CVE-2019-15849

Published: Oct 17, 2019Modified: Nov 21, 2024

7.3

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N

Exploitability: 2.1 / Impact: 5.2

Source: NVD

Description

eQ-3 HomeMatic CCU3 firmware 3.41.11 allows session fixation. An attacker can create session IDs and send them to the victim. After the victim logs in to the session, the attacker can use that session. The attacker could create SSH logins after a valid session and easily compromise the system.

Affected (1)

Products: Eq 3: Homematic Ccu3 Firmware

1 product

Homematic Ccu3 Firmware

Configuration A

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Eq 3 Homematic Ccu3 Firmware	Version 3.14.11

Running on/with	Platform Versions
Eq 3 Homematic Ccu3	All versions

Related CWEs

Session Fixation

Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.

References (4)

https://noskill1337.github.io/homematic-ccu3-session-fixation

Source: cve@mitre.org

ExploitMitigationThird Party Advisory

https://www.eq-3.com/products/homematic.html

Source: cve@mitre.org

Vendor Advisory

https://noskill1337.github.io/homematic-ccu3-session-fixation

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitMitigationThird Party Advisory

https://www.eq-3.com/products/homematic.html

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.