// For flags

CVE-2019-11063

SmartHome application has a broken access control vulnerability in its Web API Server

Severity Score

8.8
*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

1
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

A broken access control vulnerability in SmartHome app (Android versions up to 3.0.42_190515, ios versions up to 2.0.22) allows an attacker in the same local area network to list user accounts and control IoT devices that connect with its gateway (HG100) via http://[target]/smarthome/devicecontrol without any authentication. CVSS 3.0 base score 10 (Confidentiality, Integrity and Availability impacts). CVSS vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).

Una vulnerabilidad de control de acceso interrumpida en la aplicación SmartHome (versiones de Android hasta 3.0.42_190515, versiones de iOS hasta 2.0.22) permite a un atacante dentro de la misma red de área local enumerar cuentas de usuario y controlar dispositivos IoT que conectan con su puerta de enlace (HG100) por medio de http://[target]/smarthome/devicecontrol sin ninguna autenticación. CVSS 3.0 Puntuación Base 10 (Impactos de Confidencialidad, Integridad y Disponibilidad). Vector CVSS: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).

*Credits: timhuang
CVSS Scores
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High
Attack Vector
Adjacent
Attack Complexity
Low
Authentication
None
Confidentiality
Complete
Integrity
Complete
Availability
Complete
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2019-04-09 CVE Reserved
  • 2019-08-29 CVE Published
  • 2024-08-13 EPSS Updated
  • 2024-09-16 CVE Updated
  • 2024-09-16 First Exploit
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
  • CWE-306: Missing Authentication for Critical Function
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Asus
Search vendor "Asus"
Smarthome
Search vendor "Asus" for product "Smarthome"
< 2.0.22
Search vendor "Asus" for product "Smarthome" and version " < 2.0.22"
iphone_os
Affected
Asus
Search vendor "Asus"
Smarthome
Search vendor "Asus" for product "Smarthome"
< 3.0.42_190515
Search vendor "Asus" for product "Smarthome" and version " < 3.0.42_190515"
android
Affected