CVE-2019-9584

Published: Aug 14, 2019Modified: Nov 21, 2024

9.8

Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

eQ-3 Homematic AddOn 'CloudMatic' on CCU2 and CCU3 allows uncontrolled admin access, resulting in the ability to obtain VPN profile details, shutting down the VPN service and to delete the VPN service configuration. This is related to improper access control for all /addons/mh/ pages.

Affected (2)

Products: Eq 3: Homematic Ccu2 Firmware, Homematic Ccu3 Firmware

2 products

Homematic Ccu2 Firmware

Homematic Ccu3 Firmware

Configuration A

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Eq 3 Homematic Ccu2 Firmware	Up to 2.47.15

Running on/with	Platform Versions
Eq 3 Homematic Ccu2	All versions

Configuration B

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Eq 3 Homematic Ccu3 Firmware	Up to 3.47.15

Running on/with	Platform Versions
Eq 3 Homematic Ccu3	All versions

Related CWEs

Direct Request ('Forced Browsing')

The web application does not adequately enforce appropriate authorization on all restricted URLs, scripts, or files.

References (4)

https://github.com/psytester/psytester.github.io/blob/master/_posts/hacking_and_pentests/CVEs/2019-03-27-CVE-2019-9584.md

Source: cve@mitre.org

ExploitThird Party Advisory

https://psytester.github.io/CVE-2019-9584/

Source: cve@mitre.org

ExploitThird Party Advisory

https://github.com/psytester/psytester.github.io/blob/master/_posts/hacking_and_pentests/CVEs/2019-03-27-CVE-2019-9584.md

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

https://psytester.github.io/CVE-2019-9584/

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

Timeline

No history available yet.