ByteOS Network

NVD Vulnerability Details :

CVE-2019-15849

Analyzed

Source-cve@mitre.org

Published At-17 Oct, 2019 | 14:15

Updated At-22 Oct, 2019 | 13:23

eQ-3 HomeMatic CCU3 firmware 3.41.11 allows session fixation. An attacker can create session IDs and send them to the victim. After the victim logs in to the session, the attacker can use that session. The attacker could create SSH logins after a valid session and easily compromise the system.

Date Added	Due Date	Vulnerability Name	Required Action
	N/A

Metrics

Type	Version	Base score	Base severity	Vector
Primary	3.1	7.3	HIGH	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
Primary	2.0	4.9	MEDIUM	AV:N/AC:M/Au:S/C:P/I:P/A:N

Type: Primary

Version: 3.1

Base score: 7.3

Base severity: HIGH

Vector:

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N

Type: Primary

Version: 2.0

Base score: 4.9

Base severity: MEDIUM

Vector:

AV:N/AC:M/Au:S/C:P/I:P/A:N

CPE Matches

eq-3>>homematic_ccu3_firmware>>3.14.11

cpe:2.3:o:eq-3:homematic_ccu3_firmware:3.14.11:*:*:*:*:*:*:*

eq-3>>homematic_ccu3>>-

cpe:2.3:h:eq-3:homematic_ccu3:-:*:*:*:*:*:*:*

Weaknesses

CWE ID	Type	Source
CWE-384	Primary	nvd@nist.gov

CWE ID: CWE-384

Type: Primary

Source: nvd@nist.gov

References

Hyperlink	Source	Resource
https://noskill1337.github.io/homematic-ccu3-session-fixation	cve@mitre.org	Exploit Mitigation Third Party Advisory
https://www.eq-3.com/products/homematic.html	cve@mitre.org	Vendor Advisory

Hyperlink: https://noskill1337.github.io/homematic-ccu3-session-fixation

Source: cve@mitre.org

Resource:

Exploit

Mitigation

Third Party Advisory

Hyperlink: https://www.eq-3.com/products/homematic.html

Source: cve@mitre.org

Resource:

Vendor Advisory

CISA Catalog

Metrics

CPE Matches

Weaknesses

Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References

Change History