Search

Find a vulnerability

Search criteria

    2 vulnerabilities found for eWeLink Cloud Service by CoolKit

    CVE-2024-7205 (GCVE-0-2024-7205)

    Vulnerability from nvd – Published: 2024-07-31 05:51 – Updated: 2024-07-31 14:56 Exclusively Hosted Service
    VLAI
    Title
    sharing unnecessary device-sensitive information allows Secondary user able to take over devices as primary user
    Summary
    When the device is shared, the homepage module are before 2.19.0  in eWeLink Cloud Service allows Secondary user to take over devices as primary user via sharing unnecessary device-sensitive information.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-201 - Insertion of Sensitive Information Into Sent Data
    Assigner
    References
    Impacted products
    Vendor Product Version
    CoolKit eWeLink Cloud Service Affected: 2.0.0 , < 2.19.0 (custom)
    Create a notification for this product.
    coolkit ewelink Affected: 0 , < 2.19.0 (custom)
        cpe:2.3:a:coolkit:ewelink:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Date Public
    2024-07-30 11:20
    Credits
    Aarav Sinha, Senior Security Researcher, FEV India Pvt Ltd. Jerin Sunny, Security Researcher, FEV India Pvt Ltd. Shakir Zari,Security Researcher,FEV India Pvt Ltd.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:coolkit:ewelink:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "ewelink",
                "vendor": "coolkit",
                "versions": [
                  {
                    "lessThan": "2.19.0",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-7205",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-07-31T14:43:03.470070Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-07-31T14:56:35.429Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "modules": [
                "homepage"
              ],
              "platforms": [
                "Linux"
              ],
              "product": "eWeLink Cloud Service",
              "vendor": "CoolKit",
              "versions": [
                {
                  "lessThan": "2.19.0",
                  "status": "affected",
                  "version": "2.0.0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Aarav Sinha, Senior Security Researcher, FEV India Pvt Ltd."
            },
            {
              "lang": "en",
              "type": "reporter",
              "value": "Jerin Sunny, Security Researcher, FEV India Pvt Ltd."
            },
            {
              "lang": "en",
              "type": "reporter",
              "value": "Shakir Zari,Security Researcher,FEV India Pvt Ltd."
            }
          ],
          "datePublic": "2024-07-30T11:20:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u0026nbsp;When the device is shared,\u0026nbsp;the homepage module are before 2.19.0 \u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003ein eWeLink Cloud Service\u0026nbsp;\u003c/span\u003eallows Secondary user to take over devices as primary user via sharing unnecessary device-sensitive information."
                }
              ],
              "value": "When the device is shared,\u00a0the homepage module are before 2.19.0 \u00a0in eWeLink Cloud Service\u00a0allows Secondary user to take over devices as primary user via sharing unnecessary device-sensitive information."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-383",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-383 Harvesting Information via API Event Monitoring"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NO",
                "Recovery": "USER",
                "Safety": "PRESENT",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 9.4,
                "baseSeverity": "CRITICAL",
                "privilegesRequired": "NONE",
                "providerUrgency": "GREEN",
                "subAvailabilityImpact": "HIGH",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "PASSIVE",
                "valueDensity": "DIFFUSE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/S:P/AU:N/R:U/V:D/RE:L/U:Green",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "LOW"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-201",
                  "description": "CWE-201 Insertion of Sensitive Information Into Sent Data",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-07-31T05:51:03.427Z",
            "orgId": "68870bb1-d075-4169-957d-e580b18692b9",
            "shortName": "CoolKit"
          },
          "references": [
            {
              "url": "https://ewelink.cc/security-advisory-240730/"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "The cloud has fixed the issue in the new version, and users do not need to do anything.\u003cbr\u003e"
                }
              ],
              "value": "The cloud has fixed the issue in the new version, and users do not need to do anything."
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "tags": [
            "exclusively-hosted-service"
          ],
          "title": "sharing unnecessary device-sensitive information allows Secondary user able to take over devices as primary user",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "68870bb1-d075-4169-957d-e580b18692b9",
        "assignerShortName": "CoolKit",
        "cveId": "CVE-2024-7205",
        "datePublished": "2024-07-31T05:51:03.427Z",
        "dateReserved": "2024-07-29T11:11:17.421Z",
        "dateUpdated": "2024-07-31T14:56:35.429Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-7205 (GCVE-0-2024-7205)

