For E-Mail AddOn versions through 1.6.8.c, avoid using the affected scripts in the web interface until the issue is resolved.