eQ-3 HomeMatic CCU3 firmware 3.41.11 allows session fixation. An attacker can create session IDs and send them to the victim. After the victim logs in to the session, the attacker can use that session. The attacker could create SSH logins after a valid session and easily compromise the system.
References
| Link | Resource |
|---|---|
| https://noskill1337.github.io/homematic-ccu3-session-fixation | Exploit, Mitigation, Third Party Advisory |
| https://www.eq-3.com/products/homematic.html | Vendor Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: mitre
Published: 2019-10-17T13:33:20
Updated: 2019-10-17T13:33:20
Reserved: 2019-09-02T00:00:00
Link: CVE-2019-15849
NVD Information
Status: Analyzed
Published: 2019-10-17T14:15:10.760
Modified: 2019-10-22T13:23:54.933
Link: CVE-2019-15849
Redhat Information
No data.
CWE