PT-2023-4170 · Taphome · Taphome

Noam Moshe · Published 2023-07-17 · Updated 2024-10-02 · CVE-2023-2759

CVSS v2.0: 9.0 High

Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions

TapHome versions prior to 2023.2

Description

The issue is related to weaknesses in the authentication procedure of the TapHome system, allowing a remote attacker to bypass authentication and gain full access to the device. A hidden API in TapHome's core platform exists, enabling an authenticated, low-privileged user to change passwords of other users without prior knowledge. Additionally, an SQL injection vulnerability is present in the HandleMessageUpdateDevicePropertiesRequest function, allowing low-privileged users to inject arbitrary SQL directives and execute arbitrary SQL commands, potentially leading to limited write access and temporary Denial-of-Service.

Recommendations

For versions prior to 2023.2, update to version 2023.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the hidden API and the HandleMessageUpdateDevicePropertiesRequest function until a patch is available. Avoid using the vulnerable API endpoints and functions until the issue is resolved.

Fix

Incorrect Authorization

Improper Authentication

Weakness Enumeration

Related Identifiers

BDU:2023-04482
CVE-2023-2759

Affected Products

Taphome