CVE-2017-9390

Name of the Vulnerable Software and Affected Versions Vera VeraEdge version 1.7.19 Vera Veralite version 1.7.481

Description An issue was discovered in the devices, where a shell script called connect.sh is used to return a specific cookie for the user when authenticated to https://home.getvera.com. The script retrieves a parameter called RedirectURL, but lacks strict input validation, allowing an attacker to execute client-side code on the application.

Recommendations For Vera VeraEdge version 1.7.19, consider disabling the connect.sh script until a patch is available. For Vera Veralite version 1.7.481, restrict access to the connect.sh script to minimize the risk of exploitation. Avoid using the RedirectURL parameter in the affected application until the issue is resolved.