Vulnerability Description
On eQ-3 HomeMatic CCU2 devices before 2.41.8 and CCU3 devices before 3.43.16, automatic login configuration (aka setAutoLogin) can be achieved by continuing to use a session ID after a logout, aka HMCCU-154.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Eq-3 | Ccu3 Firmware | < 3.43.16 |
| Eq-3 | Ccu3 | - |
| Eq-3 | Ccu2 Firmware | < 2.41.8 |
| Eq-3 | Ccu2 | - |
Related Weaknesses (CWE)
References
- https://www.eq-3.de/Downloads/Software/CCU3-Firmware/CCU3-3.43.16/CCU3-ChangelogRelease NotesVendor Advisory
- https://www.eq-3.de/Downloads/Software/HM-CCU2-Firmware_Updates/HM-CCU-2.41.9/HMRelease NotesVendor Advisory
- https://www.eq-3.de/Downloads/Software/CCU3-Firmware/CCU3-3.43.16/CCU3-ChangelogRelease NotesVendor Advisory
- https://www.eq-3.de/Downloads/Software/HM-CCU2-Firmware_Updates/HM-CCU-2.41.9/HMRelease NotesVendor Advisory
FAQ
What is CVE-2019-10120?
CVE-2019-10120 is a vulnerability with a CVSS score of 8.8 (HIGH). On eQ-3 HomeMatic CCU2 devices before 2.41.8 and CCU3 devices before 3.43.16, automatic login configuration (aka setAutoLogin) can be achieved by continuing to use a session ID after a logout, aka HMC...
How severe is CVE-2019-10120?
CVE-2019-10120 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2019-10120?
Check the references section above for vendor advisories and patch information. Affected products include: Eq-3 Ccu3 Firmware, Eq-3 Ccu3, Eq-3 Ccu2 Firmware, Eq-3 Ccu2.