Find a vulnerability
Search criteria
13 vulnerabilities by coolkit
VAR-202105-0825
Vulnerability from variot - Updated: 2025-01-30 22:31Unconstrained Web access to the device's private encryption key in the QR code pairing mode in the eWeLink mobile application (through 4.9.2 on Android and through 4.9.1 on iOS) allows a physically proximate attacker to eavesdrop on Wi-Fi credentials and other sensitive information by monitoring the Wi-Fi spectrum during a device pairing process. eWeLink Mobile application Contains an improper authentication vulnerability.Information may be obtained
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-202105-0825",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "ewelink",
"scope": "lte",
"trust": 1.0,
"vendor": "coolkit",
"version": "4.9.1"
},
{
"model": "ewelink",
"scope": "lte",
"trust": 1.0,
"vendor": "coolkit",
"version": "4.9.2"
},
{
"model": "ewelink",
"scope": "lte",
"trust": 0.8,
"vendor": "coolkit",
"version": "4.9.2 until (android)"
},
{
"model": "ewelink",
"scope": "lte",
"trust": 0.8,
"vendor": "coolkit",
"version": "4.9.1 until (ios)"
},
{
"model": "ewelink",
"scope": "eq",
"trust": 0.8,
"vendor": "coolkit",
"version": null
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2021-006558"
},
{
"db": "NVD",
"id": "CVE-2021-27941"
}
]
},
"cve": "CVE-2021-27941",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"accessComplexity": "LOW",
"accessVector": "LOCAL",
"authentication": "NONE",
"author": "nvd@nist.gov",
"availabilityImpact": "NONE",
"baseScore": 2.1,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 3.9,
"id": "CVE-2021-27941",
"impactScore": 2.9,
"integrityImpact": "NONE",
"severity": "LOW",
"trust": 1.9,
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "PHYSICAL",
"author": "nvd@nist.gov",
"availabilityImpact": "NONE",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 0.9,
"id": "CVE-2021-27941",
"impactScore": 3.6,
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
{
"attackComplexity": "Low",
"attackVector": "Physical",
"author": "NVD",
"availabilityImpact": "None",
"baseScore": 4.6,
"baseSeverity": "Medium",
"confidentialityImpact": "High",
"exploitabilityScore": null,
"id": "CVE-2021-27941",
"impactScore": null,
"integrityImpact": "None",
"privilegesRequired": "None",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "None",
"vectorString": "CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
}
],
"severity": [
{
"author": "nvd@nist.gov",
"id": "CVE-2021-27941",
"trust": 1.0,
"value": "MEDIUM"
},
{
"author": "NVD",
"id": "CVE-2021-27941",
"trust": 0.8,
"value": "Medium"
},
{
"author": "CNNVD",
"id": "CNNVD-202105-291",
"trust": 0.6,
"value": "MEDIUM"
},
{
"author": "VULMON",
"id": "CVE-2021-27941",
"trust": 0.1,
"value": "LOW"
}
]
}
],
"sources": [
{
"db": "VULMON",
"id": "CVE-2021-27941"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-006558"
},
{
"db": "CNNVD",
"id": "CNNVD-202105-291"
},
{
"db": "NVD",
"id": "CVE-2021-27941"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Unconstrained Web access to the device\u0027s private encryption key in the QR code pairing mode in the eWeLink mobile application (through 4.9.2 on Android and through 4.9.1 on iOS) allows a physically proximate attacker to eavesdrop on Wi-Fi credentials and other sensitive information by monitoring the Wi-Fi spectrum during a device pairing process. eWeLink Mobile application Contains an improper authentication vulnerability.Information may be obtained",
"sources": [
{
"db": "NVD",
"id": "CVE-2021-27941"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-006558"
},
{
"db": "VULMON",
"id": "CVE-2021-27941"
}
],
"trust": 1.71
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2021-27941",
"trust": 3.4
},
{
"db": "JVNDB",
"id": "JVNDB-2021-006558",
"trust": 0.8
},
{
"db": "CNNVD",
"id": "CNNVD-202105-291",
"trust": 0.6
},
{
"db": "OTHER",
"id": "NONE",
"trust": 0.1
},
{
"db": "VULMON",
"id": "CVE-2021-27941",
"trust": 0.1
}
],
"sources": [
{
"db": "OTHER",
"id": null
},
{
"db": "VULMON",
"id": "CVE-2021-27941"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-006558"
},
{
"db": "CNNVD",
"id": "CNNVD-202105-291"
},
{
"db": "NVD",
"id": "CVE-2021-27941"
}
]
},
"id": "VAR-202105-0825",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "OTHER",
"id": null
}
],
"trust": 0.35
},
"iot_taxonomy": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"category": [
"vehicle device"
],
"sub_category": "mobile device",
"trust": 0.1
}
],
"sources": [
{
"db": "OTHER",
"id": null
}
]
},
"last_update_date": "2025-01-30T22:31:50.164000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "eWeLink-Smart\u00a0Home Google\u00a0Play",
"trust": 0.8,
"url": "https://apps.apple.com/us/app/ewelink-smart-home/id1035163158"
},
{
"title": "eWeLink-QR-Code",
"trust": 0.1,
"url": "https://github.com/salgio/eWeLink-QR-Code "
}
],
"sources": [
{
"db": "VULMON",
"id": "CVE-2021-27941"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-006558"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-522",
"trust": 1.0
},
{
"problemtype": "Bad authentication (CWE-863) [NVD Evaluation ]",
"trust": 0.8
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2021-006558"
},
{
"db": "NVD",
"id": "CVE-2021-27941"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 2.6,
"url": "https://github.com/salgio/ewelink-qr-code"
},
{
"trust": 1.7,
"url": "https://apps.apple.com/us/app/ewelink-smart-home/id1035163158"
},
{
"trust": 1.7,
"url": "https://play.google.com/store/apps/details?id=com.coolkit\u0026hl=en_us"
},
{
"trust": 0.8,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-27941"
},
{
"trust": 0.1,
"url": "https://ieeexplore.ieee.org/abstract/document/10769424"
},
{
"trust": 0.1,
"url": "https://cwe.mitre.org/data/definitions/863.html"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov"
}
],
"sources": [
