Vulnerability Details : CVE-2019-11334
An authentication bypass in website post requests in the Tzumi Electronics Klic Lock application 1.0.9 for mobile devices allows attackers to access resources (that are not otherwise accessible without proper authentication) via capture-replay. Physically proximate attackers can use this information to unlock unauthorized Tzumi Electronics Klic Smart Padlock Model 5686 Firmware 6.2.
Products affected by CVE-2019-11334
- cpe:2.3:a:tzumi:klic_lock:1.0.9:*:*:*:*:*:*:*
- cpe:2.3:o:tzumi:klic_smart_padlock_model_5686_firmware:6.2:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2019-11334
0.38%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 74 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2019-11334
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
4.3
|
MEDIUM | AV:N/AC:M/Au:N/C:P/I:N/A:N |
8.6
|
2.9
|
NIST | |
3.7
|
LOW | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N |
2.2
|
1.4
|
NIST |
CWE ids for CVE-2019-11334
-
A capture-replay flaw exists when the design of the product makes it possible for a malicious user to sniff network traffic and bypass authentication by replaying it to the server in question to the same effect as the original message (or with minor changes).Assigned by: nvd@nist.gov (Primary)
References for CVE-2019-11334
-
http://packetstormsecurity.com/files/153280/Tzumi-Electronics-Klic-Lock-Authentication-Bypass.html
Tzumi Electronics Klic Lock Authentication Bypass ≈ Packet StormExploit;Third Party Advisory;VDB Entry
-
https://github.com/whitehatdefenses/KlicUnLock
GitHub - whitehatdefenses/KlicUnLockExploit;Third Party Advisory
Jump to