This CPE summary could be partial or incomplete. Please contact us for a detailed listing.

Summary

Detail
Vendor Eq-3 First view 2019-08-13
Product Homematic ccu3 Firmware Last view 2021-07-22
Version Type
Update  
Edition  
Language  
Sofware Edition  
Target Software  
Target Hardware  
Other  

Activity : Overall

COMMON PLATFORM ENUMERATION: Repartition per Version

CPE Name Affected CVE
cpe:2.3:o:eq-3:homematic_ccu3_firmware:3.41.11:*:*:*:*:*:*:* 7
cpe:2.3:o:eq-3:homematic_ccu3_firmware:1.2.0:*:*:*:*:*:*:* 6
cpe:2.3:o:eq-3:homematic_ccu3_firmware:3.43.16:*:*:*:*:*:*:* 6
cpe:2.3:o:eq-3:homematic_ccu3_firmware:3.45.5:*:*:*:*:*:*:* 6
cpe:2.3:o:eq-3:homematic_ccu3_firmware:3.45.7:*:*:*:*:*:*:* 6
cpe:2.3:o:eq-3:homematic_ccu3_firmware:*:*:*:*:*:*:*:* 6
cpe:2.3:o:eq-3:homematic_ccu3_firmware:3.47.10:*:*:*:*:*:*:* 5
cpe:2.3:o:eq-3:homematic_ccu3_firmware:3.47.15:*:*:*:*:*:*:* 5
cpe:2.3:o:eq-3:homematic_ccu3_firmware:3.14.11:*:*:*:*:*:*:* 5
cpe:2.3:o:eq-3:homematic_ccu3_firmware:3.47.18:*:*:*:*:*:*:* 4

Related : CVE

  Date Alert Description
10 2021-07-22 CVE-2021-33032

A Remote Code Execution (RCE) vulnerability in the WebUI component of the eQ-3 HomeMatic CCU2 firmware up to and including version 2.57.5 and CCU3 firmware up to and including version 3.57.5 allows remote unauthenticated attackers to execute system commands as root via a simple HTTP request.

9.8 2019-11-14 CVE-2019-18939

eQ-3 Homematic CCU2 2.47.20 and CCU3 3.47.18 with the HM-Print AddOn through 1.2a installed allow Remote Code Execution by unauthenticated attackers with access to the web interface via the exec.cgi and exec1.cgi scripts, which execute TCL script content from an HTTP POST request.

9.8 2019-11-14 CVE-2019-18938

eQ-3 Homematic CCU2 2.47.20 and CCU3 3.47.18 with the E-Mail AddOn through 1.6.8.c installed allow Remote Code Execution by unauthenticated attackers with access to the web interface via the save.cgi script for payload upload and the testtcl.cgi script for its execution.

9.8 2019-11-14 CVE-2019-18937

eQ-3 Homematic CCU2 2.47.20 and CCU3 3.47.18 with the Script Parser AddOn through 1.8 installed allow Remote Code Execution by unauthenticated attackers with access to the web interface via the exec.cgi script, which executes TCL script content from an HTTP POST request.

8.8 2019-10-17 CVE-2019-15850

eQ-3 HomeMatic CCU3 firmware version 3.41.11 allows Remote Code Execution in the ReGa.runScript method. An authenticated attacker can easily execute code and compromise the system.

7.3 2019-10-17 CVE-2019-15849

eQ-3 HomeMatic CCU3 firmware 3.41.11 allows session fixation. An attacker can create session IDs and send them to the victim. After the victim logs in to the session, the attacker can use that session. The attacker could create SSH logins after a valid session and easily compromise the system.

9.8 2019-09-17 CVE-2019-16199

eQ-3 Homematic CCU2 before 2.47.18 and CCU3 before 3.47.18 allow Remote Code Execution by unauthenticated attackers with access to the web interface via an HTTP POST request to certain URLs related to the ReGa core process.

9.8 2019-08-14 CVE-2019-9585

eQ-3 Homematic CCU2 prior to 2.47.10 and CCU3 prior to 3.47.10 JSON API has Improper Access Control for Interface.***Metadata related operations, resulting in the ability to read, set and deletion of Metadata.

9.8 2019-08-14 CVE-2019-9584

eQ-3 Homematic AddOn 'CloudMatic' on CCU2 and CCU3 allows uncontrolled admin access, resulting in the ability to obtain VPN profile details, shutting down the VPN service and to delete the VPN service configuration. This is related to improper access control for all /addons/mh/ pages.

8.2 2019-08-14 CVE-2019-9583

eQ-3 Homematic CCU2 and CCU3 obtain session IDs without login. This allows a Denial of Service and is a starting point for other attacks. Affected versions for CCU2: 2.35.16, 2.41.5, 2.41.8, 2.41.9, 2.45.6, 2.45.7, 2.47.10, 2.47.12, 2.47.15. Affected versions for CCU3: 3.41.11, 3.43.16, 3.45.5, 3.45.7, 3.47.10, 3.47.15.

8.1 2019-08-13 CVE-2019-14986

eQ-3 Homematic CCU2 and CCU3 with the CUxD AddOn before 2.3.0 installed allow administrative operations by unauthenticated attackers with access to the web interface, because features such as File-Browser and Shell Command (as well as "Set root password") are exposed.

9.8 2019-08-13 CVE-2019-14985

eQ-3 Homematic CCU2 and CCU3 with the CUxD AddOn installed allow Remote Code Execution by unauthenticated attackers with access to the web interface, because this interface can access the CMD_EXEC virtual device type 28.

8.1 2019-08-13 CVE-2019-14984

eQ-3 Homematic CCU2 and CCU3 with the XML-API through 1.2.0 AddOn installed allow Remote Code Execution by unauthenticated attackers with access to the web interface, because the undocumented addons/xmlapi/exec.cgi script uses CMD_EXEC to execute TCL code from a POST request.

CWE : Common Weakness Enumeration

%idName
54% (6) CWE-306 Missing Authentication for Critical Function
9% (1) CWE-425 Direct Request ('Forced Browsing')
9% (1) CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')
9% (1) CWE-384 Session Fixation
9% (1) CWE-287 Improper Authentication
9% (1) CWE-78 Improper Sanitization of Special Elements used in an OS Command ('O...