CVE-2020-21990

Emmanuel MyDomoAtHome (MDAH) REST API REST API Domoticz ISS Gateway 0.2.40 is affected by an information disclosure vulnerability due to improper access control enforcement. An unauthenticated remote attacker can exploit this, via a specially crafted request to gain access to sensitive information.

CVSS v3 7.5 HIGH
CVSS v2.0 5.0 MEDIUM

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

5.0^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:N/C:P/I:N/A:N

Exploitability : 10.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
https://www.exploit-db.com/exploits/47824	Exploit Third Party Advisory VDB Entry
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5555.php	Exploit Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:domoticz:mydomoathome:0.240:*:*:*:*:node.js:*:*

History

No history.

Information

Published : 2021-04-29 14:15

Updated : 2024-02-28 18:28

NVD link : CVE-2020-21990

Mitre link : CVE-2020-21990

CVE.ORG link : CVE-2020-21990

JSON object : View

Products Affected

domoticz

mydomoathome

CWE

CWE-863

Incorrect Authorization

{"id": "CVE-2020-21990", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 5.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2021-04-29T14:15:09.390", "references": [{"url": "https://www.exploit-db.com/exploits/47824", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"], "source": "cve@mitre.org"}, {"url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5555.php", "tags": ["Exploit", "Third Party Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-863"}]}], "descriptions": [{"lang": "en", "value": "Emmanuel MyDomoAtHome (MDAH) REST API REST API Domoticz ISS Gateway 0.2.40 is affected by an information disclosure vulnerability due to improper access control enforcement. An unauthenticated remote attacker can exploit this, via a specially crafted request to gain access to sensitive information."}, {"lang": "es", "value": "Emmanuel MyDomoAtHome (MDAH) REST API REST API Domoticz ISS Gateway versi\u00f3n 0.2.40 est\u00e1 afectado por una vulnerabilidad de divulgaci\u00f3n de informaci\u00f3n debido a la aplicaci\u00f3n inapropiada del control de acceso. Un atacante remoto no autenticado puede explotar esto por medio de una petici\u00f3n especialmente dise\u00f1ada para conseguir acceso a informaci\u00f3n confidencial"}], "lastModified": "2021-05-08T04:57:55.657", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:domoticz:mydomoathome:0.240:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "7A1B61A5-6347-4B3D-B6B3-53410C193AC5"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}