CVE Vulnerabilities

CVE-2019-13030

Direct Request ('Forced Browsing')

Published: Aug 14, 2019 | Modified: Aug 24, 2020
CVSS 3.x
8.2
HIGH
Source:
NVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
CVSS 2.x
6.4 MEDIUM
AV:N/AC:L/Au:N/C:P/I:N/A:P
RedHat/V2
RedHat/V3
Ubuntu

eQ-3 Homematic CCU3 AddOn Mediola NEO Server for Homematic CCU3 prior to 2.4.5 allows uncontrolled admin access to start or stop the Node.js process, resulting in the ability to obtain mediola configuration details. This is related to improper access control for addons configuration pages and a missing check in rc.d/97NeoServer.

Weakness

The web application does not adequately enforce appropriate authorization on all restricted URLs, scripts, or files.

Affected Software

Name Vendor Start Version End Version
Neo_server Mediola * 2.4.5 (excluding)

Potential Mitigations

References