eQ-3 Homematic CCU2 and CCU3 with the XML-API up to and including 1.2.0 AddOn installed allow Remote Code Execution by unauthenticated attackers with access to the web interface, because the undocumented addons/xmlapi/exec.cgi script uses CMD_EXEC to execute TCL code from a POST request.
Vulnerable Product | Search on Vulmon | Subscribe to Product |
---|---|---|
eq-3 homematic_ccu2_firmware |
||
eq-3 homematic_ccu3_firmware |