CVE-2022-35887 — HIGH (8.8)

Vulnerability Description

Four format string injection vulnerabilities exist in the web interface /action/wirelessConnect functionality of Abode Systems, Inc. iota All-In-One Security Kit 6.9Z and 6.9X. A specially-crafted HTTP request can lead to memory corruption, information disclosure and denial of service. An attacker can make an authenticated HTTP request to trigger these vulnerabilities.This vulnerability arises from format string injection via the `default_key_id` HTTP parameter, as used within the `/action/wirelessConnect` handler.

CVSS Score

8.8

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Goabode	Iota All-In-One Security Kit Firmware	6.9x

Related Weaknesses (CWE)

CWE-134

References

https://talosintelligence.com/vulnerability_reports/TALOS-2022-1585ExploitTechnical DescriptionThird Party Advisory
https://talosintelligence.com/vulnerability_reports/TALOS-2022-1585ExploitTechnical DescriptionThird Party Advisory

FAQ

What is CVE-2022-35887?

CVE-2022-35887 is a vulnerability with a CVSS score of 8.8 (HIGH). Four format string injection vulnerabilities exist in the web interface /action/wirelessConnect functionality of Abode Systems, Inc. iota All-In-One Security Kit 6.9Z and 6.9X. A specially-crafted HTT...

How severe is CVE-2022-35887?

CVE-2022-35887 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2022-35887?

Check the references section above for vendor advisories and patch information. Affected products include: Goabode Iota All-In-One Security Kit Firmware.