PT-2022-22997 · Abode Systems · Iota All-In-One Security Kit

Matt Wiseman · Published 2022-10-25 · Updated 2022-10-27 · CVE-2022-35887

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Abode Systems, Inc. iota All-In-One Security Kit versions 6.9Z and 6.9X

Description: The issue arises from format string injection via the default key id HTTP parameter in the /action/wirelessConnect handler: the parameter value is used as a format string rather than as data. A specially-crafted HTTP request can lead to memory corruption, information disclosure, and denial of service. An attacker can make an authenticated HTTP request to trigger this issue.

Recommendations: For versions 6.9Z and 6.9X, consider restricting access to the /action/wirelessConnect API endpoint until a patch is available. As a temporary workaround, avoid using the default key id parameter in the affected API endpoint until the issue is resolved.
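The weakness class named in this advisory, shown as an added illustration rather than Abode's firmware code (the function names, the `keyid` parameter and the 64-byte limit are assumptions): the vulnerable form passes the request value straight to `snprintf` as the format string, while the hardened form keeps the format constant, passes the value as a `%s` argument, and validates it first.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Maximum length accepted for a key id; a constructed limit for this example. */
#define KEYID_MAX 64

/* Returns true only if the key id is printable ASCII, within length, and
 * contains no '%' (the character that starts a printf-style directive). */
bool keyid_is_safe(const char *keyid)
{
    size_t len = strlen(keyid);
    if (len == 0 || len > KEYID_MAX)
        return false;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)keyid[i];
        if (c < 0x20 || c > 0x7e || c == '%')
            return false;
    }
    return true;
}

/* CWE-134 pattern: the request-controlled value *is* the format string.
 * Any directive in it makes snprintf consume arguments that were never
 * passed, which is how the information disclosure, crash and memory
 * corruption in the advisory arise. The pragma only silences the compiler
 * warning so the deliberately bad line still builds for the demonstration. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
int build_status_vulnerable(char *out, size_t out_len, const char *keyid)
{
    return snprintf(out, out_len, keyid);
}
#pragma GCC diagnostic pop

/* Hardened form: constant format string, user value passed as data, and
 * the value validated before use. Returns -1 on rejected input, otherwise
 * the number of characters snprintf would write. */
int build_status_hardened(char *out, size_t out_len, const char *keyid)
{
    if (!keyid_is_safe(keyid))
        return -1;
    return snprintf(out, out_len, "key id: %s", keyid);
}

int main(void)
{
    char buf[128];
    const char *benign = "home-net-01";   /* constructed sample value */
    const char *hostile = "%x.%x.%x.%x";  /* constructed sample value */

    build_status_hardened(buf, sizeof buf, benign);
    printf("hardened, benign:   %s\n", buf);
    printf("hardened, hostile:  rc=%d (rejected)\n",
           build_status_hardened(buf, sizeof buf, hostile));
    /* The vulnerable builder is only called with the benign value here;
     * given the hostile value it would read undefined stack contents. */
    build_status_vulnerable(buf, sizeof buf, benign);
    printf("vulnerable, benign: %s\n", buf);
    return 0;
}
```

The validator is the mitigation a handler can apply today while the fixed format string is the real correction: once the format is a compile-time constant, the content of the parameter can no longer change how `snprintf` interprets its arguments.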

Weakness Enumeration: Use of Externally-Controlled Format String (CWE-134)

Related Identifiers: CVE-2022-35887

Affected Products: Iota All-In-One Security Kit