Lucene search

TalosCVELIST:CVE-2022-35887

HistoryOct 25, 2022 - 4:34 p.m.

CVE-2022-35887

2022-10-2516:34:24

CWE-134

talos

www.cve.org

format string injection

abode systems

memory corruption

information disclosure

denial of service

CVSS3

8.2

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H

AI Score

8.9

Confidence

High

EPSS

0.001

Percentile

28.4%

JSON

Four format string injection vulnerabilities exist in the web interface /action/wirelessConnect functionality of Abode Systems, Inc. iota All-In-One Security Kit 6.9Z and 6.9X. A specially-crafted HTTP request can lead to memory corruption, information disclosure and denial of service. An attacker can make an authenticated HTTP request to trigger these vulnerabilities.This vulnerability arises from format string injection via the default_key_id HTTP parameter, as used within the /action/wirelessConnect handler.

CNA Affected

[
  {
    "vendor": "abode systems, inc.",
    "product": "iota All-In-One Security Kit",
    "versions": [
      {
        "version": "6.9X",
        "status": "affected"
      },
      {
        "version": "6.9Z",
        "status": "affected"
      }
    ]
  }
]

References

talosintelligence.com/vulnerability_reports/TALOS-2022-1585

CVSS3

8.2

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H

AI Score

8.9

Confidence

High

EPSS

0.001

Percentile

28.4%

JSON

Related for CVELIST:CVE-2022-35887