    Vulnerability from cvelistv5 – Published: 2024-07-31 05:51 – Updated: 2024-07-31 14:56 Exclusively Hosted Service
    VLAI
    Title
    sharing unnecessary device-sensitive information allows Secondary user able to take over devices as primary user
    Summary
    When the device is shared, the homepage module are before 2.19.0  in eWeLink Cloud Service allows Secondary user to take over devices as primary user via sharing unnecessary device-sensitive information.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-201 - Insertion of Sensitive Information Into Sent Data
    Assigner
    References
    Impacted products
    Vendor Product Version
    CoolKit eWeLink Cloud Service Affected: 2.0.0 , < 2.19.0 (custom)
    Create a notification for this product.
    coolkit ewelink Affected: 0 , < 2.19.0 (custom)
        cpe:2.3:a:coolkit:ewelink:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Date Public
    2024-07-30 11:20
    Credits
    Aarav Sinha, Senior Security Researcher, FEV India Pvt Ltd. Jerin Sunny, Security Researcher, FEV India Pvt Ltd. Shakir Zari,Security Researcher,FEV India Pvt Ltd.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:coolkit:ewelink:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "ewelink",
                "vendor": "coolkit",
                "versions": [
                  {
                    "lessThan": "2.19.0",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-7205",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-07-31T14:43:03.470070Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-07-31T14:56:35.429Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "modules": [
                "homepage"
              ],
              "platforms": [
                "Linux"
              ],
              "product": "eWeLink Cloud Service",
              "vendor": "CoolKit",
              "versions": [
                {
                  "lessThan": "2.19.0",
                  "status": "affected",
                  "version": "2.0.0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Aarav Sinha, Senior Security Researcher, FEV India Pvt Ltd."
            },
            {
              "lang": "en",
              "type": "reporter",
              "value": "Jerin Sunny, Security Researcher, FEV India Pvt Ltd."
            },
            {
              "lang": "en",
              "type": "reporter",
              "value": "Shakir Zari,Security Researcher,FEV India Pvt Ltd."
            }
          ],
          "datePublic": "2024-07-30T11:20:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u0026nbsp;When the device is shared,\u0026nbsp;the homepage module are before 2.19.0 \u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003ein eWeLink Cloud Service\u0026nbsp;\u003c/span\u003eallows Secondary user to take over devices as primary user via sharing unnecessary device-sensitive information."
                }
              ],
              "value": "When the device is shared,\u00a0the homepage module are before 2.19.0 \u00a0in eWeLink Cloud Service\u00a0allows Secondary user to take over devices as primary user via sharing unnecessary device-sensitive information."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-383",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-383 Harvesting Information via API Event Monitoring"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NO",
                "Recovery": "USER",
                "Safety": "PRESENT",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 9.4,
                "baseSeverity": "CRITICAL",
                "privilegesRequired": "NONE",
                "providerUrgency": "GREEN",
                "subAvailabilityImpact": "HIGH",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "PASSIVE",
                "valueDensity": "DIFFUSE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/S:P/AU:N/R:U/V:D/RE:L/U:Green",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "LOW"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-201",
                  "description": "CWE-201 Insertion of Sensitive Information Into Sent Data",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-07-31T05:51:03.427Z",
            "orgId": "68870bb1-d075-4169-957d-e580b18692b9",
            "shortName": "CoolKit"
          },
          "references": [
            {
              "url": "https://ewelink.cc/security-advisory-240730/"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "The cloud has fixed the issue in the new version, and users do not need to do anything.\u003cbr\u003e"
                }
              ],
              "value": "The cloud has fixed the issue in the new version, and users do not need to do anything."
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "tags": [
            "exclusively-hosted-service"
          ],
          "title": "sharing unnecessary device-sensitive information allows Secondary user able to take over devices as primary user",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "68870bb1-d075-4169-957d-e580b18692b9",
        "assignerShortName": "CoolKit",
        "cveId": "CVE-2024-7205",
        "datePublished": "2024-07-31T05:51:03.427Z",
        "dateReserved": "2024-07-29T11:11:17.421Z",
        "dateUpdated": "2024-07-31T14:56:35.429Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }