vendor: Home Automation Software
by: Silent_Dream
CVSS: 7.5 (HIGH)
Directory Traversal & Cross-Site Request Forgery
CWE: 22, 352
Product Name: Home Automation Software
Affected Version From: 2.5.0.49
Affected Version To: 2.5.0.49
Patch Exists: YES
Related CWE: CERT VU#796883
CPE: a:homeseer:homeseer_home_automation_software
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Win XP
2012

HomeSeer Home Automation Software Multiple Web Vulnerabilities (0day)

A directory traversal attack can be used to retrieve the users.cfg file, which contains HomeSeer usernames, access levels, and encrypted passwords. It is also possible to add a new admin user by tricking a logged-in admin into visiting a malicious URL.

Mitigation:

Update to the latest version of HomeSeer Home Automation Software
Source

Exploit-DB raw data: