eQ-3 HomeMatic CCU2 devices before 2.41.8 and CCU3 devices before 3.43.16 use session IDs for authentication but lack authorization checks. An attacker can obtain a session ID via an invalid login attempt to the RemoteApi account, aka HMCCU-154. This leads to automatic login as admin.
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2019-07-10T11:50:44

Updated: 2024-08-04T22:10:09.905Z

Reserved: 2019-03-27T00:00:00

Link: CVE-2019-10119

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2019-07-10T12:15:12.093

Modified: 2024-11-21T04:18:27.130

Link: CVE-2019-10119

cve-icon Redhat

No data.