TwcertCVELIST:CVE-2019-11063CVE-2019-11063 SmartHome application has a broken access control vulnerability in its Web API Server
10 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
9.2 High
AI Score
Confidence
High
0.002 Low
EPSS
Percentile
56.3%
A broken access control vulnerability in SmartHome app (Android versions up to 3.0.42_190515, ios versions up to 2.0.22) allows an attacker in the same local area network to list user accounts and control IoT devices that connect with its gateway (HG100) via http://[target]/smarthome/devicecontrol without any authentication. CVSS 3.0 base score 10 (Confidentiality, Integrity and Availability impacts). CVSS vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).
CNA Affected
[
{
"product": "SmartHome Android app",
"vendor": "ASUS",
"versions": [
{
"status": "affected",
"version": "up to 3.0.42_190515"
}
]
},
{
"product": "SmartHome ios app",
"vendor": "ASUS",
"versions": [
{
"status": "affected",
"version": "up to 2.0.22"
}
]
}
]Related
10 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
9.2 High
AI Score
Confidence
High
0.002 Low
EPSS
Percentile
56.3%