Vulnerabilities > EQ 3
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2019-07-10 | CVE-2019-10122 | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Eq-3 Ccu2 Firmware and Ccu3 Firmware eQ-3 HomeMatic CCU2 devices before 2.41.9 and CCU3 devices before 3.43.16 have buffer overflows in the ReGa ise GmbH HTTP-Server 2.0 component, aka HMCCU-179. | 7.5 |
| 2019-07-10 | CVE-2019-10121 | Missing Authentication for Critical Function vulnerability in Eq-3 Ccu2 Firmware and Ccu3 Firmware eQ-3 HomeMatic CCU2 devices before 2.41.8 and CCU3 devices before 3.43.15 use session IDs for authentication but lack authorization checks. | 7.5 |
| 2019-07-10 | CVE-2019-10120 | Session Fixation vulnerability in Eq-3 Ccu2 Firmware and Ccu3 Firmware On eQ-3 HomeMatic CCU2 devices before 2.41.8 and CCU3 devices before 3.43.16, automatic login configuration (aka setAutoLogin) can be achieved by continuing to use a session ID after a logout, aka HMCCU-154. | 6.5 |
| 2019-07-10 | CVE-2019-10119 | Missing Authentication for Critical Function vulnerability in Eq-3 Ccu2 Firmware and Ccu3 Firmware eQ-3 HomeMatic CCU2 devices before 2.41.8 and CCU3 devices before 3.43.16 use session IDs for authentication but lack authorization checks. | 7.5 |
| 2019-05-13 | CVE-2019-9727 | Missing Authentication for Critical Function vulnerability in Eq-3 Ccu3 Firmware Unauthenticated password hash disclosure in the User.getUserPWD method in eQ-3 AG Homematic CCU3 3.43.15 and earlier allows remote attackers to retrieve the GUI password hashes of GUI users. | 5.0 |
| 2019-05-13 | CVE-2019-9726 | Path Traversal vulnerability in Eq-3 Ccu3 Firmware Directory Traversal / Arbitrary File Read in eQ-3 AG Homematic CCU3 3.43.15 and earlier allows remote attackers to read arbitrary files of the device's filesystem. | 5.0 |
| 2018-02-22 | CVE-2018-7301 | Missing Authentication for Critical Function vulnerability in Eq-3 Homematic Central Control Unit Ccu2 Firmware 2.29.22 eQ-3 AG HomeMatic CCU2 2.29.22 devices have an open XML-RPC port without authentication. | 7.5 |
| 2018-02-22 | CVE-2018-7300 | Path Traversal vulnerability in Eq-3 Homematic Ccu2 Firmware Directory Traversal / Arbitrary File Write / Remote Code Execution in the User.setLanguage method in eQ-3 AG Homematic CCU2 2.29.2 and earlier allows remote attackers to write arbitrary files to the device's filesystem. | 10.0 |
| 2018-02-22 | CVE-2018-7299 | Unspecified vulnerability in Eq-3 Homematic Central Control Unit Ccu2 Firmware Remote Code Execution in the addon installation process in eQ-3 AG Homematic CCU2 2.29.2 and earlier allows authenticated attackers to create or overwrite arbitrary files or install malicious software on the device. low complexity eq-3 | 5.2 |
| 2018-02-22 | CVE-2018-7298 | Cleartext Transmission of Sensitive Information vulnerability in Eq-3 Homematic Central Control Unit Ccu2 Firmware 2.29.22 In /usr/local/etc/config/addons/mh/loopupd.sh on eQ-3 AG HomeMatic CCU2 2.29.22 devices, software update packages are downloaded via the HTTP protocol, which does not provide any cryptographic protection of the downloaded contents. | 9.3 |