HomeAutomation 3.3.2 - Open Redirect

HomeAutomation 3.3.2 contains a redirect vulnerability caused by improper verification of the 'redirect' GET parameter in 'api.php', letting attackers redirect users to arbitrary websites, exploit requires user interaction with a crafted link. id: CVE-2020-21998 info: name: HomeAutomation 3.3.2 -...

EUVD-2020-14753

Malware in sbrugna...

EUVD-2020-14766

Malware in sbrugna...

EUVD-2020-14767

Malware in sbrugna...

CVE-2020-21989

HomeAutomation 3.3.2 is affected by Cross Site Request Forgery CSRF. The application interface allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions with administrative privileges i...

CVE-2020-21998

In HomeAutomation 3.3.2 input passed via the 'redirect' GET parameter in 'api.php' script is not properly verified before being used to redirect users. This can be exploited to redirect a user to an arbitrary website e.g. when a user clicks a specially crafted link to the affected script hosted o...

CVE-2020-21987

HomeAutomation 3.3.2 is affected by persistent Cross Site Scripting XSS. XSS vulnerabilities occur when input passed via several parameters to several scripts is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's...

CVE-2020-21989

HomeAutomation 3.3.2 is affected by Cross Site Request Forgery CSRF. The application interface allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions with administrative privileges i...

CVE-2020-21989

HomeAutomation 3.3.2 is affected by Cross Site Request Forgery CSRF. The application interface allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions with administrative privileges i...

CVE-2020-22001

HomeAutomation 3.3.2 suffers from an authentication bypass vulnerability when spoofing client IP address using the X-Forwarded-For header with the local loopback IP address value allowing remote control of the smart home solution...

CVE-2020-22000

HomeAutomation 3.3.2 suffers from an authenticated OS command execution vulnerability using custom command v0.1 plugin. This can be exploited with a CSRF vulnerability to execute arbitrary shell commands as the web user via the 'setcommandon' and 'setcommandoff' POST parameters in...

CVE-2020-21998

In HomeAutomation 3.3.2 input passed via the 'redirect' GET parameter in 'api.php' script is not properly verified before being used to redirect users. This can be exploited to redirect a user to an arbitrary website e.g. when a user clicks a specially crafted link to the affected script hosted o...

CVE-2020-22000

HomeAutomation 3.3.2 suffers from an authenticated OS command execution vulnerability using custom command v0.1 plugin. This can be exploited with a CSRF vulnerability to execute arbitrary shell commands as the web user via the 'setcommandon' and 'setcommandoff' POST parameters in...

CVE-2020-22001

HomeAutomation 3.3.2 suffers from an authentication bypass vulnerability when spoofing client IP address using the X-Forwarded-For header with the local loopback IP address value allowing remote control of the smart home solution...

CVE-2020-21998

In HomeAutomation 3.3.2 input passed via the 'redirect' GET parameter in 'api.php' script is not properly verified before being used to redirect users. This can be exploited to redirect a user to an arbitrary website e.g. when a user clicks a specially crafted link to the affected script hosted o...

Authentication flaw

HomeAutomation 3.3.2 suffers from an authentication bypass vulnerability when spoofing client IP address using the X-Forwarded-For header with the local loopback IP address value allowing remote control of the smart home solution...

Design/Logic Flaw

In HomeAutomation 3.3.2 input passed via the 'redirect' GET parameter in 'api.php' script is not properly verified before being used to redirect users. This can be exploited to redirect a user to an arbitrary website e.g. when a user clicks a specially crafted link to the affected script hosted o...

Cross site request forgery (csrf)

HomeAutomation 3.3.2 is affected by Cross Site Request Forgery CSRF. The application interface allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions with administrative privileges i...

Cross site scripting

HomeAutomation 3.3.2 is affected by persistent Cross Site Scripting XSS. XSS vulnerabilities occur when input passed via several parameters to several scripts is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's...

Design/Logic Flaw

HomeAutomation 3.3.2 suffers from an authenticated OS command execution vulnerability using custom command v0.1 plugin. This can be exploited with a CSRF vulnerability to execute arbitrary shell commands as the web user via the 'setcommandon' and 'setcommandoff' POST parameters in...