CVE-2024-7205 - Vulnerability Details - OpenCVE

Description

When the device is shared, the homepage module are before 2.19.0 in eWeLink Cloud Service allows Secondary user to take over devices as primary user via sharing unnecessary device-sensitive information.

Published: 2024-07-31

Score: 9.4 Critical

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

No analysis available yet.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

CoolKit

eWeLink Cloud Service

unaffected

Version	Status	Constraints
`2.0.0`	affected	< 2.19.0

No data.

No data.

No data available yet.

Remediation

Vendor Solution

The cloud has fixed the issue in the new version, and users do not need to do anything.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2024-48173	When the device is shared, the homepage module are before 2.19.0 in eWeLink Cloud Service allows Secondary user to take over devices as primary user via sharing unnecessary device-sensitive information.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction Passive

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact High

Subsequent System Integrity Impact High

Subsequent System Availability Impact High

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00201.

Exploitation none

Automatable no

Technical Impact total

References

Link	Providers
https://ewelink.cc/security-advisory-240730/

History

No history.

Subscriptions

Coolkit Ewelink

MITRE

Status: PUBLISHED

Assigner: CoolKit

Published: 2024-07-31T05:51:03.427Z

Updated: 2024-07-31T14:56:35.429Z

Reserved: 2024-07-29T11:11:17.421Z

Link: CVE-2024-7205

Vulnrichment

Updated: 2024-07-31T14:56:24.977Z

NVD

Status : Awaiting Analysis

Published: 2024-07-31T06:15:05.327

Modified: 2024-07-31T15:15:10.993

Link: CVE-2024-7205

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

CWE-201

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-7205", "assignerOrgId": "68870bb1-d075-4169-957d-e580b18692b9", "state": "PUBLISHED", "assignerShortName": "CoolKit", "dateReserved": "2024-07-29T11:11:17.421Z", "datePublished": "2024-07-31T05:51:03.427Z", "dateUpdated": "2024-07-31T14:56:35.429Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "modules": ["homepage"], "platforms": ["Linux"], "product": "eWeLink Cloud Service", "vendor": "CoolKit", "versions": [{"lessThan": "2.19.0", "status": "affected", "version": "2.0.0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "reporter", "value": "Aarav Sinha, Senior Security Researcher, FEV India Pvt Ltd."}, {"lang": "en", "type": "reporter", "value": "Jerin Sunny, Security Researcher, FEV India Pvt Ltd."}, {"lang": "en", "type": "reporter", "value": "Shakir Zari,Security Researcher,FEV India Pvt Ltd."}], "datePublic": "2024-07-30T11:20:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": " When the device is shared, the homepage module are before 2.19.0  <span style=\"background-color: rgb(255, 255, 255);\">in eWeLink Cloud Service </span>allows Secondary user to take over devices as primary user via sharing unnecessary device-sensitive information."}], "value": "When the device is shared,\u00a0the homepage module are before 2.19.0 \u00a0in eWeLink Cloud Service\u00a0allows Secondary user to take over devices as primary user via sharing unnecessary device-sensitive information."}], "impacts": [{"capecId": "CAPEC-383", "descriptions": [{"lang": "en", "value": "CAPEC-383 Harvesting Information via API Event Monitoring"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NO", "Recovery": "USER", "Safety": "PRESENT", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 9.4, "baseSeverity": "CRITICAL", "privilegesRequired": "NONE", "providerUrgency": "GREEN", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "PASSIVE", "valueDensity": "DIFFUSE", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/S:P/AU:N/R:U/V:D/RE:L/U:Green", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "LOW"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-201", "description": "CWE-201 Insertion of Sensitive Information Into Sent Data", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "68870bb1-d075-4169-957d-e580b18692b9", "shortName": "CoolKit", "dateUpdated": "2024-07-31T05:51:03.427Z"}, "references": [{"url": "https://ewelink.cc/security-advisory-240730/"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "The cloud has fixed the issue in the new version, and users do not need to do anything.<br>"}], "value": "The cloud has fixed the issue in the new version, and users do not need to do anything."}], "source": {"discovery": "EXTERNAL"}, "tags": ["exclusively-hosted-service"], "title": "sharing unnecessary device-sensitive information allows Secondary user able to take over devices as primary user", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"affected": [{"vendor": "coolkit", "product": "ewelink", "cpes": ["cpe:2.3:a:coolkit:ewelink:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "2.19.0", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-07-31T14:43:03.470070Z", "id": "CVE-2024-7205", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-31T14:56:35.429Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-7205", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-07-31T14:43:03.470070Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:coolkit:ewelink:*:*:*:*:*:*:*:*"], "vendor": "coolkit", "product": "ewelink", "versions": [{"status": "affected", "version": "0", "lessThan": "2.19.0", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-31T14:56:24.977Z"}}], "cna": {"tags": ["exclusively-hosted-service"], "title": "sharing unnecessary device-sensitive information allows Secondary user able to take over devices as primary user", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "reporter", "value": "Aarav Sinha, Senior Security Researcher, FEV India Pvt Ltd."}, {"lang": "en", "type": "reporter", "value": "Jerin Sunny, Security Researcher, FEV India Pvt Ltd."}, {"lang": "en", "type": "reporter", "value": "Shakir Zari,Security Researcher,FEV India Pvt Ltd."}], "impacts": [{"capecId": "CAPEC-383", "descriptions": [{"lang": "en", "value": "CAPEC-383 Harvesting Information via API Event Monitoring"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "PRESENT", "version": "4.0", "Recovery": "USER", "baseScore": 9.4, "Automatable": "NO", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "DIFFUSE", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/S:P/AU:N/R:U/V:D/RE:L/U:Green", "providerUrgency": "GREEN", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "CoolKit", "modules": ["homepage"], "product": "eWeLink Cloud Service", "versions": [{"status": "affected", "version": "2.0.0", "lessThan": "2.19.0", "versionType": "custom"}], "platforms": ["Linux"], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "The cloud has fixed the issue in the new version, and users do not need to do anything.", "supportingMedia": [{"type": "text/html", "value": "The cloud has fixed the issue in the new version, and users do not need to do anything.<br>", "base64": false}]}], "datePublic": "2024-07-30T11:20:00.000Z", "references": [{"url": "https://ewelink.cc/security-advisory-240730/"}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "When the device is shared,\u00a0the homepage module are before 2.19.0 \u00a0in eWeLink Cloud Service\u00a0allows Secondary user to take over devices as primary user via sharing unnecessary device-sensitive information.", "supportingMedia": [{"type": "text/html", "value": " When the device is shared, the homepage module are before 2.19.0  <span style=\"background-color: rgb(255, 255, 255);\">in eWeLink Cloud Service </span>allows Secondary user to take over devices as primary user via sharing unnecessary device-sensitive information.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-201", "description": "CWE-201 Insertion of Sensitive Information Into Sent Data"}]}], "providerMetadata": {"orgId": "68870bb1-d075-4169-957d-e580b18692b9", "shortName": "CoolKit", "dateUpdated": "2024-07-31T05:51:03.427Z"}}}, "cveMetadata": {"cveId": "CVE-2024-7205", "state": "PUBLISHED", "dateUpdated": "2024-07-31T14:56:35.429Z", "dateReserved": "2024-07-29T11:11:17.421Z", "assignerOrgId": "68870bb1-d075-4169-957d-e580b18692b9", "datePublished": "2024-07-31T05:51:03.427Z", "assignerShortName": "CoolKit"}, "dataVersion": "5.1"}

