CVE-2023-1751

Name of the Vulnerable Software and Affected Versions Nexx Smart Home devices (affected versions not specified) Nexx Garage Door Controller (NXG-100B, NXG-200) (affected versions not specified) Nexx Smart Plug (NXPG-100W) (affected versions not specified) Nexx Smart Alarm (NXAL-100) (affected versions not specified)

Description The issue is related to a WebSocket server in Nexx Smart Home devices that does not properly validate the bearer token in the Authorization header. This could allow any authorized user to receive alarm information and signals meant for other devices, potentially leaking a deviceId. The vulnerability is associated with insufficient input validation in the software of Nexx controllers.

Recommendations For Nexx Smart Home devices, consider disabling the WebSocket server until a patch is available. For Nexx Garage Door Controller, restrict access to the vulnerable software component to minimize the risk of exploitation. For Nexx Smart Plug, avoid using the Authorization header with the bearer token in the affected API endpoint until the issue is resolved. For Nexx Smart Alarm, as a temporary workaround, consider restricting the use of the vulnerable module to prevent information leakage. At the moment, there is no information about a newer version that contains a fix for this vulnerability.