PT-2018-18899 · Contec · Contec Smart Home

Published

2018-03-31

Updated

2018-05-15

CVE-2018-9162

CVSS v3.1

9.8

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions Contec Smart Home version 4.15

Description The issue allows unauthorized access to certain PHP files, including new user.php, edit user.php, delete user.php, and user.php, without requiring authentication. This can be exploited to change the admin password, potentially leading to control over doors.

Recommendations For Contec Smart Home version 4.15, consider restricting access to the vulnerable PHP files, such as new user.php, edit user.php, delete user.php, and user.php, until a patch is available. As a temporary workaround, limit the functionality of these files to prevent unauthorized changes, such as modifying the admin password.

Exploit

Fix

Missing Authentication

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-306

Related Identifiers

CVE-2018-9162

Affected Products

Contec Smart Home

PT-2018-18899 · Contec · Contec Smart Home

CVE-2018-9162

Weakness Enumeration

Related Identifiers

Affected Products

References · 3