Search

Find a vulnerability

Search criteria

    13 vulnerabilities by coolkit

    VAR-202105-0825

    Vulnerability from variot - Updated: 2025-01-30 22:31

    Unconstrained Web access to the device's private encryption key in the QR code pairing mode in the eWeLink mobile application (through 4.9.2 on Android and through 4.9.1 on iOS) allows a physically proximate attacker to eavesdrop on Wi-Fi credentials and other sensitive information by monitoring the Wi-Fi spectrum during a device pairing process. eWeLink Mobile application Contains an improper authentication vulnerability.Information may be obtained

    Show details on source website

    {
      "@context": {
        "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
        "affected_products": {
          "@id": "https://www.variotdbs.pl/ref/affected_products"
        },
        "credits": {
          "@id": "https://www.variotdbs.pl/ref/credits"
        },
        "cvss": {
          "@id": "https://www.variotdbs.pl/ref/cvss/"
        },
        "description": {
          "@id": "https://www.variotdbs.pl/ref/description/"
        },
        "exploit_availability": {
          "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
        },
        "external_ids": {
          "@id": "https://www.variotdbs.pl/ref/external_ids/"
        },
        "iot": {
          "@id": "https://www.variotdbs.pl/ref/iot/"
        },
        "iot_taxonomy": {
          "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
        },
        "patch": {
          "@id": "https://www.variotdbs.pl/ref/patch/"
        },
        "problemtype_data": {
          "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
        },
        "references": {
          "@id": "https://www.variotdbs.pl/ref/references/"
        },
        "sources": {
          "@id": "https://www.variotdbs.pl/ref/sources/"
        },
        "sources_release_date": {
          "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
        },
        "sources_update_date": {
          "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
        },
        "threat_type": {
          "@id": "https://www.variotdbs.pl/ref/threat_type/"
        },
        "title": {
          "@id": "https://www.variotdbs.pl/ref/title/"
        },
        "type": {
          "@id": "https://www.variotdbs.pl/ref/type/"
        }
      },
      "@id": "https://www.variotdbs.pl/vuln/VAR-202105-0825",
      "affected_products": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            },
            "@id": "https://www.variotdbs.pl/ref/sources"
          }
        },
        "data": [
          {
            "model": "ewelink",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "coolkit",
            "version": "4.9.1"
          },
          {
            "model": "ewelink",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "coolkit",
            "version": "4.9.2"
          },
          {
            "model": "ewelink",
            "scope": "lte",
            "trust": 0.8,
            "vendor": "coolkit",
            "version": "4.9.2  until  (android)"
          },
          {
            "model": "ewelink",
            "scope": "lte",
            "trust": 0.8,
            "vendor": "coolkit",
            "version": "4.9.1  until  (ios)"
          },
          {
            "model": "ewelink",
            "scope": "eq",
            "trust": 0.8,
            "vendor": "coolkit",
            "version": null
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2021-006558"
          },
          {
            "db": "NVD",
            "id": "CVE-2021-27941"
          }
        ]
      },
      "cve": "CVE-2021-27941",
      "cvss": {
        "@context": {
          "cvssV2": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
          },
          "cvssV3": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
          },
          "severity": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/cvss/severity#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/severity"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            },
            "@id": "https://www.variotdbs.pl/ref/sources"
          }
        },
        "data": [
          {
            "cvssV2": [
              {
                "accessComplexity": "LOW",
                "accessVector": "LOCAL",
                "authentication": "NONE",
                "author": "nvd@nist.gov",
                "availabilityImpact": "NONE",
                "baseScore": 2.1,
                "confidentialityImpact": "PARTIAL",
                "exploitabilityScore": 3.9,
                "id": "CVE-2021-27941",
                "impactScore": 2.9,
                "integrityImpact": "NONE",
                "severity": "LOW",
                "trust": 1.9,
                "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
                "version": "2.0"
              }
            ],
            "cvssV3": [
              {
                "attackComplexity": "LOW",
                "attackVector": "PHYSICAL",
                "author": "nvd@nist.gov",
                "availabilityImpact": "NONE",
                "baseScore": 4.6,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "exploitabilityScore": 0.9,
                "id": "CVE-2021-27941",
                "impactScore": 3.6,
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "trust": 1.0,
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              },
              {
                "attackComplexity": "Low",
                "attackVector": "Physical",
                "author": "NVD",
                "availabilityImpact": "None",
                "baseScore": 4.6,
                "baseSeverity": "Medium",
                "confidentialityImpact": "High",
                "exploitabilityScore": null,
                "id": "CVE-2021-27941",
                "impactScore": null,
                "integrityImpact": "None",
                "privilegesRequired": "None",
                "scope": "Unchanged",
                "trust": 0.8,
                "userInteraction": "None",
                "vectorString": "CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.0"
              }
            ],
            "severity": [
              {
                "author": "nvd@nist.gov",
                "id": "CVE-2021-27941",
                "trust": 1.0,
                "value": "MEDIUM"
              },
              {
                "author": "NVD",
                "id": "CVE-2021-27941",
                "trust": 0.8,
                "value": "Medium"
              },
              {
                "author": "CNNVD",
                "id": "CNNVD-202105-291",
                "trust": 0.6,
                "value": "MEDIUM"
              },
              {
                "author": "VULMON",
                "id": "CVE-2021-27941",
                "trust": 0.1,
                "value": "LOW"
              }
            ]
          }
        ],
        "sources": [
          {
            "db": "VULMON",
            "id": "CVE-2021-27941"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2021-006558"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202105-291"
          },
          {
            "db": "NVD",
            "id": "CVE-2021-27941"
          }
        ]
