Vulnerabilities > EQ 3 > Medium

DATE CVE VULNERABILITY TITLE RISK
2019-10-17 CVE-2019-15849 Session Fixation vulnerability in Eq-3 Homematic Ccu3 Firmware 3.14.11
eQ-3 HomeMatic CCU3 firmware 3.41.11 allows session fixation.
network
eq-3 CWE-384
4.9
4.9
2019-10-17 CVE-2019-14424 Information Exposure vulnerability in Eq-3 Ccu2 Firmware and Cux-Daemon
A Local File Inclusion (LFI) issue in the addon CUx-Daemon 1.11a of the eQ-3 Homematic CCU-Firmware 2.35.16 until 2.45.6 allows remote authenticated attackers to read sensitive files via a simple HTTP Request.
network
low complexity
eq-3 CWE-200
4.0
4.0
2019-08-14 CVE-2019-9583 Resource Exhaustion vulnerability in Eq-3 Homematic Ccu2 Firmware and Homematic Ccu3 Firmware
eQ-3 Homematic CCU2 and CCU3 obtain session IDs without login.
network
low complexity
eq-3 CWE-400
6.4
6.4
2019-08-13 CVE-2019-14984 Missing Authentication for Critical Function vulnerability in Eq-3 Homematic Ccu2 Firmware and Homematic Ccu3 Firmware
eQ-3 Homematic CCU2 and CCU3 with the XML-API through 1.2.0 AddOn installed allow Remote Code Execution by unauthenticated attackers with access to the web interface, because the undocumented addons/xmlapi/exec.cgi script uses CMD_EXEC to execute TCL code from a POST request.
network
eq-3 CWE-306
6.8
6.8
2019-08-07 CVE-2019-14474 Improper Input Validation vulnerability in Eq-3 Ccu3 Firmware
eQ-3 Homematic CCU3 3.47.15 and prior has Improper Input Validation in function 'Call()' of ReGa core logic process, resulting in the ability to start a Denial of Service.
network
low complexity
eq-3 CWE-20
5.0
5.0
2019-08-06 CVE-2019-14473 Missing Authorization vulnerability in Eq-3 Ccu2 Firmware and Ccu3 Firmware
eQ-3 Homematic CCU2 and CCU3 use session IDs for authentication but lack authorization checks.
network
low complexity
eq-3 CWE-862
6.5
6.5
2019-08-05 CVE-2019-14475 Missing Authorization vulnerability in Eq-3 Ccu2 Firmware and Ccu3 Firmware
eQ-3 Homematic CCU2 2.47.15 and prior and CCU3 3.47.15 and prior use session IDs for authentication but lack authorization checks.
network
low complexity
eq-3 CWE-862
5.0
5.0
2019-07-10 CVE-2019-10120 Session Fixation vulnerability in Eq-3 Ccu2 Firmware and Ccu3 Firmware
On eQ-3 HomeMatic CCU2 devices before 2.41.8 and CCU3 devices before 3.43.16, automatic login configuration (aka setAutoLogin) can be achieved by continuing to use a session ID after a logout, aka HMCCU-154.
network
low complexity
eq-3 CWE-384
6.5
6.5
2019-05-13 CVE-2019-9727 Missing Authentication for Critical Function vulnerability in Eq-3 Ccu3 Firmware
Unauthenticated password hash disclosure in the User.getUserPWD method in eQ-3 AG Homematic CCU3 3.43.15 and earlier allows remote attackers to retrieve the GUI password hashes of GUI users.
network
low complexity
eq-3 CWE-306
5.0
5.0
2019-05-13 CVE-2019-9726 Path Traversal vulnerability in Eq-3 Ccu3 Firmware
Directory Traversal / Arbitrary File Read in eQ-3 AG Homematic CCU3 3.43.15 and earlier allows remote attackers to read arbitrary files of the device's filesystem.
network
low complexity
eq-3 CWE-22
5.0
5.0