Vulnerabilities > EQ 3

DATE CVE VULNERABILITY TITLE RISK
2020-05-15 CVE-2020-12834 Incorrect Default Permissions vulnerability in Eq-3 Ccu3 Firmware and Homematic Ccu2 Firmware
eQ-3 Homematic Central Control Unit (CCU)2 through 2.51.6 and CCU3 through 3.51.6 allow Remote Code Execution in the JSON API Method ReGa.runScript, by unauthenticated attackers with access to the web interface, due to the default auto-login feature being enabled during first-time setup (or factory reset).
network
low complexity
eq-3 CWE-276
7.5
2019-11-14 CVE-2019-18939 Improper Input Validation vulnerability in multiple products
eQ-3 Homematic CCU2 2.47.20 and CCU3 3.47.18 with the HM-Print AddOn through 1.2a installed allow Remote Code Execution by unauthenticated attackers with access to the web interface via the exec.cgi and exec1.cgi scripts, which execute TCL script content from an HTTP POST request.
network
low complexity
hm-print-project eq-3 CWE-20
7.5
2019-11-14 CVE-2019-18938 Improper Input Validation vulnerability in multiple products
eQ-3 Homematic CCU2 2.47.20 and CCU3 3.47.18 with the E-Mail AddOn through 1.6.8.c installed allow Remote Code Execution by unauthenticated attackers with access to the web interface via the save.cgi script for payload upload and the testtcl.cgi script for its execution.
network
low complexity
hm-email-project eq-3 CWE-20
7.5
2019-11-14 CVE-2019-18937 Improper Input Validation vulnerability in multiple products
eQ-3 Homematic CCU2 2.47.20 and CCU3 3.47.18 with the Script Parser AddOn through 1.8 installed allow Remote Code Execution by unauthenticated attackers with access to the web interface via the exec.cgi script, which executes TCL script content from an HTTP POST request.
network
low complexity
scriptparser-project eq-3 CWE-20
7.5
2019-10-17 CVE-2019-15850 Missing Authorization vulnerability in Eq-3 Homematic Ccu3 Firmware 3.41.11
eQ-3 HomeMatic CCU3 firmware version 3.41.11 allows Remote Code Execution in the ReGa.runScript method.
network
low complexity
eq-3 CWE-862
critical
9.0
2019-10-17 CVE-2019-15849 Session Fixation vulnerability in Eq-3 Homematic Ccu3 Firmware 3.14.11
eQ-3 HomeMatic CCU3 firmware 3.41.11 allows session fixation.
network
eq-3 CWE-384
4.9
2019-10-17 CVE-2019-14424 Information Exposure vulnerability in Eq-3 Ccu2 Firmware and Cux-Daemon
A Local File Inclusion (LFI) issue in the addon CUx-Daemon 1.11a of the eQ-3 Homematic CCU-Firmware 2.35.16 until 2.45.6 allows remote authenticated attackers to read sensitive files via a simple HTTP Request.
network
low complexity
eq-3 CWE-200
4.0
2019-10-17 CVE-2019-14423 Code Injection vulnerability in Eq-3 Ccu2 Firmware and Cux-Daemon
A Remote Code Execution (RCE) issue in the addon CUx-Daemon 1.11a of the eQ-3 Homematic CCU-Firmware 2.35.16 until 2.45.6 allows remote authenticated attackers to execute system commands as root remotely via a simple HTTP request.
network
low complexity
eq-3 CWE-94
critical
9.0
2019-09-17 CVE-2019-16199 Missing Authentication FOR Critical Function vulnerability in Eq-3 Homematic Ccu2 Firmware and Homematic Ccu3 Firmware
eQ-3 Homematic CCU2 before 2.47.18 and CCU3 before 3.47.18 allow Remote Code Execution by unauthenticated attackers with access to the web interface via an HTTP POST request to certain URLs related to the ReGa core process.
network
low complexity
eq-3 CWE-306
7.5
2019-08-14 CVE-2019-9585 Missing Authentication FOR Critical Function vulnerability in Eq-3 Homematic Ccu2 Firmware and Homematic Ccu3 Firmware
eQ-3 Homematic CCU2 prior to 2.47.10 and CCU3 prior to 3.47.10 JSON API has Improper Access Control for Interface.***Metadata related operations, resulting in the ability to read, set and deletion of Metadata.
network
low complexity
eq-3 CWE-306
7.5