      },
      "description": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/description#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "Unconstrained Web access to the device\u0027s private encryption key in the QR code pairing mode in the eWeLink mobile application (through 4.9.2 on Android and through 4.9.1 on iOS) allows a physically proximate attacker to eavesdrop on Wi-Fi credentials and other sensitive information by monitoring the Wi-Fi spectrum during a device pairing process. eWeLink Mobile application Contains an improper authentication vulnerability.Information may be obtained",
        "sources": [
          {
            "db": "NVD",
            "id": "CVE-2021-27941"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2021-006558"
          },
          {
            "db": "VULMON",
            "id": "CVE-2021-27941"
          }
        ],
        "trust": 1.71
      },
      "external_ids": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "db": "NVD",
            "id": "CVE-2021-27941",
            "trust": 3.4
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2021-006558",
            "trust": 0.8
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202105-291",
            "trust": 0.6
          },
          {
            "db": "OTHER",
            "id": "NONE",
            "trust": 0.1
          },
          {
            "db": "VULMON",
            "id": "CVE-2021-27941",
            "trust": 0.1
          }
        ],
        "sources": [
          {
            "db": "OTHER",
            "id": null
          },
          {
            "db": "VULMON",
            "id": "CVE-2021-27941"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2021-006558"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202105-291"
          },
          {
            "db": "NVD",
            "id": "CVE-2021-27941"
          }
        ]
      },
      "id": "VAR-202105-0825",
      "iot": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/iot#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": true,
        "sources": [
          {
            "db": "OTHER",
            "id": null
          }
        ],
        "trust": 0.35
      },
      "iot_taxonomy": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "category": [
              "vehicle device"
            ],
            "sub_category": "mobile device",
            "trust": 0.1
          }
        ],
        "sources": [
          {
            "db": "OTHER",
            "id": null
          }
        ]
      },
      "last_update_date": "2025-01-30T22:31:50.164000Z",
      "patch": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/patch#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "title": "eWeLink-Smart\u00a0Home Google\u00a0Play",
            "trust": 0.8,
            "url": "https://apps.apple.com/us/app/ewelink-smart-home/id1035163158"
          },
          {
            "title": "eWeLink-QR-Code",
            "trust": 0.1,
            "url": "https://github.com/salgio/eWeLink-QR-Code "
          }
        ],
        "sources": [
          {
            "db": "VULMON",
            "id": "CVE-2021-27941"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2021-006558"
          }
        ]
      },
      "problemtype_data": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "problemtype": "CWE-522",
            "trust": 1.0
          },
          {
            "problemtype": "Bad authentication (CWE-863) [NVD Evaluation ]",
            "trust": 0.8
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2021-006558"
          },
          {
            "db": "NVD",
            "id": "CVE-2021-27941"
          }
        ]
      },
      "references": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/references#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "trust": 2.6,
            "url": "https://github.com/salgio/ewelink-qr-code"
          },
          {
            "trust": 1.7,
            "url": "https://apps.apple.com/us/app/ewelink-smart-home/id1035163158"
          },
          {
            "trust": 1.7,
            "url": "https://play.google.com/store/apps/details?id=com.coolkit\u0026hl=en_us"
          },
          {
            "trust": 0.8,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2021-27941"
          },
          {
            "trust": 0.1,
            "url": "https://ieeexplore.ieee.org/abstract/document/10769424"
          },
          {
            "trust": 0.1,
            "url": "https://cwe.mitre.org/data/definitions/863.html"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov"
          }
        ],
        "sources": [
          {
            "db": "OTHER",
            "id": null
          },
          {
            "db": "VULMON",
            "id": "CVE-2021-27941"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2021-006558"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202105-291"
          },
          {
            "db": "NVD",
            "id": "CVE-2021-27941"
          }
        ]
      },
      "sources": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "db": "OTHER",
            "id": null
          },
          {
            "db": "VULMON",
            "id": "CVE-2021-27941"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2021-006558"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202105-291"
          },
          {
            "db": "NVD",
            "id": "CVE-2021-27941"
          }
        ]
      },
      "sources_release_date": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "date": "2021-05-06T00:00:00",
            "db": "VULMON",
            "id": "CVE-2021-27941"
          },
          {
            "date": "2022-01-13T00:00:00",
            "db": "JVNDB",
            "id": "JVNDB-2021-006558"
          },
          {
            "date": "2021-05-06T00:00:00",
            "db": "CNNVD",
            "id": "CNNVD-202105-291"
          },
          {
            "date": "2021-05-06T21:15:07.597000",
            "db": "NVD",
            "id": "CVE-2021-27941"
          }
        ]
      },
      "sources_update_date": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "date": "2021-05-14T00:00:00",
            "db": "VULMON",
            "id": "CVE-2021-27941"
          },
          {
            "date": "2022-01-13T03:29:00",
            "db": "JVNDB",
            "id": "JVNDB-2021-006558"
          },
          {
            "date": "2022-07-14T00:00:00",
            "db": "CNNVD",
            "id": "CNNVD-202105-291"
          },
          {
            "date": "2022-07-12T17:42:04.277000",
            "db": "NVD",
            "id": "CVE-2021-27941"
          }
        ]
      },
      "title": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/title#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "eWeLink\u00a0 Mobile application \u00a0 Authentication Vulnerability in Microsoft",
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2021-006558"
          }
        ],
        "trust": 0.8
      },
      "type": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/type#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "other",
        "sources": [
          {
            "db": "CNNVD",
            "id": "CNNVD-202105-291"
          }
        ],
        "trust": 0.6
      }
    }

