Vendor: HomeSeer HS2
By: Unknown
CVSS: 7.5 (HIGH)
Vulnerability types: HTML injection, cross-site request forgery, directory traversal
CWE: 79, 352, 22
Product Name: HomeSeer HS2
Affected Version From: Unknown
Affected Version To: 2.5.0.20
Patch Exists: YES
Related CWE:
CPE: a:homeseer:homeseer_hs2:2.5.0.20
Metasploit:
Other Scripts:
Platforms Tested: Unknown

Multiple vulnerabilities in HS2 web interface

Attackers can exploit these vulnerabilities to perform actions as an authorized user, run arbitrary HTML and script code, and transfer files outside of the web directory.

Mitigation:

Update to HomeSeer HS2 version 2.5.0.20 or later

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/50978/info

HS2 web interface is prone to multiple security vulnerabilities:

1. An HTML-injection vulnerability.
2. A cross-site request-forgery vulnerability.
3. A directory-traversal vulnerability.

Attackers can exploit these issues to perform certain actions in the context of an authorized user's session, run arbitrary HTML and script code, and transfer files outside of the web directory. Other attacks may also be possible.

HomeSeer HS2 2.5.0.20 is vulnerable; prior versions may also be affected. 

http://www.example.com/example<script>alert(document.cookie)</script>