Details of VAR-201911-0656

ID

VAR-201911-0656

CVE

CVE-2019-18937

TITLE

Input validation vulnerabilities in multiple products

Trust: 0.8

sources: JVNDB: JVNDB-2019-012007

DESCRIPTION

eQ-3 Homematic CCU2 2.47.20 and CCU3 3.47.18 with the Script Parser AddOn through 1.8 installed allow Remote Code Execution by unauthenticated attackers with access to the web interface via the exec.cgi script, which executes TCL script content from an HTTP POST request. eQ-3 Homematic CCU2 , CCU3 , Script Parser The add-on contains a vulnerability related to input validation.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Both eQ-3 Homematic CCU3 and eQ-3 Homematic CCU2 are central control units of a smart home system produced by German eQ-3 company. There are security vulnerabilities in Script Parser AddOn 1.8 and earlier versions in eQ-3 Homematic CCU2 version 2.47.20 and CCU3 version 3.47.18. An attacker could exploit this vulnerability to execute code

Trust: 1.71

sources: NVD: CVE-2019-18937 // JVNDB: JVNDB-2019-012007 // VULHUB: VHN-151333

AFFECTED PRODUCTS

vendor:	eq 3	model:	homematic ccu3	scope:	eq	version:	3.47.18	Trust: 1.6
vendor:	scriptparser	model:	scriptparser	scope:	eq	version:	1.3	Trust: 1.6
vendor:	scriptparser	model:	scriptparser	scope:	eq	version:	1.0	Trust: 1.6
vendor:	scriptparser	model:	scriptparser	scope:	eq	version:	1.2	Trust: 1.6
vendor:	scriptparser	model:	scriptparser	scope:	eq	version:	1.8	Trust: 1.0
vendor:	scriptparser	model:	scriptparser	scope:	eq	version:	1.7	Trust: 1.0
vendor:	scriptparser	model:	scriptparser	scope:	eq	version:	1.5	Trust: 1.0
vendor:	scriptparser	model:	scriptparser	scope:	eq	version:	1.4	Trust: 1.0
vendor:	scriptparser	model:	scriptparser	scope:	eq	version:	1.6	Trust: 1.0
vendor:	eq 3	model:	homematic ccu2	scope:	eq	version:	2.47.20	Trust: 1.0
vendor:	eq 3	model:	ccu3	scope:	eq	version:	3.47.18	Trust: 0.8
vendor:	eq 3	model:	homematic zentrale ccu2	scope:	eq	version:	2.47.20	Trust: 0.8
vendor:	scriptparser	model:	scriptparser	scope:	lte	version:	1.8	Trust: 0.8
vendor:	eq 3	model:	homematic ccu3	scope:	eq	version:	-	Trust: 0.6

sources: JVNDB: JVNDB-2019-012007 // CNNVD: CNNVD-201911-985 // NVD: CVE-2019-18937

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2019-18937
value:	CRITICAL
Trust: 1.0
NVD:	CVE-2019-18937
value:	CRITICAL
Trust: 0.8
CNNVD:	CNNVD-201911-985
value:	CRITICAL
Trust: 0.6
VULHUB:	VHN-151333
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2019-18937
severity:	HIGH
baseScore:	7.5
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
VULHUB:	VHN-151333
severity:	HIGH
baseScore:	7.5
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2019-18937
baseSeverity:	CRITICAL
baseScore:	9.8
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	3.9
impactScore:	5.9
version:	3.1
Trust: 1.0
NVD:	CVE-2019-18937
baseSeverity:	CRITICAL
baseScore:	9.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: VULHUB: VHN-151333 // JVNDB: JVNDB-2019-012007 // CNNVD: CNNVD-201911-985 // NVD: CVE-2019-18937

PROBLEMTYPE DATA

problemtype:	CWE-306	Trust: 1.0
problemtype:	CWE-20	Trust: 0.9

sources: VULHUB: VHN-151333 // JVNDB: JVNDB-2019-012007 // NVD: CVE-2019-18937

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201911-985

TYPE

input validation error

Trust: 0.6

sources: CNNVD: CNNVD-201911-985

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-012007

PATCH

title:	Top Page	url:	https://www.eq-3.com/	Trust: 0.8
title:	scriptparser	url:	https://github.com/litti/scriptparser	Trust: 0.8

sources: JVNDB: JVNDB-2019-012007

EXTERNAL IDS

db:	NVD	id:	CVE-2019-18937	Trust: 2.5
db:	JVNDB	id:	JVNDB-2019-012007	Trust: 0.8
db:	CNNVD	id:	CNNVD-201911-985	Trust: 0.7
db:	VULHUB	id:	VHN-151333	Trust: 0.1

sources: VULHUB: VHN-151333 // JVNDB: JVNDB-2019-012007 // CNNVD: CNNVD-201911-985 // NVD: CVE-2019-18937

REFERENCES

url:	https://psytester.github.io/cve-2019-18937/	Trust: 2.5
url:	https://nvd.nist.gov/vuln/detail/cve-2019-18937	Trust: 1.4
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-18937	Trust: 0.8

sources: VULHUB: VHN-151333 // JVNDB: JVNDB-2019-012007 // CNNVD: CNNVD-201911-985 // NVD: CVE-2019-18937

SOURCES

db:	VULHUB	id:	VHN-151333
db:	JVNDB	id:	JVNDB-2019-012007
db:	CNNVD	id:	CNNVD-201911-985
db:	NVD	id:	CVE-2019-18937

LAST UPDATE DATE

2024-11-23T22:58:28.979000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-151333	date:	2019-11-18T00:00:00
db:	JVNDB	id:	JVNDB-2019-012007	date:	2019-11-22T00:00:00
db:	CNNVD	id:	CNNVD-201911-985	date:	2019-11-19T00:00:00
db:	NVD	id:	CVE-2019-18937	date:	2024-11-21T04:33:52.567

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-151333	date:	2019-11-14T00:00:00
db:	JVNDB	id:	JVNDB-2019-012007	date:	2019-11-22T00:00:00
db:	CNNVD	id:	CNNVD-201911-985	date:	2019-11-14T00:00:00
db:	NVD	id:	CVE-2019-18937	date:	2019-11-14T19:15:13.237