    VAR-202102-0089

    Vulnerability from variot - Updated: 2024-11-23 22:37

    Weak encryption in the Quick Pairing mode in the eWeLink mobile application (Android application V4.9.2 and earlier, iOS application V4.9.1 and earlier) allows physically proximate attackers to eavesdrop on Wi-Fi credentials and other sensitive information by monitoring the Wi-Fi spectrum during the pairing process. eWeLink Mobile applications contain vulnerabilities in the use of cryptographic algorithms.Information may be obtained

    Show details on source website

    {
      "@context": {
        "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
        "affected_products": {
          "@id": "https://www.variotdbs.pl/ref/affected_products"
        },
        "configurations": {
          "@id": "https://www.variotdbs.pl/ref/configurations"
        },
        "credits": {
          "@id": "https://www.variotdbs.pl/ref/credits"
        },
        "cvss": {
          "@id": "https://www.variotdbs.pl/ref/cvss/"
        },
        "description": {
          "@id": "https://www.variotdbs.pl/ref/description/"
        },
        "exploit_availability": {
          "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
        },
        "external_ids": {
          "@id": "https://www.variotdbs.pl/ref/external_ids/"
        },
        "iot": {
          "@id": "https://www.variotdbs.pl/ref/iot/"
        },
        "iot_taxonomy": {
          "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
        },
        "patch": {
          "@id": "https://www.variotdbs.pl/ref/patch/"
        },
        "problemtype_data": {
          "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
        },
        "references": {
          "@id": "https://www.variotdbs.pl/ref/references/"
        },
        "sources": {
          "@id": "https://www.variotdbs.pl/ref/sources/"
        },
        "sources_release_date": {
          "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
        },
        "sources_update_date": {
          "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
        },
        "threat_type": {
          "@id": "https://www.variotdbs.pl/ref/threat_type/"
        },
        "title": {
          "@id": "https://www.variotdbs.pl/ref/title/"
        },
        "type": {
          "@id": "https://www.variotdbs.pl/ref/type/"
        }
      },
      "@id": "https://www.variotdbs.pl/vuln/VAR-202102-0089",
      "affected_products": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            },
            "@id": "https://www.variotdbs.pl/ref/sources"
          }
        },
        "data": [
          {
            "model": "ewelink",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "coolkit",
            "version": "4.9.2"
          },
          {
            "model": "ewelink",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "coolkit",
            "version": "4.9.1"
          },
          {
            "model": "ewelink",
            "scope": "lte",
            "trust": 0.8,
            "vendor": "coolkit",
            "version": "4.9.1  and earlier  (ios)"
          },
          {
            "model": "ewelink",
            "scope": "eq",
            "trust": 0.8,
            "vendor": "coolkit",
            "version": null
          },
          {
            "model": "ewelink",
            "scope": "lte",
            "trust": 0.8,
            "vendor": "coolkit",
            "version": "4.9.2  and earlier  (android)"
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2020-016233"
          },
          {
            "db": "NVD",
            "id": "CVE-2020-12702"
          }
        ]
      },
      "cve": "CVE-2020-12702",
      "cvss": {
        "@context": {
          "cvssV2": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
          },
          "cvssV3": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
          },
          "severity": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/cvss/severity#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/severity"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            },
            "@id": "https://www.variotdbs.pl/ref/sources"
          }
        },
        "data": [
          {
            "cvssV2": [
              {
                "accessComplexity": "LOW",
                "accessVector": "LOCAL",
                "authentication": "NONE",
                "author": "nvd@nist.gov",
                "availabilityImpact": "NONE",
                "baseScore": 2.1,
                "confidentialityImpact": "PARTIAL",
                "exploitabilityScore": 3.9,
                "id": "CVE-2020-12702",
                "impactScore": 2.9,
                "integrityImpact": "NONE",
                "severity": "LOW",
                "trust": 1.9,
                "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
