← Back to CVEs

CVE-2019-15849

HIGH

7.3

Description

eQ-3 HomeMatic CCU3 firmware 3.41.11 allows session fixation. An attacker can create session IDs and send them to the victim. After the victim logs in to the session, the attacker can use that session. The attacker could create SSH logins after a valid session and easily compromise the system.

CVE Details

CVSS v3.1 Score7.3

SeverityHIGH

CVSS VectorCVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N

Attack VectorNETWORK

ComplexityLOW

Privileges RequiredLOW

User InteractionREQUIRED

Published10/17/2019

Last Modified11/21/2024

Sourcenvd

Honeypot Sightings0

Affected Products

eq-3:homematic_ccu3eq-3:homematic_ccu3_firmware

Weaknesses (CWE)

CWE-384

References

https://noskill1337.github.io/homematic-ccu3-session-fixation(cve@mitre.org)

https://www.eq-3.com/products/homematic.html(cve@mitre.org)

https://noskill1337.github.io/homematic-ccu3-session-fixation(af854a3a-2127-422b-91ae-364da2661108)

https://www.eq-3.com/products/homematic.html(af854a3a-2127-422b-91ae-364da2661108)

IOC Correlations

No correlations recorded

This product uses data from the NVD API but is not endorsed or certified by the NVD.