ID

VAR-202407-2660


CVE

CVE-2020-11926


TITLE

Luvion Grand Elite 3 Connect Credential Disclosure

Trust: 0.1

sources: PACKETSTORM: 179805

DESCRIPTION

An issue was discovered in Luvion Grand Elite 3 Connect through 2020-02-25. Clients can authenticate themselves to the device using a username and password. These credentials can be obtained through an unauthenticated web request, e.g., for a JavaScript file. Also, the disclosed information includes the SSID and WPA2 key for the Wi-Fi network the device is connected to.

[Additional Information] The disclosed information can be functionally used by an attacker to remotely gain access to normal camera functionality. (e.g. watch in someone's room over the internet)
[Vulnerability Type] Incorrect Access Control
[Vendor of Product] Luvion
[Affected Product Code Base] Luvion Grand elite 3 connect - Cannot be determined
[Affected Component] Webserver running on the device.
[Attack Type] Remote
[CVE Impact Other] Authentication bypass
[Attack Vectors] An attacker can simply browse to the device and retrieve the passwords.
[Has vendor confirmed or acknowledged the vulnerability?] true
[Discoverer] Willem Westerhof, Jasper Nota, Jim Blankendaal, Martijn Baalman from Qbit in assignment of the Consumentenbond
[Reference] N/A

Use CVE-2020-11926

Trust: 0.99

sources: NVD: CVE-2020-11926 // PACKETSTORM: 179805

CVSS

SEVERITY

CVSSV2

CVSSV3

134c704f-9b21-4f2e-91b3-4a467353bcc0: CVE-2020-11926
value: HIGH

Trust: 1.0

134c704f-9b21-4f2e-91b3-4a467353bcc0: CVE-2020-11926
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 3.6
version: 3.1

Trust: 1.0

sources: NVD: CVE-2020-11926

PROBLEMTYPE DATA

problemtype: CWE-79

Trust: 1.0

sources: NVD: CVE-2020-11926

TYPE

info disclosure

Trust: 0.1

sources: PACKETSTORM: 179805

EXTERNAL IDS

db: NVD, id: CVE-2020-11926

Trust: 1.2

db: OTHER, id: NONE

Trust: 0.1

db: PACKETSTORM, id: 179805

Trust: 0.1

sources: OTHER: None // PACKETSTORM: 179805 // NVD: CVE-2020-11926

REFERENCES

url:https://seclists.org/fulldisclosure/2024/jul/14

Trust: 1.0

url:https://nvd.nist.gov/vuln/detail/cve-2020-11926

Trust: 0.1

sources: PACKETSTORM: 179805 // NVD: CVE-2020-11926

CREDITS

Willem Westerhof | Secura

Trust: 0.1

sources: OTHER: None

SOURCES

db: OTHER, id: -
db: PACKETSTORM, id: 179805
db: NVD, id: CVE-2020-11926

LAST UPDATE DATE

2025-01-30T19:41:46.376000+00:00


SOURCES UPDATE DATE

db: NVD, id: CVE-2020-11926, date: 2024-11-08T19:01:03.880

SOURCES RELEASE DATE

db: OTHER, id: -, date: 2024-07-26T13:11:06
db: PACKETSTORM, id: 179805, date: 2024-07-30T12:35:43
db: NVD, id: CVE-2020-11926, date: 2024-11-07T18:15:15.667