JSON Injection Risk in Samsung SmartThings Hub Products
CVE-2018-3879

8.8HIGH

Key Information:

Vendor: Samsung
Status: Smartthings Hub Sth-eth-250
Vendor: CVE Published:; 23 August 2018

Summary

A JSON injection vulnerability found in the credentials handler of the video-core HTTP server within Samsung SmartThings Hub devices allows attackers to manipulate user-controlled JSON payloads. This misconfiguration enables the execution of SQL injection attacks targeting the video-core database. By sending specifically crafted HTTP requests, an attacker can exploit this weakness, potentially leading to unauthorized access and data exposure.

Affected Version(s)

SmartThings Hub STH-ETH-250 Firmware version 0.20.17

References

https://www.talosintelligence.com/vulnerability_reports/T...

x_refsource_MISC

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Aug 23, 2018
Vulnerability Reserved
Jan 2, 2018