{
"db": "OTHER",
"id": null
},
{
"db": "VULMON",
"id": "CVE-2021-27941"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-006558"
},
{
"db": "CNNVD",
"id": "CNNVD-202105-291"
},
{
"db": "NVD",
"id": "CVE-2021-27941"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "OTHER",
"id": null
},
{
"db": "VULMON",
"id": "CVE-2021-27941"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-006558"
},
{
"db": "CNNVD",
"id": "CNNVD-202105-291"
},
{
"db": "NVD",
"id": "CVE-2021-27941"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2021-05-06T00:00:00",
"db": "VULMON",
"id": "CVE-2021-27941"
},
{
"date": "2022-01-13T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2021-006558"
},
{
"date": "2021-05-06T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202105-291"
},
{
"date": "2021-05-06T21:15:07.597000",
"db": "NVD",
"id": "CVE-2021-27941"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2021-05-14T00:00:00",
"db": "VULMON",
"id": "CVE-2021-27941"
},
{
"date": "2022-01-13T03:29:00",
"db": "JVNDB",
"id": "JVNDB-2021-006558"
},
{
"date": "2022-07-14T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202105-291"
},
{
"date": "2022-07-12T17:42:04.277000",
"db": "NVD",
"id": "CVE-2021-27941"
}
]
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "eWeLink\u00a0 Mobile application \u00a0 Authentication Vulnerability in Microsoft",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2021-006558"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "other",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202105-291"
}
],
"trust": 0.6
}
}
VAR-202102-0089
Vulnerability from variot - Updated: 2024-11-23 22:37Weak encryption in the Quick Pairing mode in the eWeLink mobile application (Android application V4.9.2 and earlier, iOS application V4.9.1 and earlier) allows physically proximate attackers to eavesdrop on Wi-Fi credentials and other sensitive information by monitoring the Wi-Fi spectrum during the pairing process. eWeLink Mobile applications contain vulnerabilities in the use of cryptographic algorithms.Information may be obtained
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-202102-0089",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "ewelink",
"scope": "lte",
"trust": 1.0,
"vendor": "coolkit",
"version": "4.9.2"
},
{
"model": "ewelink",
"scope": "lte",
"trust": 1.0,
"vendor": "coolkit",
"version": "4.9.1"
},
{
"model": "ewelink",
"scope": "lte",
"trust": 0.8,
"vendor": "coolkit",
"version": "4.9.1 and earlier (ios)"
},
{
"model": "ewelink",
"scope": "eq",
"trust": 0.8,
"vendor": "coolkit",
"version": null
},
{
"model": "ewelink",
"scope": "lte",
"trust": 0.8,
"vendor": "coolkit",
"version": "4.9.2 and earlier (android)"
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2020-016233"
},
{
"db": "NVD",
"id": "CVE-2020-12702"
}
]
},
"cve": "CVE-2020-12702",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"accessComplexity": "LOW",
"accessVector": "LOCAL",
"authentication": "NONE",
"author": "nvd@nist.gov",
"availabilityImpact": "NONE",
"baseScore": 2.1,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 3.9,
"id": "CVE-2020-12702",
"impactScore": 2.9,
"integrityImpact": "NONE",
"severity": "LOW",
"trust": 1.9,
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "PHYSICAL",
"author": "nvd@nist.gov",
"availabilityImpact": "NONE",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 0.9,
"id": "CVE-2020-12702",
"impactScore": 3.6,
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
{
"attackComplexity": "Low",
"attackVector": "Physical",
"author": "NVD",
"availabilityImpact": "None",
"baseScore": 4.6,
"baseSeverity": "Medium",
"confidentialityImpact": "High",
"exploitabilityScore": null,
"id": "CVE-2020-12702",
"impactScore": null,
"integrityImpact": "None",
"privilegesRequired": "None",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "None",
"vectorString": "CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
}
],
"severity": [
{
"author": "nvd@nist.gov",
"id": "CVE-2020-12702",
"trust": 1.0,
"value": "MEDIUM"
},
{
"author": "NVD",
"id": "CVE-2020-12702",
"trust": 0.8,
"value": "Medium"
},
{
"author": "CNNVD",
"id": "CNNVD-202102-1578",
"trust": 0.6,
"value": "MEDIUM"
},
{
"author": "VULMON",
"id": "CVE-2020-12702",
"trust": 0.1,
"value": "LOW"
}
]
}
],
"sources": [
{
"db": "VULMON",
"id": "CVE-2020-12702"
},
{
"db": "JVNDB",
"id": "JVNDB-2020-016233"
},
{
"db": "CNNVD",
"id": "CNNVD-202102-1578"
},
{
"db": "NVD",
"id": "CVE-2020-12702"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Weak encryption in the Quick Pairing mode in the eWeLink mobile application (Android application V4.9.2 and earlier, iOS application V4.9.1 and earlier) allows physically proximate attackers to eavesdrop on Wi-Fi credentials and other sensitive information by monitoring the Wi-Fi spectrum during the pairing process. eWeLink Mobile applications contain vulnerabilities in the use of cryptographic algorithms.Information may be obtained",
"sources": [
{
"db": "NVD",
"id": "CVE-2020-12702"
},
{
"db": "JVNDB",
"id": "JVNDB-2020-016233"
},
{
"db": "VULMON",
"id": "CVE-2020-12702"
}
],
"trust": 1.71
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2020-12702",
"trust": 2.5
},
{
"db": "JVNDB",
"id": "JVNDB-2020-016233",
"trust": 0.8
},
{
"db": "CNNVD",
"id": "CNNVD-202102-1578",
"trust": 0.6
},
{
"db": "VULMON",
"id": "CVE-2020-12702",
"trust": 0.1
}
],
"sources": [
{
"db": "VULMON",
"id": "CVE-2020-12702"
},
{
"db": "JVNDB",
"id": "JVNDB-2020-016233"
},
{
"db": "CNNVD",
"id": "CNNVD-202102-1578"
},
{
"db": "NVD",
"id": "CVE-2020-12702"
}
]
},
"id": "VAR-202102-0089",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "VARIoT devices database",
"id": null
}
],
"trust": 0.25
},
"last_update_date": "2024-11-23T22:37:05.531000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "eWeLink\u00a0-\u00a0Smart\u00a0Home",
"trust": 0.8,
