XML External Entity Vulnerability in Belkin WeMo Home Automation Firmware
CVE-2013-6948

Currently unrated

Key Information:

Vendor: Belkin
Status: Wemo Home Automation Firmware
Vendor: CVE Published:; 22 February 2014

What is CVE-2013-6948?

The peerAddresses API in the Belkin WeMo Home Automation firmware versions prior to 3949 is vulnerable to an XML External Entity (XXE) attack. This vulnerability enables remote attackers to exploit the API and gain unauthorized access to read sensitive files by crafting an XML document that includes an external entity declaration. The issue arises from improper validation of user-supplied input, exposing the system to potential data leakage and security risks.

References

http://www.ioactive.com/pdfs/IOActive_Belkin-advisory-lit...

x_refsource_MISC

http://www.kb.cert.org/vuls/id/656302

third-party-advisoryx_refsource_CERT-VN

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 22, 2014
Vulnerability Reserved
Dec 4, 2013