CVE-2019-15849

eQ-3 HomeMatic CCU3 firmware 3.41.11 allows session fixation. An attacker can create session IDs and send them to the victim. After the victim logs in to the session, the attacker can use that session. The attacker could create SSH logins after a valid session and easily compromise the system.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.3 HIGH
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 33%
VendorProductVersion
eq-3homematic_ccu3_firmware
3.14.11
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://noskill1337.github.io/homematic-ccu3-session-fixation
https://www.eq-3.com/products/homematic.html
https://noskill1337.github.io/homematic-ccu3-session-fixation
https://www.eq-3.com/products/homematic.html