"url": "https://play.google.com/store/apps/details?id=com.coolkit\u0026hl=en_US"
},
{
"title": "eWeLink mobile application Fixes for encryption problem vulnerabilities",
"trust": 0.6,
"url": "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=143434"
},
{
"title": "ESPTouchCatcher",
"trust": 0.1,
"url": "https://github.com/salgio/ESPTouchCatcher "
},
{
"title": "PoC",
"trust": 0.1,
"url": "https://github.com/Jonathan-Elias/PoC "
},
{
"title": "PoC-in-GitHub",
"trust": 0.1,
"url": "https://github.com/developer3000S/PoC-in-GitHub "
}
],
"sources": [
{
"db": "VULMON",
"id": "CVE-2020-12702"
},
{
"db": "JVNDB",
"id": "JVNDB-2020-016233"
},
{
"db": "CNNVD",
"id": "CNNVD-202102-1578"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-327",
"trust": 1.0
},
{
"problemtype": "Use of incomplete or dangerous cryptographic algorithms (CWE-327) [NVD Evaluation ]",
"trust": 0.8
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2020-016233"
},
{
"db": "NVD",
"id": "CVE-2020-12702"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 2.6,
"url": "https://github.com/salgio/esptouchcatcher"
},
{
"trust": 1.7,
"url": "https://dl.acm.org/doi/abs/10.1145/3411498.3419965"
},
{
"trust": 1.7,
"url": "https://www.youtube.com/watch?v=dghyh7wy6ie\u0026feature=youtu.be"
},
{
"trust": 1.7,
"url": "https://play.google.com/store/apps/details?id=com.coolkit\u0026hl=en_us"
},
{
"trust": 1.4,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-12702"
},
{
"trust": 0.1,
"url": "https://cwe.mitre.org/data/definitions/327.html"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov"
}
],
"sources": [
{
"db": "VULMON",
"id": "CVE-2020-12702"
},
{
"db": "JVNDB",
"id": "JVNDB-2020-016233"
},
{
"db": "CNNVD",
"id": "CNNVD-202102-1578"
},
{
"db": "NVD",
"id": "CVE-2020-12702"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "VULMON",
"id": "CVE-2020-12702"
},
{
"db": "JVNDB",
"id": "JVNDB-2020-016233"
},
{
"db": "CNNVD",
"id": "CNNVD-202102-1578"
},
{
"db": "NVD",
"id": "CVE-2020-12702"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2021-02-24T00:00:00",
"db": "VULMON",
"id": "CVE-2020-12702"
},
{
"date": "2021-11-16T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2020-016233"
},
{
"date": "2021-02-24T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202102-1578"
},
{
"date": "2021-02-24T14:15:13.150000",
"db": "NVD",
"id": "CVE-2020-12702"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2021-07-21T00:00:00",
"db": "VULMON",
"id": "CVE-2020-12702"
},
{
"date": "2021-11-16T07:10:00",
"db": "JVNDB",
"id": "JVNDB-2020-016233"
},
{
"date": "2021-03-04T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202102-1578"
},
{
"date": "2024-11-21T05:00:06.477000",
"db": "NVD",
"id": "CVE-2020-12702"
}
]
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "eWeLink\u00a0 Vulnerability in using cryptographic algorithms in mobile applications",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2020-016233"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "encryption problem",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202102-1578"
}
],
"trust": 0.6
}
}
VAR-202312-2498
Vulnerability from variot - Updated: 2024-10-10 23:21Improper privilege management vulnerability in CoolKit Technology eWeLink on Android and iOS allows application lockscreen bypass.This issue affects eWeLink before 5.2.0. CoolKit Technology multiple of OS for eWeLink Exists in unspecified vulnerabilities.Information may be obtained and information may be tampered with
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-202312-2498",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "ewelink",
"scope": "lt",
"trust": 1.1,
"vendor": "coolkit",
"version": "5.2.0"
},
{
"model": "ewelink",
"scope": "eq",
"trust": 0.8,
"vendor": "coolkit",
"version": null
},
{
"model": "ewelink",
"scope": null,
"trust": 0.8,
"vendor": "coolkit",
"version": null
},
{
"model": "ewelink",
"scope": "eq",
"trust": 0.8,
"vendor": "coolkit",
"version": "5.2.0"
}
],
"sources": [
{
"db": "OTHER",
"id": "CVE-2023-6998"
},
{
"db": "JVNDB",
"id": "JVNDB-2023-024821"
},
{
"db": "NVD",
"id": "CVE-2023-6998"
}
]
},
"cve": "CVE-2023-6998",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"author": "nvd@nist.gov",
"availabilityImpact": "NONE",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 2.5,
"id": "CVE-2023-6998",
"impactScore": 5.2,
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 2.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
{
"attackComplexity": "Low",
"attackVector": "Local",
"author": "NVD",
"availabilityImpact": "None",
"baseScore": 7.7,
"baseSeverity": "High",
"confidentialityImpact": "High",
"exploitabilityScore": null,
"id": "CVE-2023-6998",
"impactScore": null,
"integrityImpact": "High",
"privilegesRequired": "None",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "None",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.0"
}
],
"severity": [
{
"author": "nvd@nist.gov",
"id": "CVE-2023-6998",
"trust": 1.0,
"value": "HIGH"
},
{
"author": "cvd@cert.pl",
"id": "CVE-2023-6998",
"trust": 1.0,
"value": "HIGH"
},
{
"author": "NVD",
"id": "CVE-2023-6998",
"trust": 0.8,
"value": "High"
}
]
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2023-024821"
},
{
"db": "NVD",
"id": "CVE-2023-6998"
},
{
"db": "NVD",
"id": "CVE-2023-6998"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Improper privilege management vulnerability in CoolKit Technology eWeLink on Android and iOS allows application lockscreen bypass.This issue affects eWeLink before 5.2.0. CoolKit Technology multiple of OS for eWeLink Exists in unspecified vulnerabilities.Information may be obtained and information may be tampered with",
"sources": [
{
"db": "NVD",
"id": "CVE-2023-6998"
},
{
"db": "JVNDB",
"id": "JVNDB-2023-024821"
},
{
"db": "VULMON",
"id": "CVE-2023-6998"
}
],
"trust": 1.71
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2023-6998",
"trust": 2.8
},
{
"db": "JVNDB",
"id": "JVNDB-2023-024821",
"trust": 0.8
},
{
"db": "OTHER",
"id": "CVE-2023-6998",
"trust": 0.1
},
{
"db": "VULMON",
"id": "CVE-2023-6998",
"trust": 0.1
}
],
"sources": [
{
"db": "OTHER",
"id": "CVE-2023-6998"
},
{
"db": "VULMON",
"id": "CVE-2023-6998"
},
{
"db": "JVNDB",
"id": "JVNDB-2023-024821"
},
{
"db": "NVD",
"id": "CVE-2023-6998"
}
]
},
"id": "VAR-202312-2498",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "OTHER",
"id": "CVE-2023-6998"
}
],
"trust": 0.35
},
"iot_taxonomy": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"category": "application",
"sub_category": "mobile_app",
"trust": 0.1
}
],
"sources": [
{
"db": "OTHER",
"id": "CVE-2023-6998"
}
]
},
"last_update_date": "2024-10-10T23:21:47.893000Z",
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "NVD-CWE-noinfo",
"trust": 1.0
},
{
"problemtype": "CWE-305",
"trust": 1.0
},
{
"problemtype": "Lack of information (CWE-noinfo) [NVD evaluation ]",
"trust": 0.8
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2023-024821"
},
{
"db": "NVD",
"id": "CVE-2023-6998"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 1.9,
"url": "https://cert.pl/en/posts/2023/12/cve-2023-6998/"
},
{
"trust": 1.9,
"url": "https://cert.pl/posts/2023/12/cve-2023-6998/"
},
{
"trust": 1.9,
"url": "https://ewelink.cc/app/"
},
{
"trust": 0.8,
"url": "https://nvd.nist.gov/vuln/detail/cve-2023-6998"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov"
}
],
"sources": [
{
"db": "VULMON",
"id": "CVE-2023-6998"
},
{
"db": "JVNDB",
"id": "JVNDB-2023-024821"
},
{
"db": "NVD",
"id": "CVE-2023-6998"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "OTHER",
"id": "CVE-2023-6998"
},
{
"db": "VULMON",
"id": "CVE-2023-6998"
},
{
"db": "JVNDB",
"id": "JVNDB-2023-024821"
},
{
"db": "NVD",
"id": "CVE-2023-6998"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2023-12-30T00:00:00",
"db": "VULMON",
"id": "CVE-2023-6998"
},
{
"date": "2024-02-01T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2023-024821"
},
{
"date": "2023-12-30T19:15:08.303000",
"db": "NVD",
"id": "CVE-2023-6998"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2024-01-01T00:00:00",
"db": "VULMON",
"id": "CVE-2023-6998"
},
{
"date": "2024-02-01T06:10:00",
"db": "JVNDB",
"id": "JVNDB-2023-024821"
},
{
"date": "2024-10-10T16:15:07.850000",
"db": "NVD",
"id": "CVE-2023-6998"
}
]
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "CoolKit\u00a0Technology\u00a0 multiple of \u00a0OS\u00a0 for \u00a0eWeLink\u00a0 Vulnerability in",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2023-024821"
}
],
"trust": 0.8
}
}
CVE-2024-7205 (GCVE-0-2024-7205)
Vulnerability from nvd – Published: 2024-07-31 05:51 – Updated: 2024-07-31 14:56 Exclusively Hosted Service- CWE-201 - Insertion of Sensitive Information Into Sent Data
| Vendor | Product | Version | |
|---|---|---|---|
| CoolKit | eWeLink Cloud Service |
Affected:
2.0.0 , < 2.19.0
(custom)
|
|
| coolkit | ewelink |
Affected:
0 , < 2.19.0
(custom)
cpe:2.3:a:coolkit:ewelink:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:coolkit:ewelink:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "ewelink",
"vendor": "coolkit",
"versions": [
{
"lessThan": "2.19.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-7205",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-31T14:43:03.470070Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-31T14:56:35.429Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"homepage"
],
"platforms": [
"Linux"
],
"product": "eWeLink Cloud Service",
"vendor": "CoolKit",
"versions": [
{
"lessThan": "2.19.0",
"status": "affected",
"version": "2.0.0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Aarav Sinha, Senior Security Researcher, FEV India Pvt Ltd."
},
{
"lang": "en",
"type": "reporter",
"value": "Jerin Sunny, Security Researcher, FEV India Pvt Ltd."
},
{
"lang": "en",
"type": "reporter",
"value": "Shakir Zari,Security Researcher,FEV India Pvt Ltd."
}
],
"datePublic": "2024-07-30T11:20:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u0026nbsp;When the device is shared,\u0026nbsp;the homepage module are before 2.19.0 \u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003ein eWeLink Cloud Service\u0026nbsp;\u003c/span\u003eallows Secondary user to take over devices as primary user via sharing unnecessary device-sensitive information."
}
],
"value": "When the device is shared,\u00a0the homepage module are before 2.19.0 \u00a0in eWeLink Cloud Service\u00a0allows Secondary user to take over devices as primary user via sharing unnecessary device-sensitive information."
}
],
"impacts": [
{
"capecId": "CAPEC-383",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-383 Harvesting Information via API Event Monitoring"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NO",
"Recovery": "USER",
"Safety": "PRESENT",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.4,
"baseSeverity": "CRITICAL",
"privilegesRequired": "NONE",
"providerUrgency": "GREEN",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "PASSIVE",
"valueDensity": "DIFFUSE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/S:P/AU:N/R:U/V:D/RE:L/U:Green",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "LOW"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-201",
"description": "CWE-201 Insertion of Sensitive Information Into Sent Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-31T05:51:03.427Z",
"orgId": "68870bb1-d075-4169-957d-e580b18692b9",
"shortName": "CoolKit"
},
"references": [
{
"url": "https://ewelink.cc/security-advisory-240730/"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The cloud has fixed the issue in the new version, and users do not need to do anything.\u003cbr\u003e"
}
],
"value": "The cloud has fixed the issue in the new version, and users do not need to do anything."
}
],
"source": {
"discovery": "EXTERNAL"
},
"tags": [
"exclusively-hosted-service"
],
"title": "sharing unnecessary device-sensitive information allows Secondary user able to take over devices as primary user",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "68870bb1-d075-4169-957d-e580b18692b9",
"assignerShortName": "CoolKit",
"cveId": "CVE-2024-7205",
"datePublished": "2024-07-31T05:51:03.427Z",
"dateReserved": "2024-07-29T11:11:17.421Z",
"dateUpdated": "2024-07-31T14:56:35.429Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-3130 (GCVE-0-2024-3130)
Vulnerability from nvd – Published: 2024-04-01 09:13 – Updated: 2025-08-27 21:23- CWE-798 - Use of Hard-coded Credentials
| Vendor | Product | Version | |
|---|---|---|---|
| CoolKIt | eWeLink APP |
Affected:
0 , < 5.4.x
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-3130",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-04-02T14:26:29.391805Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-27T21:23:01.088Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T19:32:42.974Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://ewelink.cc/security-advisories-and-notices/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Android",
"iOS"
],
"product": "eWeLink APP",
"vendor": "CoolKIt",
"versions": [
{
"lessThan": "5.4.x",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Aarav Sinha, Senior Security Researcher, FEV India Pvt Ltd."
},
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Vaishali Nagori, Senior Security Researcher, FEV India Pvt Ltd."
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eHard-coded Credentials\u003c/span\u003e\u0026nbsp;in CoolKit eWeLlink app are before 5.4.x on Android and IOS allows local attacker to\u0026nbsp;unauthorized access to sensitive data via Decryption algorithm and key obtained after decompiling app\u003cbr\u003e\u003cbr\u003e"
}
],
"value": "Hard-coded Credentials\u00a0in CoolKit eWeLlink app are before 5.4.x on Android and IOS allows local attacker to\u00a0unauthorized access to sensitive data via Decryption algorithm and key obtained after decompiling app\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-798",
"description": "CWE-798 Use of Hard-coded Credentials",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-04-01T09:15:47.799Z",
"orgId": "68870bb1-d075-4169-957d-e580b18692b9",
"shortName": "CoolKit"
},
"references": [
{
"url": "https://ewelink.cc/security-advisories-and-notices/"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eUpdate to the latest version of the app.\u003c/span\u003e\u003cbr\u003e"
}
],
"value": "Update to the latest version of the app.\n"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": " Insecure Data Storage leading to sensitive Information disclosure.",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "68870bb1-d075-4169-957d-e580b18692b9",
"assignerShortName": "CoolKit",
"cveId": "CVE-2024-3130",
"datePublished": "2024-04-01T09:13:53.082Z",
"dateReserved": "2024-04-01T09:11:45.225Z",
"dateUpdated": "2025-08-27T21:23:01.088Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-6998 (GCVE-0-2023-6998)
Vulnerability from nvd – Published: 2023-12-30 18:32 – Updated: 2024-10-10 15:36- CWE-305 - Authentication Bypass by Primary Weakness
| URL | Tags |
|---|---|
| https://cert.pl/en/posts/2023/12/CVE-2023-6998/ | third-party-advisory |
| https://cert.pl/posts/2023/12/CVE-2023-6998/ | third-party-advisory |
| https://ewelink.cc/app/ | product |
| Vendor | Product | Version | |
|---|---|---|---|
| CoolKit Technology | eWeLink - Smart Home |
Affected:
0 , < 5.2.0
(custom)
|
|
| CoolKit Technology | eWeLink-Smart Home |
Affected:
0 , < 5.2.0
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T08:50:07.670Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"third-party-advisory",
"x_transferred"
],
"url": "https://cert.pl/en/posts/2023/12/CVE-2023-6998/"
},
{
"tags": [
"third-party-advisory",
"x_transferred"
],
"url": "https://cert.pl/posts/2023/12/CVE-2023-6998/"
},
{
"tags": [
"product",
"x_transferred"
],
"url": "https://ewelink.cc/app/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://play.google.com/store/apps/details?id=com.coolkit",
"defaultStatus": "unaffected",
"platforms": [
"Android"
],
"product": "eWeLink - Smart Home",
"vendor": "CoolKit Technology",
"versions": [
{
"lessThan": "5.2.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"collectionURL": "https://apps.apple.com/us/app/ewelink-smart-home/id1035163158",
"defaultStatus": "unaffected",
"platforms": [
"iOS"
],
"product": "eWeLink-Smart Home",
"vendor": "CoolKit Technology",
"versions": [
{
"lessThan": "5.2.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Jan Adamski (NASK)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper privilege management vulnerability in CoolKit Technology eWeLink on Android and iOS allows application lockscreen bypass.\u003cp\u003eThis issue affects eWeLink before 5.2.0.\u003c/p\u003e"
}
],
"value": "Improper privilege management vulnerability in CoolKit Technology eWeLink on Android and iOS allows application lockscreen bypass.This issue affects eWeLink before 5.2.0."
}
],
"impacts": [
{
"capecId": "CAPEC-115",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-115 Authentication Bypass"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-305",
"description": "CWE-305 Authentication Bypass by Primary Weakness",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-10T15:36:12.108Z",
"orgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
"shortName": "CERT-PL"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://cert.pl/en/posts/2023/12/CVE-2023-6998/"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://cert.pl/posts/2023/12/CVE-2023-6998/"
},
{
"tags": [
"product"
],
"url": "https://ewelink.cc/app/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Lockscreen bypass in eWeLink App",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
"assignerShortName": "CERT-PL",
"cveId": "CVE-2023-6998",
"datePublished": "2023-12-30T18:32:07.452Z",
"dateReserved": "2023-12-20T14:04:20.543Z",
"dateUpdated": "2024-10-10T15:36:12.108Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-27941 (GCVE-0-2021-27941)
Vulnerability from nvd – Published: 2021-05-06 20:31 – Updated: 2024-08-03 21:33- n/a
| URL | Tags |
|---|---|
| https://play.google.com/store/apps/details?id=com… | x_refsource_MISC |
| https://apps.apple.com/us/app/ewelink-smart-home/… | x_refsource_MISC |
| https://github.com/salgio/eWeLink-QR-Code | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T21:33:16.407Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://play.google.com/store/apps/details?id=com.coolkit\u0026hl=en_US"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://apps.apple.com/us/app/ewelink-smart-home/id1035163158"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/salgio/eWeLink-QR-Code"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Unconstrained Web access to the device\u0027s private encryption key in the QR code pairing mode in the eWeLink mobile application (through 4.9.2 on Android and through 4.9.1 on iOS) allows a physically proximate attacker to eavesdrop on Wi-Fi credentials and other sensitive information by monitoring the Wi-Fi spectrum during a device pairing process."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-05-06T20:31:53.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://play.google.com/store/apps/details?id=com.coolkit\u0026hl=en_US"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://apps.apple.com/us/app/ewelink-smart-home/id1035163158"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/salgio/eWeLink-QR-Code"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-27941",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Unconstrained Web access to the device\u0027s private encryption key in the QR code pairing mode in the eWeLink mobile application (through 4.9.2 on Android and through 4.9.1 on iOS) allows a physically proximate attacker to eavesdrop on Wi-Fi credentials and other sensitive information by monitoring the Wi-Fi spectrum during a device pairing process."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://play.google.com/store/apps/details?id=com.coolkit\u0026hl=en_US",
"refsource": "MISC",
"url": "https://play.google.com/store/apps/details?id=com.coolkit\u0026hl=en_US"
},
{
"name": "https://apps.apple.com/us/app/ewelink-smart-home/id1035163158",
"refsource": "MISC",
"url": "https://apps.apple.com/us/app/ewelink-smart-home/id1035163158"
},
{
"name": "https://github.com/salgio/eWeLink-QR-Code",
"refsource": "MISC",
"url": "https://github.com/salgio/eWeLink-QR-Code"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2021-27941",
"datePublished": "2021-05-06T20:31:53.000Z",
"dateReserved": "2021-03-03T00:00:00.000Z",
"dateUpdated": "2024-08-03T21:33:16.407Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-12702 (GCVE-0-2020-12702)
Vulnerability from nvd – Published: 2021-02-24 13:58 – Updated: 2024-08-04 12:04- n/a
| URL | Tags |
|---|---|
| https://play.google.com/store/apps/details?id=com… | x_refsource_MISC |
| https://dl.acm.org/doi/abs/10.1145/3411498.3419965 | x_refsource_MISC |
| https://github.com/salgio/ESPTouchCatcher | x_refsource_MISC |
| https://www.youtube.com/watch?v=DghYH7WY6iE&featu… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T12:04:22.546Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://play.google.com/store/apps/details?id=com.coolkit\u0026hl=en_US"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://dl.acm.org/doi/abs/10.1145/3411498.3419965"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/salgio/ESPTouchCatcher"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.youtube.com/watch?v=DghYH7WY6iE\u0026feature=youtu.be"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Weak encryption in the Quick Pairing mode in the eWeLink mobile application (Android application V4.9.2 and earlier, iOS application V4.9.1 and earlier) allows physically proximate attackers to eavesdrop on Wi-Fi credentials and other sensitive information by monitoring the Wi-Fi spectrum during the pairing process."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-02-24T13:58:28.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://play.google.com/store/apps/details?id=com.coolkit\u0026hl=en_US"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://dl.acm.org/doi/abs/10.1145/3411498.3419965"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/salgio/ESPTouchCatcher"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.youtube.com/watch?v=DghYH7WY6iE\u0026feature=youtu.be"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-12702",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Weak encryption in the Quick Pairing mode in the eWeLink mobile application (Android application V4.9.2 and earlier, iOS application V4.9.1 and earlier) allows physically proximate attackers to eavesdrop on Wi-Fi credentials and other sensitive information by monitoring the Wi-Fi spectrum during the pairing process."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://play.google.com/store/apps/details?id=com.coolkit\u0026hl=en_US",
"refsource": "MISC",
"url": "https://play.google.com/store/apps/details?id=com.coolkit\u0026hl=en_US"
},
{
"name": "https://dl.acm.org/doi/abs/10.1145/3411498.3419965",
"refsource": "MISC",
"url": "https://dl.acm.org/doi/abs/10.1145/3411498.3419965"
},
{
"name": "https://github.com/salgio/ESPTouchCatcher",
"refsource": "MISC",
"url": "https://github.com/salgio/ESPTouchCatcher"
},
{
"name": "https://www.youtube.com/watch?v=DghYH7WY6iE\u0026feature=youtu.be",
"refsource": "MISC",
"url": "https://www.youtube.com/watch?v=DghYH7WY6iE\u0026feature=youtu.be"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-12702",
"datePublished": "2021-02-24T13:58:28.000Z",
"dateReserved": "2020-05-07T00:00:00.000Z",
"dateUpdated": "2024-08-04T12:04:22.546Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-7205 (GCVE-0-2024-7205)
Vulnerability from cvelistv5 – Published: 2024-07-31 05:51 – Updated: 2024-07-31 14:56 Exclusively Hosted Service- CWE-201 - Insertion of Sensitive Information Into Sent Data
| Vendor | Product | Version | |
|---|---|---|---|
| CoolKit | eWeLink Cloud Service |
Affected:
2.0.0 , < 2.19.0
(custom)
|
|
| coolkit | ewelink |
Affected:
0 , < 2.19.0
(custom)
cpe:2.3:a:coolkit:ewelink:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:coolkit:ewelink:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "ewelink",
"vendor": "coolkit",
"versions": [
{
"lessThan": "2.19.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-7205",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-31T14:43:03.470070Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-31T14:56:35.429Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"homepage"
],
"platforms": [
"Linux"
],
"product": "eWeLink Cloud Service",
"vendor": "CoolKit",
"versions": [
{
"lessThan": "2.19.0",
"status": "affected",
"version": "2.0.0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Aarav Sinha, Senior Security Researcher, FEV India Pvt Ltd."
},
{
"lang": "en",
"type": "reporter",
"value": "Jerin Sunny, Security Researcher, FEV India Pvt Ltd."
},
{
"lang": "en",
"type": "reporter",
"value": "Shakir Zari,Security Researcher,FEV India Pvt Ltd."
}
],
"datePublic": "2024-07-30T11:20:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u0026nbsp;When the device is shared,\u0026nbsp;the homepage module are before 2.19.0 \u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003ein eWeLink Cloud Service\u0026nbsp;\u003c/span\u003eallows Secondary user to take over devices as primary user via sharing unnecessary device-sensitive information."
}
],
"value": "When the device is shared,\u00a0the homepage module are before 2.19.0 \u00a0in eWeLink Cloud Service\u00a0allows Secondary user to take over devices as primary user via sharing unnecessary device-sensitive information."
}
],
"impacts": [
{
"capecId": "CAPEC-383",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-383 Harvesting Information via API Event Monitoring"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NO",
"Recovery": "USER",
"Safety": "PRESENT",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.4,
"baseSeverity": "CRITICAL",
"privilegesRequired": "NONE",
"providerUrgency": "GREEN",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "PASSIVE",
"valueDensity": "DIFFUSE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/S:P/AU:N/R:U/V:D/RE:L/U:Green",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "LOW"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-201",
"description": "CWE-201 Insertion of Sensitive Information Into Sent Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-31T05:51:03.427Z",
"orgId": "68870bb1-d075-4169-957d-e580b18692b9",
"shortName": "CoolKit"
},
"references": [
{
"url": "https://ewelink.cc/security-advisory-240730/"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The cloud has fixed the issue in the new version, and users do not need to do anything.\u003cbr\u003e"
}
],
"value": "The cloud has fixed the issue in the new version, and users do not need to do anything."
}
],
"source": {
"discovery": "EXTERNAL"
},
"tags": [
"exclusively-hosted-service"
],
"title": "sharing unnecessary device-sensitive information allows Secondary user able to take over devices as primary user",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "68870bb1-d075-4169-957d-e580b18692b9",
"assignerShortName": "CoolKit",
"cveId": "CVE-2024-7205",
"datePublished": "2024-07-31T05:51:03.427Z",
"dateReserved": "2024-07-29T11:11:17.421Z",
"dateUpdated": "2024-07-31T14:56:35.429Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-3130 (GCVE-0-2024-3130)
Vulnerability from cvelistv5 – Published: 2024-04-01 09:13 – Updated: 2025-08-27 21:23- CWE-798 - Use of Hard-coded Credentials
| Vendor | Product | Version | |
|---|---|---|---|
| CoolKIt | eWeLink APP |
Affected:
0 , < 5.4.x
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-3130",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-04-02T14:26:29.391805Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-27T21:23:01.088Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T19:32:42.974Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://ewelink.cc/security-advisories-and-notices/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Android",
"iOS"
],
"product": "eWeLink APP",
"vendor": "CoolKIt",
"versions": [
{
"lessThan": "5.4.x",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Aarav Sinha, Senior Security Researcher, FEV India Pvt Ltd."
},
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Vaishali Nagori, Senior Security Researcher, FEV India Pvt Ltd."
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eHard-coded Credentials\u003c/span\u003e\u0026nbsp;in CoolKit eWeLlink app are before 5.4.x on Android and IOS allows local attacker to\u0026nbsp;unauthorized access to sensitive data via Decryption algorithm and key obtained after decompiling app\u003cbr\u003e\u003cbr\u003e"
}
],
"value": "Hard-coded Credentials\u00a0in CoolKit eWeLlink app are before 5.4.x on Android and IOS allows local attacker to\u00a0unauthorized access to sensitive data via Decryption algorithm and key obtained after decompiling app\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-798",
"description": "CWE-798 Use of Hard-coded Credentials",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-04-01T09:15:47.799Z",
"orgId": "68870bb1-d075-4169-957d-e580b18692b9",
"shortName": "CoolKit"
},
"references": [
{
"url": "https://ewelink.cc/security-advisories-and-notices/"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eUpdate to the latest version of the app.\u003c/span\u003e\u003cbr\u003e"
}
],
"value": "Update to the latest version of the app.\n"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": " Insecure Data Storage leading to sensitive Information disclosure.",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "68870bb1-d075-4169-957d-e580b18692b9",
"assignerShortName": "CoolKit",
"cveId": "CVE-2024-3130",
"datePublished": "2024-04-01T09:13:53.082Z",
"dateReserved": "2024-04-01T09:11:45.225Z",
"dateUpdated": "2025-08-27T21:23:01.088Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-6998 (GCVE-0-2023-6998)
Vulnerability from cvelistv5 – Published: 2023-12-30 18:32 – Updated: 2024-10-10 15:36- CWE-305 - Authentication Bypass by Primary Weakness
| URL | Tags |
|---|---|
| https://cert.pl/en/posts/2023/12/CVE-2023-6998/ | third-party-advisory |
| https://cert.pl/posts/2023/12/CVE-2023-6998/ | third-party-advisory |
| https://ewelink.cc/app/ | product |
| Vendor | Product | Version | |
|---|---|---|---|
| CoolKit Technology | eWeLink - Smart Home |
Affected:
0 , < 5.2.0
(custom)
|
|
| CoolKit Technology | eWeLink-Smart Home |
Affected:
0 , < 5.2.0
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T08:50:07.670Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"third-party-advisory",
"x_transferred"
],
"url": "https://cert.pl/en/posts/2023/12/CVE-2023-6998/"
},
{
"tags": [
"third-party-advisory",
"x_transferred"
],
"url": "https://cert.pl/posts/2023/12/CVE-2023-6998/"
},
{
"tags": [
"product",
"x_transferred"
],
"url": "https://ewelink.cc/app/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://play.google.com/store/apps/details?id=com.coolkit",
"defaultStatus": "unaffected",
"platforms": [
"Android"
],
"product": "eWeLink - Smart Home",
"vendor": "CoolKit Technology",
"versions": [
{
"lessThan": "5.2.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"collectionURL": "https://apps.apple.com/us/app/ewelink-smart-home/id1035163158",
"defaultStatus": "unaffected",
"platforms": [
"iOS"
],
"product": "eWeLink-Smart Home",
"vendor": "CoolKit Technology",
"versions": [
{
"lessThan": "5.2.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Jan Adamski (NASK)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper privilege management vulnerability in CoolKit Technology eWeLink on Android and iOS allows application lockscreen bypass.\u003cp\u003eThis issue affects eWeLink before 5.2.0.\u003c/p\u003e"
}
],
"value": "Improper privilege management vulnerability in CoolKit Technology eWeLink on Android and iOS allows application lockscreen bypass.This issue affects eWeLink before 5.2.0."
}
],
"impacts": [
{
"capecId": "CAPEC-115",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-115 Authentication Bypass"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-305",
"description": "CWE-305 Authentication Bypass by Primary Weakness",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-10T15:36:12.108Z",
"orgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
"shortName": "CERT-PL"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://cert.pl/en/posts/2023/12/CVE-2023-6998/"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://cert.pl/posts/2023/12/CVE-2023-6998/"
},
{
"tags": [
"product"
],
"url": "https://ewelink.cc/app/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Lockscreen bypass in eWeLink App",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
"assignerShortName": "CERT-PL",
"cveId": "CVE-2023-6998",
"datePublished": "2023-12-30T18:32:07.452Z",
"dateReserved": "2023-12-20T14:04:20.543Z",
"dateUpdated": "2024-10-10T15:36:12.108Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-27941 (GCVE-0-2021-27941)
Vulnerability from cvelistv5 – Published: 2021-05-06 20:31 – Updated: 2024-08-03 21:33- n/a
| URL | Tags |
|---|---|
| https://play.google.com/store/apps/details?id=com… | x_refsource_MISC |
| https://apps.apple.com/us/app/ewelink-smart-home/… | x_refsource_MISC |
| https://github.com/salgio/eWeLink-QR-Code | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T21:33:16.407Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://play.google.com/store/apps/details?id=com.coolkit\u0026hl=en_US"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://apps.apple.com/us/app/ewelink-smart-home/id1035163158"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/salgio/eWeLink-QR-Code"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Unconstrained Web access to the device\u0027s private encryption key in the QR code pairing mode in the eWeLink mobile application (through 4.9.2 on Android and through 4.9.1 on iOS) allows a physically proximate attacker to eavesdrop on Wi-Fi credentials and other sensitive information by monitoring the Wi-Fi spectrum during a device pairing process."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-05-06T20:31:53.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://play.google.com/store/apps/details?id=com.coolkit\u0026hl=en_US"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://apps.apple.com/us/app/ewelink-smart-home/id1035163158"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/salgio/eWeLink-QR-Code"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-27941",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Unconstrained Web access to the device\u0027s private encryption key in the QR code pairing mode in the eWeLink mobile application (through 4.9.2 on Android and through 4.9.1 on iOS) allows a physically proximate attacker to eavesdrop on Wi-Fi credentials and other sensitive information by monitoring the Wi-Fi spectrum during a device pairing process."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://play.google.com/store/apps/details?id=com.coolkit\u0026hl=en_US",
"refsource": "MISC",
"url": "https://play.google.com/store/apps/details?id=com.coolkit\u0026hl=en_US"
},
{
"name": "https://apps.apple.com/us/app/ewelink-smart-home/id1035163158",
"refsource": "MISC",
"url": "https://apps.apple.com/us/app/ewelink-smart-home/id1035163158"
},
{
"name": "https://github.com/salgio/eWeLink-QR-Code",
"refsource": "MISC",
"url": "https://github.com/salgio/eWeLink-QR-Code"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2021-27941",
"datePublished": "2021-05-06T20:31:53.000Z",
"dateReserved": "2021-03-03T00:00:00.000Z",
"dateUpdated": "2024-08-03T21:33:16.407Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-12702 (GCVE-0-2020-12702)
Vulnerability from cvelistv5 – Published: 2021-02-24 13:58 – Updated: 2024-08-04 12:04- n/a
| URL | Tags |
|---|---|
| https://play.google.com/store/apps/details?id=com… | x_refsource_MISC |
| https://dl.acm.org/doi/abs/10.1145/3411498.3419965 | x_refsource_MISC |
| https://github.com/salgio/ESPTouchCatcher | x_refsource_MISC |
| https://www.youtube.com/watch?v=DghYH7WY6iE&featu… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T12:04:22.546Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://play.google.com/store/apps/details?id=com.coolkit\u0026hl=en_US"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://dl.acm.org/doi/abs/10.1145/3411498.3419965"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/salgio/ESPTouchCatcher"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.youtube.com/watch?v=DghYH7WY6iE\u0026feature=youtu.be"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Weak encryption in the Quick Pairing mode in the eWeLink mobile application (Android application V4.9.2 and earlier, iOS application V4.9.1 and earlier) allows physically proximate attackers to eavesdrop on Wi-Fi credentials and other sensitive information by monitoring the Wi-Fi spectrum during the pairing process."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-02-24T13:58:28.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://play.google.com/store/apps/details?id=com.coolkit\u0026hl=en_US"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://dl.acm.org/doi/abs/10.1145/3411498.3419965"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/salgio/ESPTouchCatcher"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.youtube.com/watch?v=DghYH7WY6iE\u0026feature=youtu.be"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-12702",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Weak encryption in the Quick Pairing mode in the eWeLink mobile application (Android application V4.9.2 and earlier, iOS application V4.9.1 and earlier) allows physically proximate attackers to eavesdrop on Wi-Fi credentials and other sensitive information by monitoring the Wi-Fi spectrum during the pairing process."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://play.google.com/store/apps/details?id=com.coolkit\u0026hl=en_US",
"refsource": "MISC",
"url": "https://play.google.com/store/apps/details?id=com.coolkit\u0026hl=en_US"
},
{
"name": "https://dl.acm.org/doi/abs/10.1145/3411498.3419965",
"refsource": "MISC",
"url": "https://dl.acm.org/doi/abs/10.1145/3411498.3419965"
},
{
"name": "https://github.com/salgio/ESPTouchCatcher",
"refsource": "MISC",
"url": "https://github.com/salgio/ESPTouchCatcher"
},
{
"name": "https://www.youtube.com/watch?v=DghYH7WY6iE\u0026feature=youtu.be",
"refsource": "MISC",
"url": "https://www.youtube.com/watch?v=DghYH7WY6iE\u0026feature=youtu.be"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-12702",
"datePublished": "2021-02-24T13:58:28.000Z",
"dateReserved": "2020-05-07T00:00:00.000Z",
"dateUpdated": "2024-08-04T12:04:22.546Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}