Vulnerability Details : CVE-2019-18938
eQ-3 Homematic CCU2 2.47.20 and CCU3 3.47.18 with the E-Mail AddOn through 1.6.8.c installed allow Remote Code Execution by unauthenticated attackers with access to the web interface via the save.cgi script for payload upload and the testtcl.cgi script for its execution.
Vulnerability category: Execute code
Products affected by CVE-2019-18938
- cpe:2.3:o:eq-3:homematic_ccu2_firmware:2.24.20:*:*:*:*:*:*:*
- cpe:2.3:o:eq-3:homematic_ccu3_firmware:3.47.18:*:*:*:*:*:*:*
- cpe:2.3:a:hm_email_project:hm_email:1.6.8c:*:*:*:*:*:*:*
- cpe:2.3:a:hm_email_project:hm_email:1.6.8b:*:*:*:*:*:*:*
- cpe:2.3:a:hm_email_project:hm_email:1.6.8a:*:*:*:*:*:*:*
- cpe:2.3:a:hm_email_project:hm_email:1.6.7c:*:*:*:*:*:*:*
- cpe:2.3:a:hm_email_project:hm_email:1.6.7b:*:*:*:*:*:*:*
- cpe:2.3:a:hm_email_project:hm_email:1.6.7a:*:*:*:*:*:*:*
- cpe:2.3:a:hm_email_project:hm_email:1.6.7:*:*:*:*:*:*:*
- cpe:2.3:a:hm_email_project:hm_email:1.6.6:*:*:*:*:*:*:*
- cpe:2.3:a:hm_email_project:hm_email:1.6.5:*:*:*:*:*:*:*
- cpe:2.3:a:hm_email_project:hm_email:1.6.4:*:*:*:*:*:*:*
- cpe:2.3:a:hm_email_project:hm_email:1.6.3:*:*:*:*:*:*:*
- cpe:2.3:a:hm_email_project:hm_email:1.6.2:*:*:*:*:*:*:*
- cpe:2.3:a:hm_email_project:hm_email:1.6.0:*:*:*:*:*:*:*
- cpe:2.3:a:hm_email_project:hm_email:1.6.8:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2019-18938
2.99%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 91 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2019-18938
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
7.5
|
HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
10.0
|
6.4
|
NIST | |
9.8
|
CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
3.9
|
5.9
|
NIST |
CWE ids for CVE-2019-18938
-
The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.Assigned by: nvd@nist.gov (Primary)
References for CVE-2019-18938
-
https://psytester.github.io/CVE-2019-18938/
CVE-2019-18938 eQ-3 Homematic AddOn 'E-Mail' version 1.6.8.c and prior on CCU2 and CCU3 allows Remote Code Execution by unauthenticated attackers with access to the web interface by usage of the save.Exploit;Third Party Advisory
Jump to