PT-2019-15727 · Eq 3 · Eq-3 Homematic Hm-Print Addon+2
Psytester
·
Published
2019-11-14
·
Updated
2021-07-21
·
CVE-2019-18939
CVSS v3.1
9.8
Critical
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
eQ-3 Homematic CCU2 version 2.47.20
eQ-3 Homematic CCU3 version 3.47.18
eQ-3 Homematic HM-Print AddOn versions through 1.2a
Description
The issue allows remote code execution by unauthenticated attackers with access to the web interface. This is achieved via the
exec.cgi and exec1.cgi scripts, which execute TCL script content from an HTTP POST request.Recommendations
For eQ-3 Homematic CCU2 version 2.47.20, update to a version that fixes the remote code execution issue.
For eQ-3 Homematic CCU3 version 3.47.18, update to a version that fixes the remote code execution issue.
For eQ-3 Homematic HM-Print AddOn versions through 1.2a, update to a version that fixes the remote code execution issue.
As a temporary workaround, consider restricting access to the
exec.cgi and exec1.cgi scripts to minimize the risk of exploitation.Exploit
Fix
Missing Authentication
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Eq-3 Homematic Ccu2
Eq-3 Homematic Ccu3
Eq-3 Homematic Hm-Print Addon