Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2019-12821

Summary
Assigner-mitre
Assigner Org ID-8254265b-2729-46b6-b9e3-3dfca2d5bfca
Published At-19 Jul, 2019 | 17:20
Updated At-04 Aug, 2024 | 23:32
Rejected At-
Credits

A vulnerability was found in the app 2.0 of the Shenzhen Jisiwei i3 robot vacuum cleaner, while adding a device to the account using a QR-code. The QR-code follows an easily predictable pattern that depends only on the specific device ID of the robot vacuum cleaner. By generating a QR-code containing information about the device ID, it is possible to connect an arbitrary device and gain full access to it. The device ID has an initial "JSW" substring followed by a six digit number that depends on the specific device.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:mitre
Assigner Org ID:8254265b-2729-46b6-b9e3-3dfca2d5bfca
Published At:19 Jul, 2019 | 17:20
Updated At:04 Aug, 2024 | 23:32
Rejected At:
▼CVE Numbering Authority (CNA)

A vulnerability was found in the app 2.0 of the Shenzhen Jisiwei i3 robot vacuum cleaner, while adding a device to the account using a QR-code. The QR-code follows an easily predictable pattern that depends only on the specific device ID of the robot vacuum cleaner. By generating a QR-code containing information about the device ID, it is possible to connect an arbitrary device and gain full access to it. The device ID has an initial "JSW" substring followed by a six digit number that depends on the specific device.

Affected Products
Vendor
n/a
Product
n/a
Versions
Affected
  • n/a
Problem Types
TypeCWE IDDescription
textN/An/a
Type: text
CWE ID: N/A
Description: n/a
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://www.kth.se/polopoly_fs/1.914058.1561621210%21/Olsson_Larsson-Forsberg_vacuum.pdf
x_refsource_MISC
Hyperlink: https://www.kth.se/polopoly_fs/1.914058.1561621210%21/Olsson_Larsson-Forsberg_vacuum.pdf
Resource:
x_refsource_MISC
▼Authorized Data Publishers (ADP)
CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://www.kth.se/polopoly_fs/1.914058.1561621210%21/Olsson_Larsson-Forsberg_vacuum.pdf
x_refsource_MISC
x_transferred
Hyperlink: https://www.kth.se/polopoly_fs/1.914058.1561621210%21/Olsson_Larsson-Forsberg_vacuum.pdf
Resource:
x_refsource_MISC
x_transferred
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:cve@mitre.org
Published At:19 Jul, 2019 | 18:15
Updated At:07 Nov, 2023 | 03:03

A vulnerability was found in the app 2.0 of the Shenzhen Jisiwei i3 robot vacuum cleaner, while adding a device to the account using a QR-code. The QR-code follows an easily predictable pattern that depends only on the specific device ID of the robot vacuum cleaner. By generating a QR-code containing information about the device ID, it is possible to connect an arbitrary device and gain full access to it. The device ID has an initial "JSW" substring followed by a six digit number that depends on the specific device.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.04.8MEDIUM
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L
Primary2.05.8MEDIUM
AV:N/AC:M/Au:N/C:N/I:P/A:P
Type: Primary
Version: 3.0
Base score: 4.8
Base severity: MEDIUM
Vector:
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L
Type: Primary
Version: 2.0
Base score: 5.8
Base severity: MEDIUM
Vector:
AV:N/AC:M/Au:N/C:N/I:P/A:P
CPE Matches
jisiwei
jisiwei
>>i3_firmware>>2.0
cpe:2.3:o:jisiwei:i3_firmware:2.0:*:*:*:*:*:*:*
jisiwei
jisiwei
>>i3>>-
cpe:2.3:h:jisiwei:i3:-:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-330Primarynvd@nist.gov
CWE ID: CWE-330
Type: Primary
Source: nvd@nist.gov
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://www.kth.se/polopoly_fs/1.914058.1561621210%21/Olsson_Larsson-Forsberg_vacuum.pdfcve@mitre.org
N/A
Hyperlink: https://www.kth.se/polopoly_fs/1.914058.1561621210%21/Olsson_Larsson-Forsberg_vacuum.pdf
Source: cve@mitre.org
Resource: N/A

Change History

0
Information is not available yet

Similar CVEs

3Records found
CVE-2020-13817
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.4||HIGH
EPSS-0.38% / 58.29%
||
7 Day CHG~0.00%
Published-04 Jun, 2020 | 12:31
Updated-05 May, 2025 | 17:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

ntpd in ntp before 4.2.8p14 and 4.3.x before 4.3.100 allows remote attackers to cause a denial of service (daemon exit or system time change) by predicting transmit timestamps for use in spoofed packets. The victim must be relying on unauthenticated IPv4 time sources. There must be an off-path attacker who can query time from the victim's ntpd instance.

Action-Not Available
Vendor-ntpn/aopenSUSENetApp, Inc.Fujitsu Limited
Product-h410shci_compute_node_firmwarecloud_backupontap_toolsleaph500s_firmwarem12-2m10-1_firmwarem12-2_firmwareh410c_firmwarem12-1_firmwareh410ch700sh500sh700e_firmwareh500e_firmwarem12-2s_firmwareclustered_data_ontaph300ehci_management_nodeh300e_firmwarem10-1m10-4s_firmwaredata_ontaph700ehci_compute_nodeh500em12-1h700s_firmwaresolidfirem12-2sm10-4sh410s_firmwareh300s_firmwaresteelstore_cloud_integrated_storagentpelement_softwarem10-4m10-4_firmwareh300sn/a
CWE ID-CWE-330
Use of Insufficiently Random Values
CVE-2015-3963
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
ShareView Details
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
CVSS Score-5.8||MEDIUM
EPSS-4.71% / 88.94%
||
7 Day CHG~0.00%
Published-04 Aug, 2015 | 01:00
Updated-12 Apr, 2025 | 10:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Wind River VxWorks before 5.5.1, 6.5.x through 6.7.x before 6.7.1.1, 6.8.x before 6.8.3, 6.9.x before 6.9.4.4, and 7.x before 7 ipnet_coreip 1.2.2.0, as used on Schneider Electric SAGE RTU devices before J2 and other devices, does not properly generate TCP initial sequence number (ISN) values, which makes it easier for remote attackers to spoof TCP sessions by predicting an ISN value.

Action-Not Available
Vendor-windrivern/aSchneider Electric SE
Product-sage_1330vxworkssage_1310sage_1410sage_2200sage_1230sage_1350sage_1210sage_1250sage_1450sage_2400sage_3030sage_1430sage_3030_magnumn/a
CWE ID-CWE-330
Use of Insufficiently Random Values
CVE-2017-17704
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.4||HIGH
EPSS-0.15% / 36.81%
||
7 Day CHG~0.00%
Published-31 Dec, 2017 | 02:00
Updated-20 Apr, 2025 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A door-unlocking issue was discovered on Software House iStar Ultra devices through 6.5.2.20569 when used in conjunction with the IP-ACM Ethernet Door Module. The communications between the IP-ACM and the iStar Ultra is encrypted using a fixed AES key and IV. Each message is encrypted in CBC mode and restarts with the fixed IV, leading to replay attacks of entire messages. There is no authentication of messages beyond the use of the fixed AES key, so message forgery is also possible.

Action-Not Available
Vendor-swhousen/a
Product-istar_ultraistar_ultra_firmwaren/a
CWE ID-CWE-330
Use of Insufficiently Random Values
Details not found