CVE-2019-11063
SmartHome application has a broken access control vulnerability in its Web API Server
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
1Exploited in Wild
-Decision
Descriptions
A broken access control vulnerability in SmartHome app (Android versions up to 3.0.42_190515, ios versions up to 2.0.22) allows an attacker in the same local area network to list user accounts and control IoT devices that connect with its gateway (HG100) via http://[target]/smarthome/devicecontrol without any authentication. CVSS 3.0 base score 10 (Confidentiality, Integrity and Availability impacts). CVSS vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).
Una vulnerabilidad de control de acceso interrumpida en la aplicación SmartHome (versiones de Android hasta 3.0.42_190515, versiones de iOS hasta 2.0.22) permite a un atacante dentro de la misma red de área local enumerar cuentas de usuario y controlar dispositivos IoT que conectan con su puerta de enlace (HG100) por medio de http://[target]/smarthome/devicecontrol sin ninguna autenticación. CVSS 3.0 Puntuación Base 10 (Impactos de Confidencialidad, Integridad y Disponibilidad). Vector CVSS: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).
CVSS Scores
SSVC
- Decision:-
Timeline
- 2019-04-09 CVE Reserved
- 2019-08-29 CVE Published
- 2024-08-13 EPSS Updated
- 2024-09-16 CVE Updated
- 2024-09-16 First Exploit
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-306: Missing Authentication for Critical Function
CAPEC
References (3)
URL | Tag | Source |
---|---|---|
http://surl.twcert.org.tw/5LWQJ | Third Party Advisory | |
https://tvn.twcert.org.tw/taiwanvn/TVN-201908014 | Third Party Advisory |
URL | Date | SRC |
---|---|---|
https://github.com/tim124058/ASUS-SmartHome-Exploit | 2024-09-16 |
URL | Date | SRC |
---|
URL | Date | SRC |
---|
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Asus Search vendor "Asus" | Smarthome Search vendor "Asus" for product "Smarthome" | < 2.0.22 Search vendor "Asus" for product "Smarthome" and version " < 2.0.22" | iphone_os |
Affected
| ||||||
Asus Search vendor "Asus" | Smarthome Search vendor "Asus" for product "Smarthome" | < 3.0.42_190515 Search vendor "Asus" for product "Smarthome" and version " < 3.0.42_190515" | android |
Affected
|