Unauthenticated Data Modification or Theft in CometVisu Add-on for openHAB Prior to v4.2.1

CVE-2024-42470
9.1 CRITICAL

Key Information

Vendor: Openhab
Product: Openhab-webui
CVE Published: 12 August 2024

Summary

openHAB, a provider of open-source home automation software, has add-ons including the visualization add-on CometVisu. Several endpoints in versions prior to 4.2.1 of the CometVisu add-on of openHAB don't require authentication. This makes it possible for unauthenticated attackers to modify or to steal sensitive data. This issue may lead to sensitive information disclosure. Users should upgrade to version 4.2.1 of the CometVisu add-on of openHAB to receive a patch.

Affected Version(s)

openhab-webui < 4.2.1

CVSS V3.1

Score: 9.1
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published.

  • Vulnerability reserved.

Collectors

NVD Database, Mitre Database