Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2024-29206

Summary
Assigner-hackerone
Assigner Org ID-36234546-b8fa-4601-9d6f-f4e334aa8ea1
Published At-07 May, 2024 | 16:40
Updated At-02 Aug, 2024 | 01:10
Rejected At-
Credits

An Improper Access Control could allow a malicious actor authenticated in the API to enable Android Debug Bridge (ADB) and make unsupported changes to the system. Affected Products: UniFi Connect EV Station (Version 1.1.18 and earlier) UniFi Connect EV Station Pro (Version 1.1.18 and earlier) UniFi Access G2 Reader Pro (Version 1.2.172 and earlier) UniFi Access Reader Pro (Version 2.7.238 and earlier) UniFi Access Intercom (Version 1.0.66 and earlier) UniFi Access Intercom Viewer (Version 1.0.5 and earlier) UniFi Connect Display (Version 1.9.324 and earlier) UniFi Connect Display Cast (Version 1.6.225 and earlier) Mitigation: Update UniFi Connect Application to Version 3.10.7 or later. Update UniFi Connect EV Station to Version 1.2.15 or later. Update UniFi Connect EV Station Pro to Version 1.2.15 or later. Update UniFi Access G2 Reader Pro Version 1.3.37 or later. Update UniFi Access Reader Pro Version 2.8.19 or later. Update UniFi Access Intercom Version 1.1.32 or later. Update UniFi Access Intercom Viewer Version 1.1.6 or later. Update UniFi Connect Display to Version 1.11.348 or later. Update UniFi Connect Display Cast to Version 1.8.255 or later.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:hackerone
Assigner Org ID:36234546-b8fa-4601-9d6f-f4e334aa8ea1
Published At:07 May, 2024 | 16:40
Updated At:02 Aug, 2024 | 01:10
Rejected At:
▼CVE Numbering Authority (CNA)

An Improper Access Control could allow a malicious actor authenticated in the API to enable Android Debug Bridge (ADB) and make unsupported changes to the system. Affected Products: UniFi Connect EV Station (Version 1.1.18 and earlier) UniFi Connect EV Station Pro (Version 1.1.18 and earlier) UniFi Access G2 Reader Pro (Version 1.2.172 and earlier) UniFi Access Reader Pro (Version 2.7.238 and earlier) UniFi Access Intercom (Version 1.0.66 and earlier) UniFi Access Intercom Viewer (Version 1.0.5 and earlier) UniFi Connect Display (Version 1.9.324 and earlier) UniFi Connect Display Cast (Version 1.6.225 and earlier) Mitigation: Update UniFi Connect Application to Version 3.10.7 or later. Update UniFi Connect EV Station to Version 1.2.15 or later. Update UniFi Connect EV Station Pro to Version 1.2.15 or later. Update UniFi Access G2 Reader Pro Version 1.3.37 or later. Update UniFi Access Reader Pro Version 2.8.19 or later. Update UniFi Access Intercom Version 1.1.32 or later. Update UniFi Access Intercom Viewer Version 1.1.6 or later. Update UniFi Connect Display to Version 1.11.348 or later. Update UniFi Connect Display Cast to Version 1.8.255 or later.

Affected Products
Vendor
Ubiquiti Inc.Ubiquiti Inc
Product
UniFi Connect EV Station
Default Status
unaffected
Versions
Affected
  • From 1.2.15 before 1.2.15 (semver)
Vendor
Ubiquiti Inc.Ubiquiti Inc
Product
UniFi Connect EV Station Pro
Default Status
unaffected
Versions
Affected
  • From 1.2.15 before 1.2.15 (semver)
Vendor
Ubiquiti Inc.Ubiquiti Inc
Product
UniFi Access G2 Reader Pro
Default Status
unaffected
Versions
Affected
  • From 1.3.37 before 1.3.37 (semver)
Vendor
Ubiquiti Inc.Ubiquiti Inc
Product
UniFi Access Reader Pro
Default Status
unaffected
Versions
Affected
  • From 2.8.19 before 2.8.19 (semver)
Vendor
Ubiquiti Inc.Ubiquiti Inc
Product
UniFi Access Intercom
Default Status
unaffected
Versions
Affected
  • From 1.1.32 before 1.1.32 (semver)
Vendor
Ubiquiti Inc.Ubiquiti Inc
Product
UniFi Access Intercom Viewer
Default Status
unaffected
Versions
Affected
  • From 1.1.6 before 1.1.6 (semver)
Vendor
Ubiquiti Inc.Ubiquiti Inc
Product
UniFi Connect Display
Default Status
unaffected
Versions
Affected
  • From 1.11.348 before 1.11.348 (semver)
Vendor
Ubiquiti Inc.Ubiquiti Inc
Product
UniFi Connect Display Cast
Default Status
unaffected
Versions
Affected
  • From 1.8.255 before 1.8.255 (semver)
Metrics
VersionBase scoreBase severityVector
3.02.2LOW
CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:N
Version: 3.0
Base score: 2.2
Base severity: LOW
Vector:
CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://community.ui.com/releases/Security-Advisory-bulletin-039-039/44e24007-2c2c-4ac0-bebf-3f19b9b24f09
N/A
Hyperlink: https://community.ui.com/releases/Security-Advisory-bulletin-039-039/44e24007-2c2c-4ac0-bebf-3f19b9b24f09
Resource: N/A
▼Authorized Data Publishers (ADP)
1. CISA ADP Vulnrichment
Affected Products
Vendor
Ubiquiti Inc.ubiquiti
Product
unifi_connect_ev_station
CPEs
  • cpe:2.3:a:ubiquiti:unifi_connect_ev_station:1.2.15:*:*:*:*:*:*:*
Default Status
unknown
Versions
Affected
  • 1.2.15
Vendor
Ubiquiti Inc.ubiquiti
Product
unifi_access_g2_reader_pro
CPEs
  • cpe:2.3:a:ubiquiti:unifi_access_g2_reader_pro:*:*:*:*:*:*:*:*
Default Status
unknown
Versions
Affected
  • 1.3.37
Vendor
Ubiquiti Inc.ubiquiti
Product
unifi_connect_display
CPEs
  • cpe:2.3:a:ubiquiti:unifi_connect_display:1.11.348:*:*:*:*:*:*:*
Default Status
unknown
Versions
Affected
  • 1.11.348
Vendor
Ubiquiti Inc.ubiquiti
Product
unifi_connect_display_cast
CPEs
  • cpe:2.3:a:ubiquiti:unifi_connect_display_cast:1.8.255:*:*:*:*:*:*:*
Default Status
unknown
Versions
Affected
  • 1.8.255
Vendor
Ubiquiti Inc.ubiquiti
Product
unifi_access_reader_pro
CPEs
  • cpe:2.3:a:ubiquiti:unifi_access_reader_pro:*:*:*:*:*:*:*:*
Default Status
unknown
Versions
Affected
  • 2.8.19
Vendor
Ubiquiti Inc.ubiquiti
Product
unifi_access_intercom
CPEs
  • cpe:2.3:a:ubiquiti:unifi_access_intercom:*:*:*:*:*:*:*:*
Default Status
unknown
Versions
Affected
  • 1.1.32
Vendor
Ubiquiti Inc.ubiquiti
Product
unifi_access_intercom_viewer
CPEs
  • cpe:2.3:a:ubiquiti:unifi_access_intercom_viewer:*:*:*:*:*:*:*:*
Default Status
unknown
Versions
Affected
  • 1.1.6
Vendor
Ubiquiti Inc.ubiquiti
Product
unifi_connect_ev_station_pro
CPEs
  • cpe:2.3:a:ubiquiti:unifi_connect_ev_station_pro:1.2.15.0:*:*:*:*:*:*:*
Default Status
unknown
Versions
Affected
  • 1.2.15
Problem Types
TypeCWE IDDescription
CWECWE-284CWE-284 Improper Access Control
Type: CWE
CWE ID: CWE-284
Description: CWE-284 Improper Access Control
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
2. CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://community.ui.com/releases/Security-Advisory-bulletin-039-039/44e24007-2c2c-4ac0-bebf-3f19b9b24f09
x_transferred
Hyperlink: https://community.ui.com/releases/Security-Advisory-bulletin-039-039/44e24007-2c2c-4ac0-bebf-3f19b9b24f09
Resource:
x_transferred
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:support@hackerone.com
Published At:07 May, 2024 | 17:15
Updated At:03 Jul, 2024 | 01:52

An Improper Access Control could allow a malicious actor authenticated in the API to enable Android Debug Bridge (ADB) and make unsupported changes to the system. Affected Products: UniFi Connect EV Station (Version 1.1.18 and earlier) UniFi Connect EV Station Pro (Version 1.1.18 and earlier) UniFi Access G2 Reader Pro (Version 1.2.172 and earlier) UniFi Access Reader Pro (Version 2.7.238 and earlier) UniFi Access Intercom (Version 1.0.66 and earlier) UniFi Access Intercom Viewer (Version 1.0.5 and earlier) UniFi Connect Display (Version 1.9.324 and earlier) UniFi Connect Display Cast (Version 1.6.225 and earlier) Mitigation: Update UniFi Connect Application to Version 3.10.7 or later. Update UniFi Connect EV Station to Version 1.2.15 or later. Update UniFi Connect EV Station Pro to Version 1.2.15 or later. Update UniFi Access G2 Reader Pro Version 1.3.37 or later. Update UniFi Access Reader Pro Version 2.8.19 or later. Update UniFi Access Intercom Version 1.1.32 or later. Update UniFi Access Intercom Viewer Version 1.1.6 or later. Update UniFi Connect Display to Version 1.11.348 or later. Update UniFi Connect Display Cast to Version 1.8.255 or later.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.02.2LOW
CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:N
Type: Secondary
Version: 3.0
Base score: 2.2
Base severity: LOW
Vector:
CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:N
CPE Matches
Weaknesses
CWE IDTypeSource
CWE-284Secondary134c704f-9b21-4f2e-91b3-4a467353bcc0
CWE ID: CWE-284
Type: Secondary
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://community.ui.com/releases/Security-Advisory-bulletin-039-039/44e24007-2c2c-4ac0-bebf-3f19b9b24f09support@hackerone.com
N/A
Hyperlink: https://community.ui.com/releases/Security-Advisory-bulletin-039-039/44e24007-2c2c-4ac0-bebf-3f19b9b24f09
Source: support@hackerone.com
Resource: N/A

Change History

0
Information is not available yet

Similar CVEs

5Records found
CVE-2024-29208
Matching Score-8
Assigner-HackerOne
ShareView Details
Matching Score-8
Assigner-HackerOne
CVSS Score-2.2||LOW
EPSS-0.08% / 24.52%
||
7 Day CHG~0.00%
Published-07 May, 2024 | 16:40
Updated-02 Aug, 2024 | 01:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An Unverified Password Change could allow a malicious actor with API access to the device to change the system password without knowing the previous password. Affected Products: UniFi Connect EV Station (Version 1.1.18 and earlier) UniFi Connect EV Station Pro (Version 1.1.18 and earlier) UniFi Connect Display (Version 1.9.324 and earlier) UniFi Connect Display Cast (Version 1.6.225 and earlier) Mitigation: Update UniFi Connect Application to Version 3.10.7 or later. Update UniFi Connect EV Station to Version 1.2.15 or later. Update UniFi Connect EV Station Pro to Version 1.2.15 or later. Update UniFi Connect Display to Version 1.11.348 or later. Update UniFi Connect Display Cast to Version 1.8.255 or later.

Action-Not Available
Vendor-Ubiquiti Inc.
Product-Update UniFi Connect EV Station ProUpdate UniFi Connect EV StationUpdate UniFi Connect DisplayUpdate UniFi Connect Display Cast unifi_connect_display_castunifi_connect_ev_stationunifi_connect_ev_station_prounifi_connect_display
CWE ID-CWE-521
Weak Password Requirements
CVE-2023-41721
Matching Score-6
Assigner-HackerOne
ShareView Details
Matching Score-6
Assigner-HackerOne
CVSS Score-10||CRITICAL
EPSS-0.24% / 46.88%
||
7 Day CHG~0.00%
Published-25 Oct, 2023 | 00:24
Updated-13 Sep, 2024 | 16:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Instances of UniFi Network Application that (i) are run on a UniFi Gateway Console, and (ii) are versions 7.5.176. and earlier, implement device adoption with improper access control logic, creating a risk of access to device configuration information by a malicious actor with preexisting access to the network. Affected Products: UDM UDM-PRO UDM-SE UDR UDW Mitigation: Update UniFi Network to Version 7.5.187 or later.

