joshua@cyfire:~$

  • CVE-2019-15850: Remote Code Execution in HomeMatic central CCU3

    The HomeMatic CCU3 firmware version 3.41.11 has a Remote Code Execution (RCE) vulnerability in the ReGa.runScript method of the WebUI component. An authenticated attacker can easily execute code and compromise the system.

  • CVE-2019-15849: Session Fixation in HomeMatic CCU3

    HomeMatic CCU3 firmware 3.41.11 has a session fixation vulnerability. An attacker can create a session ID and send it to the victim. After the victim logs in to the WebUI, the attacker can use that session. The attacker could create an SSH login via the WebUI and easily compromise the...

  • CVE-2019-14423: Remote Code Execution in HomeMatic CUx-Daemon

    A Remote Code Execution (RCE) issue in the add-on CUx-Daemon version 1.5 of the HomeMatic CCU-Firmware 2.35.16 until 2.45.6 allows remote authenticated attackers to execute system commands as root via a simple HTTP request.

  • CVE-2019-14424: Local File Inclusion in HomeMatic CUx-Daemon

    A Local File Inclusion (LFI) issue in the add-on CUx-Daemon version 1.11a of the HomeMatic CCU-Firmware 2.35.16 until 2.45.6 allows remote authenticated attackers to read sensitive files via a simple HTTP request.

  • CVE-2019-3702: Remote Code Execution in Lifesize Icon

    A Remote Code Execution issue in the DNS Query Web UI in Lifesize Icon LS_RM3_3.7.0 (2421) allows remote authenticated attackers to execute arbitrary commands via a crafted DNS Query address field in a JSON API request.