Aggregates CVE and security vulnerability intelligence across all homeautomation_project-related products, including CVSS, EPSS, publication dates, and vulnerability intelligence data.
Historical issues mainly involve vendor risk csrf, vendor risk cross-site scripting, and vendor risk open redirect and related problems; some flaws may lead to vendor impact session compromise.
| CVE | Summary | Source | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2020-22001 | HomeAutomation 3.3.2 suffers from an authentication bypass vulnerability when spoofing client IP address using the X-Forwarded-For header with the local (loopback) IP address value allowing remote control of the smart home solution. | [email protected] | 9.8 | 1.87% | 2021-04-27 | 2024-11-21 |
| CVE-2020-22000 | HomeAutomation 3.3.2 suffers from an authenticated OS command execution vulnerability using custom command v0.1 plugin. This can be exploited with a CSRF vulnerability to execute arbitrary shell commands as the web user via the 'set_command_on' and 'set_command_off' POST parameters in '/system/systemplugins/customcommand/customcommand.plugin.php' by using an unsanitized PHP exec() function. | [email protected] | 8.0 | 1.17% | 2021-04-27 | 2024-11-21 |
| CVE-2020-21998 | In HomeAutomation 3.3.2 input passed via the 'redirect' GET parameter in 'api.php' script is not properly verified before being used to redirect users. This can be exploited to redirect a user to an arbitrary website e.g. when a user clicks a specially crafted link to the affected script hosted on a trusted domain. | [email protected] | 6.1 | 1.38% | 2021-04-27 | 2024-11-21 |
| CVE-2020-21989 | HomeAutomation 3.3.2 is affected by Cross Site Request Forgery (CSRF). The application interface allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site. | [email protected] | 8.8 | 0.17% | 2021-04-27 | 2024-11-21 |
| CVE-2020-21987 | HomeAutomation 3.3.2 is affected by persistent Cross Site Scripting (XSS). XSS vulnerabilities occur when input passed via several parameters to several scripts is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session. | [email protected] | 6.1 | 0.19% | 2021-04-27 | 2024-11-21 |