CVE-2020-21998 - OpenCVE

In HomeAutomation 3.3.2 input passed via the 'redirect' GET parameter in 'api.php' script is not properly verified before being used to redirect users. This can be exploited to redirect a user to an arbitrary website e.g. when a user clicks a specially crafted link to the affected script hosted on a trusted domain.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:N/C:P/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Homeautomation Project	Homeautomation

Configuration 1 [-]

cpe:2.3:a:homeautomation_project:homeautomation:3.3.2:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://cxsecurity.com/issue/WLB-2019120132
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5559.php

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2021-04-27T17:46:42

Updated: 2024-08-04T14:30:33.558Z

Reserved: 2020-08-13T00:00:00

Link: CVE-2020-21998

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2021-04-27T18:15:07.837

Modified: 2021-05-06T14:19:10.177

Link: CVE-2020-21998

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "In HomeAutomation 3.3.2 input passed via the 'redirect' GET parameter in 'api.php' script is not properly verified before being used to redirect users. This can be exploited to redirect a user to an arbitrary website e.g. when a user clicks a specially crafted link to the affected script hosted on a trusted domain."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2021-04-27T17:46:42", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5559.php"}, {"tags": ["x_refsource_MISC"], "url": "https://cxsecurity.com/issue/WLB-2019120132"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2020-21998", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "In HomeAutomation 3.3.2 input passed via the 'redirect' GET parameter in 'api.php' script is not properly verified before being used to redirect users. This can be exploited to redirect a user to an arbitrary website e.g. when a user clicks a specially crafted link to the affected script hosted on a trusted domain."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5559.php", "refsource": "MISC", "url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5559.php"}, {"name": "https://cxsecurity.com/issue/WLB-2019120132", "refsource": "MISC", "url": "https://cxsecurity.com/issue/WLB-2019120132"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T14:30:33.558Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5559.php"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://cxsecurity.com/issue/WLB-2019120132"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2020-21998", "datePublished": "2021-04-27T17:46:42", "dateReserved": "2020-08-13T00:00:00", "dateUpdated": "2024-08-04T14:30:33.558Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:homeautomation_project:homeautomation:3.3.2:*:*:*:*:*:*:*", "matchCriteriaId": "28A14AE8-CCA1-4402-A897-1011C31935A4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In HomeAutomation 3.3.2 input passed via the 'redirect' GET parameter in 'api.php' script is not properly verified before being used to redirect users. This can be exploited to redirect a user to an arbitrary website e.g. when a user clicks a specially crafted link to the affected script hosted on a trusted domain."}, {"lang": "es", "value": "En HomeAutomation versi\u00f3n 3.3.2, la entrada pasada por medio del par\u00e1metro GET \"redirect\" en el script \"api.php\" no es comprobado apropiadamente antes de ser usado para redireccionar a usuarios. Esto puede ser explotado para redireccionar a un usuario a un sitio web arbitrario, por ejemplo, cuando un usuario hace clic en un enlace especialmente dise\u00f1ado al script afectado alojado en un dominio confiable"}], "id": "CVE-2020-21998", "lastModified": "2021-05-06T14:19:10.177", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-04-27T18:15:07.837", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://cxsecurity.com/issue/WLB-2019120132"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5559.php"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-601"}], "source": "nvd@nist.gov", "type": "Primary"}]}