PT-2019-13717 · Eq 3 · Eq-3 Homematic Ccu2+1
Psytester
·
Published
2019-08-06
·
Updated
2020-08-24
·
CVE-2019-14473
CVSS v3.1
8.8
High
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
eQ-3 Homematic CCU2 and CCU3 (affected versions not specified)
Description
The issue concerns a lack of authorization checks in the authentication process of eQ-3 Homematic CCU2 and CCU3, which use session IDs for authentication. This allows a user with a valid guest level or user level account to perform administrative actions, including creating new admin level accounts, reading service messages, clearing the system protocol, or modifying and deleting internal programs.
Recommendations
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Exploit
Missing Authorization
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Eq-3 Homematic Ccu2
Eq-3 Homematic Ccu3