                "version": "2.0"
              }
            ],
            "cvssV3": [
              {
                "attackComplexity": "LOW",
                "attackVector": "PHYSICAL",
                "author": "nvd@nist.gov",
                "availabilityImpact": "NONE",
                "baseScore": 4.6,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "exploitabilityScore": 0.9,
                "id": "CVE-2020-12702",
                "impactScore": 3.6,
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "trust": 1.0,
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              },
              {
                "attackComplexity": "Low",
                "attackVector": "Physical",
                "author": "NVD",
                "availabilityImpact": "None",
                "baseScore": 4.6,
                "baseSeverity": "Medium",
                "confidentialityImpact": "High",
                "exploitabilityScore": null,
                "id": "CVE-2020-12702",
                "impactScore": null,
                "integrityImpact": "None",
                "privilegesRequired": "None",
                "scope": "Unchanged",
                "trust": 0.8,
                "userInteraction": "None",
                "vectorString": "CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.0"
              }
            ],
            "severity": [
              {
                "author": "nvd@nist.gov",
                "id": "CVE-2020-12702",
                "trust": 1.0,
                "value": "MEDIUM"
              },
              {
                "author": "NVD",
                "id": "CVE-2020-12702",
                "trust": 0.8,
                "value": "Medium"
              },
              {
                "author": "CNNVD",
                "id": "CNNVD-202102-1578",
                "trust": 0.6,
                "value": "MEDIUM"
              },
              {
                "author": "VULMON",
                "id": "CVE-2020-12702",
                "trust": 0.1,
                "value": "LOW"
              }
            ]
          }
        ],
        "sources": [
          {
            "db": "VULMON",
            "id": "CVE-2020-12702"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2020-016233"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202102-1578"
          },
          {
            "db": "NVD",
            "id": "CVE-2020-12702"
          }
        ]
      },
      "description": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/description#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "Weak encryption in the Quick Pairing mode in the eWeLink mobile application (Android application V4.9.2 and earlier, iOS application V4.9.1 and earlier) allows physically proximate attackers to eavesdrop on Wi-Fi credentials and other sensitive information by monitoring the Wi-Fi spectrum during the pairing process. eWeLink Mobile applications contain vulnerabilities in the use of cryptographic algorithms.Information may be obtained",
        "sources": [
          {
            "db": "NVD",
            "id": "CVE-2020-12702"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2020-016233"
          },
          {
            "db": "VULMON",
            "id": "CVE-2020-12702"
          }
        ],
        "trust": 1.71
      },
      "external_ids": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "db": "NVD",
            "id": "CVE-2020-12702",
            "trust": 2.5
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2020-016233",
            "trust": 0.8
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202102-1578",
            "trust": 0.6
          },
          {
            "db": "VULMON",
            "id": "CVE-2020-12702",
            "trust": 0.1
          }
        ],
        "sources": [
          {
            "db": "VULMON",
            "id": "CVE-2020-12702"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2020-016233"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202102-1578"
          },
          {
            "db": "NVD",
            "id": "CVE-2020-12702"
          }
        ]
      },
      "id": "VAR-202102-0089",
      "iot": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/iot#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": true,
        "sources": [
          {
            "db": "VARIoT devices database",
            "id": null
          }
        ],
        "trust": 0.25
      },
      "last_update_date": "2024-11-23T22:37:05.531000Z",
      "patch": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/patch#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "title": "eWeLink\u00a0-\u00a0Smart\u00a0Home",
            "trust": 0.8,
            "url": "https://play.google.com/store/apps/details?id=com.coolkit\u0026hl=en_US"
          },
          {
            "title": "eWeLink mobile application Fixes for encryption problem vulnerabilities",
