CVE-2022-35886

Published: 25 Oct 2022
Source: nvd
CVSS3: 8.2
CVSS3: 8.8
EPSS Low

Description

Four format string injection vulnerabilities exist in the web interface /action/wirelessConnect functionality of Abode Systems, Inc. iota All-In-One Security Kit 6.9Z and 6.9X. A specially-crafted HTTP request can lead to memory corruption, information disclosure and denial of service. An attacker can make an authenticated HTTP request to trigger these vulnerabilities. This vulnerability arises from format string injection via the default_key_id and key HTTP parameters, as used within the /action/wirelessConnect handler.

Vulnerable configurations

Configuration 1

One of

cpe:2.3:o:goabode:iota_all-in-one_security_kit_firmware:6.9x:*:*:*:*:*:*:*
cpe:2.3:o:goabode:iota_all-in-one_security_kit_firmware:6.9z:*:*:*:*:*:*:*

EPSS

Percentile: 42%
0.00194
Low

8.2 High

CVSS3

8.8 High

CVSS3

Weaknesses

CWE-134

Related vulnerabilities

CVSS3: 8.8
github
almost 3 years ago

Four format string injection vulnerabilities exist in the web interface /action/wirelessConnect functionality of Abode Systems, Inc. iota All-In-One Security Kit 6.9Z and 6.9X. A specially-crafted HTTP request can lead to memory corruption, information disclosure and denial of service. An attacker can make an authenticated HTTP request to trigger these vulnerabilities. This vulnerability arises from format string injection via the `default_key_id` and `key` HTTP parameters, as used within the `/action/wirelessConnect` handler.