Action-Not Available
Vendor-Ubiquiti Inc.
Product-unifi_dream_machine_special_editionunifi_dream_wallunifi_network_applicationunifi_dream_machineunifi_dream_routerunifi_dream_machine_proUniFi Network Applicationunifi_network_application
CWE ID-CWE-284
Improper Access Control
CVE-2024-29207
Matching Score-6
Assigner-HackerOne
ShareView Details
Matching Score-6
Assigner-HackerOne
CVSS Score-7.5||HIGH
EPSS-0.06% / 17.12%
||
7 Day CHG~0.00%
Published-07 May, 2024 | 16:40
Updated-02 Aug, 2024 | 01:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An Improper Certificate Validation could allow a malicious actor with access to an adjacent network to take control of the system. Affected Products: UniFi Connect Application (Version 3.7.9 and earlier) UniFi Connect EV Station (Version 1.1.18 and earlier) UniFi Connect EV Station Pro (Version 1.1.18 and earlier) UniFi Connect Display (Version 1.9.324 and earlier) UniFi Connect Display Cast (Version 1.6.225 and earlier) Mitigation: Update UniFi Connect Application to Version 3.10.7 or later. Update UniFi Connect EV Station to Version 1.2.15 or later. Update UniFi Connect EV Station Pro to Version 1.2.15 or later. Update UniFi Connect Display to Version 1.11.348 or later. Update UniFi Connect Display Cast to Version 1.8.255 or later.

Action-Not Available
Vendor-Ubiquiti Inc.
Product-UniFi Connect Display CastUniFi Connect DisplayUniFi Connect ApplicationUniFi Connect EV StationUniFi Connect EV Station Pro unifi_connect_ev_station_prounifi_connect_displayunifi_connect_ev_stationunifi_connect_display_castunifi_connect_application
CWE ID-CWE-284
Improper Access Control
CVE-2025-27215
Matching Score-6
Assigner-HackerOne
ShareView Details
Matching Score-6
Assigner-HackerOne
CVSS Score-8.1||HIGH
EPSS-0.03% / 7.22%
||
7 Day CHG~0.00%
Published-21 Aug, 2025 | 00:01
Updated-22 Aug, 2025 | 18:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An Improper Access Control could allow a malicious actor authenticated in the API of certain UniFi Connect Display Cast devices to make unsupported changes to the system. Affected Products: UniFi Connect Display Cast (Version 1.10.3 and earlier) UniFi Connect Display Cast Pro (Version 1.0.89 and earlier) UniFi Connect Display Cast Lite (Version 1.0.3 and earlier) Mitigation: Update UniFi Connect Display Cast to Version 1.10.7 or later Update UniFi Connect Display Cast Pro to Version 1.0.94 or later Update UniFi Connect Display Cast Lite to Version 1.1.8 or later

Action-Not Available
Vendor-Ubiquiti Inc.
Product-UniFi Connect Display Cast ProUniFi Connect Display Cast LiteUniFi Connect Display Cast
CWE ID-CWE-284
Improper Access Control
CVE-2025-23164
Matching Score-6
Assigner-HackerOne
ShareView Details
Matching Score-6
Assigner-HackerOne
CVSS Score-4.4||MEDIUM
EPSS-0.04% / 11.75%
||
7 Day CHG~0.00%
Published-19 May, 2025 | 01:25
Updated-19 May, 2025 | 15:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A misconfigured access token mechanism in the Unifi Protect Application (Version 5.3.41 and earlier) could permit the recipient of a "Share Livestream" link to maintain access to the corresponding livestream subsequent to such link becoming disabled.

Action-Not Available
Vendor-Ubiquiti Inc.
Product-UniFi Protect Application
CWE ID-CWE-284
Improper Access Control
Details not found