
Test ID: 1.3.6.1.4.1.25623.1.0.805298
Category: Web application abuses
Title: Loxone Smart Home Multiple Vulnerabilities - Mar15
Summary: Loxone Smart Home is prone to multiple vulnerabilities.
Description:
Summary:
Loxone Smart Home is prone to multiple vulnerabilities.

Vulnerability Insight:
Multiple flaws are due to:

- the device transmitting all data in cleartext.

- certain sensitive actions being performed via HTTP requests that do not require
multiple steps, explicit confirmation, or a unique token.

- the '/dev/cfg/version' script not validating input that is appended to the
response header before returning it to the user.

- the '/dev/sps/io/' script not validating input passed via the URL before
returning it to users.

- the '/dev/sps/addcmd/' script not validating input to the description field
of a new task before returning it to users.

- the program storing user credentials in an insecure manner.

- improper restriction of JavaScript on one web page from accessing another
when the pages originate from different domains.

- an unspecified error related to malformed HTTP requests or to use of the
synflood Metasploit module.

Vulnerability Impact:
Successful exploitation will allow remote attackers to:

- conduct a man-in-the-middle attack.

- conduct a cross-site request forgery attack.

- conduct a cross-frame scripting (XFS) attack.

- conduct a denial-of-service (DoS) attack.

- decrypt user credentials.

- insert additional arbitrary HTTP headers.

- execute arbitrary script code in a user's browser session within the trust
relationship between their browser and the server.

Affected Software/OS:
Loxone Smart Home version 5.49 and probably prior.

Solution:
Upgrade to Loxone Smart Home version 6.3 or later.

CVSS Score:
7.5

CVSS Vector:
AV:N/AC:L/Au:N/C:P/I:P/A:P

Copyright: Copyright (C) 2015 Greenbone Networks GmbH

© 1998-2024 E-Soft Inc. All rights reserved.