CVE-2019-18938

Published: Nov 14, 2019Modified: Nov 21, 2024

9.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

eQ-3 Homematic CCU2 2.47.20 and CCU3 3.47.18 with the E-Mail AddOn through 1.6.8.c installed allow Remote Code Execution by unauthenticated attackers with access to the web interface via the save.cgi script for payload upload and the testtcl.cgi script for its execution.

Affected (16)

Products: Hm Email Project: Hm Email · Eq 3: Homematic Ccu2 Firmware, Homematic Ccu3 Firmware

Hm Email Project

1 product

Hm Email

Eq 3

2 products

Homematic Ccu2 Firmware

Homematic Ccu3 Firmware

Configuration B

1 vulnerable

Vulnerable Software	Affected Versions
Hm Email Project Hm Email	Version 1.6.8c

Configuration O

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Eq 3 Homematic Ccu2 Firmware	Version 2.24.20

Running on/with	Platform Versions
Eq 3 Homematic Ccu2	All versions

Configuration P

1 vulnerable

Vulnerable Software	Affected Versions
Hm Email Project Hm Email	Version 1.6.8b

Configuration Q

1 vulnerable

Vulnerable Software	Affected Versions
Hm Email Project Hm Email	Version 1.6.8a

Configuration R

1 vulnerable

Vulnerable Software	Affected Versions
Hm Email Project Hm Email	Version 1.6.8

Configuration S

1 vulnerable

Vulnerable Software	Affected Versions
Hm Email Project Hm Email	Version 1.6.7c

Configuration T

1 vulnerable

Vulnerable Software	Affected Versions
Hm Email Project Hm Email	Version 1.6.7b

Configuration U

1 vulnerable

Vulnerable Software	Affected Versions
Hm Email Project Hm Email	Version 1.6.7a

Configuration V

1 vulnerable

Vulnerable Software	Affected Versions
Hm Email Project Hm Email	Version 1.6.7

Configuration W

1 vulnerable

Vulnerable Software	Affected Versions
Hm Email Project Hm Email	Version 1.6.6

Configuration X

1 vulnerable

Vulnerable Software	Affected Versions
Hm Email Project Hm Email	Version 1.6.5

Configuration Y

1 vulnerable

Vulnerable Software	Affected Versions
Hm Email Project Hm Email	Version 1.6.4

Configuration Z

1 vulnerable

Vulnerable Software	Affected Versions
Hm Email Project Hm Email	Version 1.6.3

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Hm Email Project Hm Email	Version 1.6.2

Configuration B

2 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Eq 3 Homematic Ccu3 Firmware	Version 3.47.18
Hm Email Project Hm Email	Version 1.6.0

Running on/with	Platform Versions
Eq 3 Homematic Ccu3	All versions

Related CWEs

CWE-306

Missing Authentication for Critical Function

The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

References (2)

https://psytester.github.io/CVE-2019-18938/

Source: cve@mitre.org

ExploitThird Party Advisory

https://psytester.github.io/CVE-2019-18938/

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

Timeline

No history available yet.