PT-2020-19482 · Evoko · Evoko Home

Published: 2020-01-19 · Updated: 2022-05-03 · CVE-2020-7232

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Evoko Home devices, versions 1.31 through 1.37

Description

The issue allows remote attackers to obtain sensitive information, such as usernames and password hashes, via a WebSocket request. This can be demonstrated by accessing the sockjs/224/uf1psgff/websocket URI at a wss:// URL.

Recommendations

For Evoko Home devices, versions 1.31 through 1.37: as a temporary workaround, consider restricting access to the WebSocket endpoint until a patch is available. Avoid using sensitive information via the WebSocket request until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.


Related Identifiers

CVE-2020-7232

Affected Products

Evoko Home