{"cveTags": [{"sourceIdentifier": "68870bb1-d075-4169-957d-e580b18692b9", "tags": ["exclusively-hosted-service"]}], "descriptions": [{"lang": "en", "value": "When the device is shared,\u00a0the homepage module are before 2.19.0 \u00a0in eWeLink Cloud Service\u00a0allows Secondary user to take over devices as primary user via sharing unnecessary device-sensitive information."}, {"lang": "es", "value": "Cuando se comparte el dispositivo, el m\u00f3dulo de la p\u00e1gina de inicio es anterior a 2.19.0 en eWeLink Cloud Service y permite al usuario secundario asumir el control de los dispositivos como usuario principal compartiendo informaci\u00f3n confidencial innecesaria del dispositivo."}], "id": "CVE-2024-7205", "lastModified": "2024-07-31T15:15:10.993", "metrics": {"cvssMetricV40": [{"cvssData": {"attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "automatable": "NO", "availabilityRequirements": "NOT_DEFINED", "baseScore": 9.4, "baseSeverity": "CRITICAL", "confidentialityRequirements": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirements": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubsequentSystemAvailability": "NOT_DEFINED", "modifiedSubsequentSystemConfidentiality": "NOT_DEFINED", "modifiedSubsequentSystemIntegrity": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnerableSystemAvailability": "NOT_DEFINED", "modifiedVulnerableSystemConfidentiality": "NOT_DEFINED", "modifiedVulnerableSystemIntegrity": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "GREEN", "recovery": "USER", "safety": "PRESENT", "subsequentSystemAvailability": "HIGH", "subsequentSystemConfidentiality": "HIGH", "subsequentSystemIntegrity": "HIGH", "userInteraction": "PASSIVE", "valueDensity": "DIFFUSE", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:P/AU:N/R:U/V:D/RE:L/U:Green", "version": "4.0", "vulnerabilityResponseEffort": "LOW", "vulnerableSystemAvailability": "HIGH", "vulnerableSystemConfidentiality": "HIGH", "vulnerableSystemIntegrity": "HIGH"}, "source": "68870bb1-d075-4169-957d-e580b18692b9", "type": "Secondary"}]}, "published": "2024-07-31T06:15:05.327", "references": [{"source": "68870bb1-d075-4169-957d-e580b18692b9", "url": "https://ewelink.cc/security-advisory-240730/"}], "sourceIdentifier": "68870bb1-d075-4169-957d-e580b18692b9", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-201"}], "source": "68870bb1-d075-4169-957d-e580b18692b9", "type": "Secondary"}]}