CVE-2019-10119
Last modified
CVE-2019-10119 is a vulnerability of currently unknown severity. eQ-3 HomeMatic CCU2 devices before 2.41.8 and CCU3 devices before 3.43.16 use session IDs for authentication but lack authorization checks. An attacker can obtain a session ID via an invalid login attempt to the RemoteApi account, aka HMCCU-154. EPSS estimates a 1.96% chance of exploitation in the next 30 days.
Description
eQ-3 HomeMatic CCU2 devices before 2.41.8 and CCU3 devices before 3.43.16 use session IDs for authentication but lack authorization checks. An attacker can obtain a session ID via an invalid login attempt to the RemoteApi account, aka HMCCU-154. This leads to automatic login as admin.
Metrics
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Eq-3 | Ccu3 Firmware | < 3.43.16 |
| Eq-3 | Ccu2 Firmware | < 2.41.8 |
References
- https://www.eq-3.de/Downloads/Software/CCU3-Firmware/CCU3-3.43.16/CCU3-Changelog.3.43.16.pdfRelease Notes, Vendor Advisory
- https://www.eq-3.de/Downloads/Software/HM-CCU2-Firmware_Updates/HM-CCU-2.41.9/HM-CCU2-Changelog.2.41.9.pdfRelease Notes, Vendor Advisory
- https://www.eq-3.de/Downloads/Software/CCU3-Firmware/CCU3-3.43.16/CCU3-Changelog.3.43.16.pdfRelease Notes, Vendor Advisory
- https://www.eq-3.de/Downloads/Software/HM-CCU2-Firmware_Updates/HM-CCU-2.41.9/HM-CCU2-Changelog.2.41.9.pdfRelease Notes, Vendor Advisory
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2019-10119?
How severe is CVE-2019-10119?
How do I fix CVE-2019-10119?
Are you affected by CVE-2019-10119?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST