Sign-up

ID

VAR-201908-0654


CVE

CVE-2019-14984


TITLE

eQ-3 Homematic CCU2 and CCU3 Command injection vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2019-008027

DESCRIPTION

eQ-3 Homematic CCU2 and CCU3 with the XML-API through 1.2.0 AddOn installed allow Remote Code Execution by unauthenticated attackers with access to the web interface, because the undocumented addons/xmlapi/exec.cgi script uses CMD_EXEC to execute TCL code from a POST request. eQ-3 Homematic CCU2 and CCU3 Contains a command injection vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Both eQ-3 Homematic CCU3 and eQ-3 Homematic CCU2 are central control units of a smart home system produced by German eQ-3 company. A command injection vulnerability exists in the eQ-3 Homematic CCU2 and CCU3. This vulnerability stems from the fact that the network system or product does not correctly filter special elements in the process of constructing executable commands from external input data. Attackers can exploit this vulnerability to execute illegal commands

Trust: 1.71

sources: NVD: CVE-2019-14984 // JVNDB: JVNDB-2019-008027 // VULHUB: VHN-146985

AFFECTED PRODUCTS

vendor:eq 3model:homematic ccu3scope:lteversion:1.2.0

Trust: 1.0

vendor:eq 3model:homematic ccu2scope:lteversion:1.2.0

Trust: 1.0

vendor:eq 3model:ccu2scope:lteversion:1.2.0

Trust: 0.8

vendor:eq 3model:ccu3scope:lteversion:1.2.0

Trust: 0.8

sources: JVNDB: JVNDB-2019-008027 // NVD: CVE-2019-14984

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-14984
value: HIGH

Trust: 1.0

NVD: CVE-2019-14984
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201908-911
value: HIGH

Trust: 0.6

VULHUB: VHN-146985
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2019-14984
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-146985
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2019-14984
baseSeverity: HIGH
baseScore: 8.1
vectorString: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: HIGH
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.2
impactScore: 5.9
version: 3.0

Trust: 1.8

sources: VULHUB: VHN-146985 // JVNDB: JVNDB-2019-008027 // CNNVD: CNNVD-201908-911 // NVD: CVE-2019-14984

PROBLEMTYPE DATA

problemtype:CWE-306

Trust: 1.1

problemtype:CWE-77

Trust: 0.9

sources: VULHUB: VHN-146985 // JVNDB: JVNDB-2019-008027 // NVD: CVE-2019-14984

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201908-911

TYPE

access control error

Trust: 0.6

sources: CNNVD: CNNVD-201908-911

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2019-008027

PATCH
title:Top Pageurl:https://www.eq-3.com/
Trust: 0.8
title:eQ-3 Homematic CCU2  and CCU3 Security vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=96596
Trust: 0.6
sources:
            
            
            JVNDB: JVNDB-2019-008027 // 
            
            
            
            CNNVD: CNNVD-201908-911

EXTERNAL IDS
db:NVDid:CVE-2019-14984
Trust: 2.5
db:JVNDBid:JVNDB-2019-008027
Trust: 0.8
db:CNNVDid:CNNVD-201908-911
Trust: 0.7
db:VULHUBid:VHN-146985
Trust: 0.1
sources:
            
            
            VULHUB: VHN-146985 // 
            
            
            
            JVNDB: JVNDB-2019-008027 // 
            
            
            
            CNNVD: CNNVD-201908-911 // 
            
            
            
            NVD: CVE-2019-14984

REFERENCES
url:https://psytester.github.io/cve-2019-14984/
Trust: 2.5
url:https://nvd.nist.gov/vuln/detail/cve-2019-14984
Trust: 1.4
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-14984
Trust: 0.8
sources:
            
            
            VULHUB: VHN-146985 // 
            
            
            
            JVNDB: JVNDB-2019-008027 // 
            
            
            
            CNNVD: CNNVD-201908-911 // 
            
            
            
            NVD: CVE-2019-14984

SOURCES
db:VULHUBid:VHN-146985
db:JVNDBid:JVNDB-2019-008027
db:CNNVDid:CNNVD-201908-911
db:NVDid:CVE-2019-14984

LAST UPDATE DATE
2024-11-23T22:06:06.256000+00:00

SOURCES UPDATE DATE
db:VULHUBid:VHN-146985date:2020-08-24T00:00:00
db:JVNDBid:JVNDB-2019-008027date:2019-08-23T00:00:00
db:CNNVDid:CNNVD-201908-911date:2020-10-28T00:00:00
db:NVDid:CVE-2019-14984date:2024-11-21T04:27:49.467

SOURCES RELEASE DATE
db:VULHUBid:VHN-146985date:2019-08-13T00:00:00
db:JVNDBid:JVNDB-2019-008027date:2019-08-23T00:00:00
db:CNNVDid:CNNVD-201908-911date:2019-08-13T00:00:00
db:NVDid:CVE-2019-14984date:2019-08-13T20:15:12.150