CyberSec.Space Logo
Back to CVE Browser

CVE-2019-11063

CRITICAL
10.0
CVSS Severity Score
EPSS Score0.1060%
EPSS Percentile10.95th
PublishedAug 29, 2019
Last ModifiedNov 21, 2024

Vulnerability Description

A broken access control vulnerability in SmartHome app (Android versions up to 3.0.42_190515, ios versions up to 2.0.22) allows an attacker in the same local area network to list user accounts and control IoT devices that connect with its gateway (HG100) via http://[target]/smarthome/devicecontrol without any authentication. CVSS 3.0 base score 10 (Confidentiality, Integrity and Availability impacts). CVSS vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).

Affected Platforms (CPE)

πŸ“¦
Asus

Smarthome

< 2.0.22
πŸ“¦
Asus

Smarthome

< 3.0.42_190515

References & Advisories

πŸ”— http://surl.twcert.org.tw/5LWQJ
πŸ”— https://github.com/tim124058/ASUS-SmartHome-Exploit/
πŸ”— https://tvn.twcert.org.tw/taiwanvn/TVN-201908014
πŸ”— http://surl.twcert.org.tw/5LWQJ
πŸ”— https://github.com/tim124058/ASUS-SmartHome-Exploit/
πŸ”— https://tvn.twcert.org.tw/taiwanvn/TVN-201908014

Related Vulnerabilities

CVE-2020-95509.8

Rubetek SmartHome 2020 devices use unencrypted 433 MHz communication between controllers and beacons, allowing an attacker to snif...

CVE-2020-141147.5

information leakage vulnerability exists in the Xiaomi SmartHome APP. This vulnerability is caused by illegal calls of some sensit...

CVE-2017-27047.5

Smarthome 1.0.2.364 and earlier versions,HiAPP 7.3.0.303 and earlier versions,HwParentControl 2.0.0 and earlier versions,HwParentC...

CVE-2021-266387.3

Improper Authentication vulnerability in S&D smarthome(smartcare) application can cause authentication bypass and information expo...