Sign-up

ID

VAR-202407-2627


CVE

CVE-2020-11919


TITLE

Siime Eye 14.1.00000001.3.330.0.0.3.14 Cross Site Request Forgery

Trust: 0.1

sources: PACKETSTORM: 179798

DESCRIPTION

An issue was discovered in Siime Eye 14.1.00000001.3.330.0.0.3.14. There is no CSRF protection. ------------------------------------------ [Additional Information] The default settings make this attack theoretical rather than practical. A lot of interaction takes place between the application and the end user. For correct functioning, it is important to verify that requests coming from the user actually represent the user's intention. The application must therefore be able to distinguish forged requests from legitimate ones. Currently no measures against Cross-Site Request Forgery have been implemented and therefore users can be tricked into submitting requests without their knowledge or consent. From the application's point of view, these requests are legitimate requests from the user and they will be processed as such. This can result in the creation of additional (administrative) user accounts, without the user’s knowledge or consent. In order to execute a CSRF attack, a user must be tricked into visiting an attacker controlled page, using the same browser that is authenticated to the Siime Eye. As mostly the Hotspot from Siime Eye will be used, users are unlikely to (be able to) access such pages simultaneously. ------------------------------------------ [Vulnerability Type] Cross Site Request Forgery (CSRF) ------------------------------------------ [Vendor of Product] Svakom ------------------------------------------ [Affected Product Code Base] Siime Eye - 14.1.00000001.3.330.0.0.3.14 ------------------------------------------ [Affected Component] Siime Eye, web interface ------------------------------------------ [Attack Type] Context-dependent ------------------------------------------ [Impact Escalation of Privileges] true ------------------------------------------ [CVE Impact Other] Full device compromise. ------------------------------------------ [Reference] N/A ------------------------------------------ [Has vendor confirmed or acknowledged the vulnerability?] true ------------------------------------------ [Discoverer] Willem Westerhof, Jasper Nota, Edwin Gozeling from Qbit in assignment of the Consumentenbond. Use CVE-2020-11919

Trust: 0.99

sources: NVD: CVE-2020-11919 // PACKETSTORM: 179798

CVSS

SEVERITY

CVSSV2

CVSSV3

134c704f-9b21-4f2e-91b3-4a467353bcc0: CVE-2020-11919
value: HIGH

Trust: 1.0

134c704f-9b21-4f2e-91b3-4a467353bcc0: CVE-2020-11919
baseSeverity: HIGH
baseScore: 8.0
vectorString: CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: ADJACENT
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.1
impactScore: 5.9
version: 3.1

Trust: 1.0

sources: NVD: CVE-2020-11919

PROBLEMTYPE DATA

problemtype:CWE-352

Trust: 1.0

sources: NVD: CVE-2020-11919

TYPE

csrf

Trust: 0.1

sources: PACKETSTORM: 179798

EXTERNAL IDS

db:NVDid:CVE-2020-11919

Trust: 1.2

db:OTHERid:NONE

Trust: 0.1

db:PACKETSTORMid:179798

Trust: 0.1

sources: OTHER: None // PACKETSTORM: 179798 // NVD: CVE-2020-11919

REFERENCES

url:https://seclists.org/fulldisclosure/2024/jul/14

Trust: 1.0

url:https://nvd.nist.gov/vuln/detail/cve-2020-11919

Trust: 0.1

sources: PACKETSTORM: 179798 // NVD: CVE-2020-11919

CREDITS

Willem Westerhof | Secura

Trust: 0.1

sources: OTHER: None

SOURCES

db:OTHERid: -
db:PACKETSTORMid:179798
db:NVDid:CVE-2020-11919

LAST UPDATE DATE

2025-01-30T20:07:06.504000+00:00


SOURCES UPDATE DATE

db:NVDid:CVE-2020-11919date:2024-11-08T19:01:03.880

SOURCES RELEASE DATE

db:OTHERid: - date:2024-07-26T13:11:06
db:PACKETSTORMid:179798date:2024-07-30T12:35:43
db:NVDid:CVE-2020-11919date:2024-11-07T18:15:15.517