Test ID: | 1.3.6.1.4.1.25623.1.0.805298 |
Category: | Web application abuses |
Title: | Loxone Smart Home Multiple Vulnerabilities (Mar 2015) |
Summary: | Loxone Smart Home is prone to multiple vulnerabilities. |
Description: |
Summary: Loxone Smart Home is prone to multiple vulnerabilities.

Vulnerability Insight: Multiple flaws are due to:
- the device transmitting all data in cleartext.
- HTTP requests not requiring multiple steps, explicit confirmation, or a unique token when performing certain sensitive actions.
- the '/dev/cfg/version' script not validating input appended to the response header before returning it to the user.
- the '/dev/sps/io/' script not validating input passed via the URL before returning it to users.
- the '/dev/sps/addcmd/' script not validating input to the description field in a new task before returning it to users.
- the program storing user credentials in an insecure manner.
- improper restriction of JavaScript from one web page from accessing another when the pages originate from different domains.
- an unspecified error related to malformed HTTP requests or using the synflood metasploit module.

Vulnerability Impact: Successful exploitation will allow remote attackers to:
- conduct a man-in-the-middle attack.
- conduct a cross-site request forgery attack.
- conduct a cross-frame scripting (XFS) attack.
- conduct a denial-of-service (DoS) attack.
- decrypt user credentials.
- insert additional arbitrary HTTP headers.
- execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server.

Affected Software/OS: Loxone Smart Home version 5.49 and probably prior.

Solution: Upgrade to Loxone Smart Home version 6.3 or later.

CVSS Score: 7.5
CVSS Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P |
Copyright | Copyright (C) 2015 Greenbone AG |