Mini 8 Firmware

mini-8_firmware

Vendor: Rainmachine • 3 CVEs

CVEs (3)

Vendors (1): Rainmachine
Products (2): Mini 8 Firmware, Touch Hd 12 Firmware
Updated: Nov 21, 2024
Published: Nov 1, 2018
CVSS: N/A (v4), 9.8 CRITICAL (v3), 5.0 MEDIUM (v2)
An authentication bypass vulnerability exists in the Green Electronics RainMachine Mini-8 (2nd Generation) and Touch HD 12 web application allowing an unauthenticated attacker to perform authenticated actions on the device via a 127.0.0.1:port value in the HTTP 'Host' header, as demonstrated by retrieving credentials.

Vendors (1): Rainmachine
Products (1): Mini 8 Firmware
Updated: Nov 21, 2024
Published: Nov 1, 2018
CVSS: N/A (v4), 9.8 CRITICAL (v3), 7.5 HIGH (v2)
The 'Weather Service' feature of the Green Electronics RainMachine Mini-8 (2nd generation) allows an attacker to inject arbitrary Python code via the 'Add new weather data source' upload function.

Vendors (1): Rainmachine
Products (1): Mini 8 Firmware
Updated: Nov 21, 2024
Published: Nov 1, 2018
CVSS: N/A (v4), 8.1 HIGH (v3), 6.8 MEDIUM (v2)
The time-based one-time-password (TOTP) function in the application logic of the Green Electronics RainMachine Mini-8 (2nd generation) uses the administrator's password hash to generate a 6-digit temporary passcode that can be used for remote and local access, aka a "Use of Password Hash Instead of Password for Authentication" issue. This is exploitable by an attacker who discovers a hash value in the rainmachine-settings.sqlite file.