CVE-2019-11063
8.3 High
CVSS2
Attack Vector
ADJACENT_NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:A/AC:L/Au:N/C:C/I:C/A:C
10 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
8.5 High
AI Score
Confidence
High
0.002 Low
EPSS
Percentile
56.4%
A broken access control vulnerability in SmartHome app (Android versions up to 3.0.42_190515, ios versions up to 2.0.22) allows an attacker in the same local area network to list user accounts and control IoT devices that connect with its gateway (HG100) via http://[target]/smarthome/devicecontrol without any authentication. CVSS 3.0 base score 10 (Confidentiality, Integrity and Availability impacts). CVSS vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).
Affected configurations
| CPE | Name | Operator | Version |
|---|---|---|---|
| asus:smarthome | asus smarthome | lt | 2.0.22 |
| asus:smarthome | asus smarthome | lt | 3.0.42_190515 |
CNA Affected
[
{
"product": "SmartHome Android app",
"vendor": "ASUS",
"versions": [
{
"status": "affected",
"version": "up to 3.0.42_190515"
}
]
},
{
"product": "SmartHome ios app",
"vendor": "ASUS",
"versions": [
{
"status": "affected",
"version": "up to 2.0.22"
}
]
}
]Related
8.3 High
CVSS2
Attack Vector
ADJACENT_NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:A/AC:L/Au:N/C:C/I:C/A:C
10 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
8.5 High
AI Score
Confidence
High
0.002 Low
EPSS
Percentile
56.4%