HomeSeer HS2 Web Interface Multiple Security Vulnerabilities
BID:50978
Info
| Field | Value |
| --- | --- |
| Bugtraq ID: | 50978 |
| Class: | Input Validation Error |
| CVE: | CVE-2011-4835 CVE-2011-4836 CVE-2011-4837 |
| Remote: | Yes |
| Local: | No |
| Published: | Dec 08 2011 12:00AM |
| Updated: | Dec 16 2011 06:08PM |
| Credit: | Silent Dream |
| Vulnerable: | HomeSeer HS2 2.5.0.20 |
| Not Vulnerable: | |
Discussion
The HS2 web interface is prone to multiple security vulnerabilities:
1. An HTML-injection vulnerability.
2. A cross-site request-forgery vulnerability.
3. A directory-traversal vulnerability.
Attackers can exploit these issues to perform certain actions in the context of an authorized user's session, run arbitrary HTML and script code, and transfer files outside of the web directory. Other attacks may also be possible.
HomeSeer HS2 2.5.0.20 is vulnerable; prior versions may also be affected.
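As an added illustration (not code from the advisory, from HomeSeer, or from the HS2 product), the server-side checks that close off each of the three classes listed above: a path resolver that refuses file names escaping the web directory, HTML escaping for values rendered back into a page, and a per-session token check on state-changing requests. The web root, the `file` and `csrf` parameter names, the function names and the sample requests are all constructed for this example.

```python
"""Defensive checks for directory traversal, HTML injection and CSRF.

Added illustration only; not HomeSeer code.  WEB_ROOT, the parameter
names and the requests below are constructed for the example.
"""
import hmac
import html
import secrets
from pathlib import Path
from typing import Dict, Optional, Tuple

# Constructed web root; the directory need not exist, only the path
# arithmetic matters for the checks below.
WEB_ROOT = Path("/srv/hs2/html").resolve()


def resolve_under_root(requested: str, root: Path = WEB_ROOT) -> Optional[Path]:
    """Map a client-supplied file name onto the web root.

    Returns the absolute path when it stays inside ``root`` and None when
    it would escape (``..`` segments, backslash separators as used on
    Windows hosts, embedded NUL bytes).  A leading slash is stripped rather
    than honoured, so "/etc/passwd" means "<root>/etc/passwd".
    """
    if "\x00" in requested:
        return None
    relative = requested.replace("\\", "/").lstrip("/")
    candidate = (root / relative).resolve()
    try:
        candidate.relative_to(root)  # raises ValueError if outside root
    except ValueError:
        return None
    return candidate


def render_device_name(name: str) -> str:
    """Embed an untrusted device name in a table cell with HTML escaping.

    Without html.escape, a name such as "<script>..." is emitted as markup
    and runs in every viewer's browser (the HTML-injection class).
    """
    return "<td>{}</td>".format(html.escape(name, quote=True))


def issue_csrf_token() -> str:
    """Per-session secret the server stores and embeds in its own forms."""
    return secrets.token_urlsafe(32)


def csrf_check(session_token: str, submitted: Optional[str]) -> bool:
    """Accept a state-changing request only if it carries the session token.

    A request forged from another site cannot read the token and so fails
    here.  compare_digest keeps the comparison constant-time.
    """
    if not session_token or not submitted:
        return False
    return hmac.compare_digest(session_token.encode(), submitted.encode())


def handle_file_request(params: Dict[str, str],
                        session: Dict[str, str]) -> Tuple[int, str]:
    """Constructed handler for a file-transfer request: CSRF first, then path."""
    if not csrf_check(session.get("csrf", ""), params.get("csrf")):
        return 403, "missing or invalid CSRF token"
    target = resolve_under_root(params.get("file", ""))
    if target is None:
        return 400, "requested path escapes the web root"
    return 200, str(target)


if __name__ == "__main__":
    token = issue_csrf_token()
    session = {"csrf": token}
    # Constructed requests: legitimate, traversal attempt, forged (no token).
    print(handle_file_request({"file": "images/logo.png", "csrf": token}, session))
    print(handle_file_request({"file": "..\\..\\boot.ini", "csrf": token}, session))
    print(handle_file_request({"file": "images/logo.png"}, session))
    print(render_device_name("<script>alert(1)</script>"))
```

The order in `handle_file_request` matters: the token is verified before any parameter is interpreted, so a forged request is rejected before the path check runs, and a traversal attempt that does carry a valid token is still refused by `resolve_under_root`.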
Exploit / POC
An attacker can exploit these issues by enticing an unsuspecting user to follow a malicious URI. The attacker can exploit the HTML-injection issue with a browser.
The following URL is available:
Solution / Fix
Solution:
Currently, we are not aware of any vendor-supplied patches. If you feel we are in error or if you are aware of more recent information, please mail us at: [email protected].
References
References:
- HomeSeer Download Page (HomeSeer)
- VU#796883: HomeSeer HS2 web interface multiple vulnerabilities (US-CERT)