Vulnerability Details : CVE-2019-18939
eQ-3 Homematic CCU2 2.47.20 and CCU3 3.47.18 with the HM-Print AddOn through 1.2a installed allow Remote Code Execution by unauthenticated attackers with access to the web interface via the exec.cgi and exec1.cgi scripts, which execute TCL script content from an HTTP POST request.
Vulnerability category: Execute code
Exploit prediction scoring system (EPSS) score for CVE-2019-18939
Probability of exploitation activity in the next 30 days: 1.29%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 84 %
CVSS scores for CVE-2019-18939
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
---|---|---|---|---|---|
7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P | 10.0 | 6.4 | NIST |
9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 | NIST |
CWE ids for CVE-2019-18939
- The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources. Assigned by: nvd@nist.gov (Primary)
References for CVE-2019-18939
- https://psytester.github.io/CVE-2019-18939/
  CVE-2019-18939 eQ-3 Homematic AddOn 'HM-Print' version 1.2a and prior on CCU2 and CCU3 allows Remote Code Execution by unauthenticated attackers with access to the web interface by usage of exec.cgi
  Exploit; Third Party Advisory
Products affected by CVE-2019-18939
- cpe:2.3:o:eq-3:homematic_ccu2_firmware:2.47.20:*:*:*:*:*:*:*
- cpe:2.3:o:eq-3:homematic_ccu3_firmware:3.47.18:*:*:*:*:*:*:*
- cpe:2.3:a:hm-print_project:hm-print:1.2a:*:*:*:*:*:*:*
- cpe:2.3:a:hm-print_project:hm-print:1.2:*:*:*:*:*:*:*