Vulnerability Description
A Local File Inclusion (LFI) issue in the addon CUx-Daemon 1.11a of the eQ-3 Homematic CCU-Firmware 2.35.16 until 2.45.6 allows remote authenticated attackers to read sensitive files via a simple HTTP Request.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Eq-3 | Cux-Daemon | >= 1.11a, <= 2.2.0 |
| Eq-3 | Ccu2 Firmware | >= 2.35.16, <= 2.45.6 |
| Eq-3 | Ccu2 | - |
Related Weaknesses (CWE)
References
- https://noskill1337.github.io/homematic-with-cux-daemon-local-file-inclusionExploitMitigationThird Party Advisory
- https://www.eq-3.com/products/homematic.htmlVendor Advisory
- https://noskill1337.github.io/homematic-with-cux-daemon-local-file-inclusionExploitMitigationThird Party Advisory
- https://www.eq-3.com/products/homematic.htmlVendor Advisory
FAQ
What is CVE-2019-14424?
CVE-2019-14424 is a vulnerability with a CVSS score of 6.5 (MEDIUM). A Local File Inclusion (LFI) issue in the addon CUx-Daemon 1.11a of the eQ-3 Homematic CCU-Firmware 2.35.16 until 2.45.6 allows remote authenticated attackers to read sensitive files via a simple HTTP...
How severe is CVE-2019-14424?
CVE-2019-14424 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2019-14424?
Check the references section above for vendor advisories and patch information. Affected products include: Eq-3 Cux-Daemon, Eq-3 Ccu2 Firmware, Eq-3 Ccu2.