            "trust": 0.6,
            "url": "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=143434"
          },
          {
            "title": "ESPTouchCatcher",
            "trust": 0.1,
            "url": "https://github.com/salgio/ESPTouchCatcher "
          },
          {
            "title": "PoC",
            "trust": 0.1,
            "url": "https://github.com/Jonathan-Elias/PoC "
          },
          {
            "title": "PoC-in-GitHub",
            "trust": 0.1,
            "url": "https://github.com/developer3000S/PoC-in-GitHub "
          }
        ],
        "sources": [
          {
            "db": "VULMON",
            "id": "CVE-2020-12702"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2020-016233"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202102-1578"
          }
        ]
      },
      "problemtype_data": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "problemtype": "CWE-327",
            "trust": 1.0
          },
          {
            "problemtype": "Use of incomplete or dangerous cryptographic algorithms (CWE-327) [NVD Evaluation ]",
            "trust": 0.8
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2020-016233"
          },
          {
            "db": "NVD",
            "id": "CVE-2020-12702"
          }
        ]
      },
      "references": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/references#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "trust": 2.6,
            "url": "https://github.com/salgio/esptouchcatcher"
          },
          {
            "trust": 1.7,
            "url": "https://dl.acm.org/doi/abs/10.1145/3411498.3419965"
          },
          {
            "trust": 1.7,
            "url": "https://www.youtube.com/watch?v=dghyh7wy6ie\u0026feature=youtu.be"
          },
          {
            "trust": 1.7,
            "url": "https://play.google.com/store/apps/details?id=com.coolkit\u0026hl=en_us"
          },
          {
            "trust": 1.4,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2020-12702"
          },
          {
            "trust": 0.1,
            "url": "https://cwe.mitre.org/data/definitions/327.html"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov"
          }
        ],
        "sources": [
          {
            "db": "VULMON",
            "id": "CVE-2020-12702"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2020-016233"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202102-1578"
          },
          {
            "db": "NVD",
            "id": "CVE-2020-12702"
          }
        ]
      },
      "sources": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "db": "VULMON",
            "id": "CVE-2020-12702"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2020-016233"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202102-1578"
          },
          {
            "db": "NVD",
            "id": "CVE-2020-12702"
          }
        ]
      },
      "sources_release_date": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "date": "2021-02-24T00:00:00",
            "db": "VULMON",
            "id": "CVE-2020-12702"
          },
          {
            "date": "2021-11-16T00:00:00",
            "db": "JVNDB",
            "id": "JVNDB-2020-016233"
          },
          {
            "date": "2021-02-24T00:00:00",
            "db": "CNNVD",
            "id": "CNNVD-202102-1578"
          },
          {
            "date": "2021-02-24T14:15:13.150000",
            "db": "NVD",
            "id": "CVE-2020-12702"
          }
        ]
      },
      "sources_update_date": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "date": "2021-07-21T00:00:00",
            "db": "VULMON",
            "id": "CVE-2020-12702"
          },
          {
            "date": "2021-11-16T07:10:00",
            "db": "JVNDB",
            "id": "JVNDB-2020-016233"
          },
          {
            "date": "2021-03-04T00:00:00",
            "db": "CNNVD",
            "id": "CNNVD-202102-1578"
          },
          {
            "date": "2024-11-21T05:00:06.477000",
            "db": "NVD",
            "id": "CVE-2020-12702"
          }
        ]
      },
      "title": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/title#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "eWeLink\u00a0 Vulnerability in using cryptographic algorithms in mobile applications",
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2020-016233"
          }
        ],
        "trust": 0.8
      },
      "type": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/type#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "encryption problem",
        "sources": [
          {
            "db": "CNNVD",
            "id": "CNNVD-202102-1578"
          }
        ],
        "trust": 0.6
      }
    }

    VAR-202312-2498

    Vulnerability from variot - Updated: 2024-10-10 23:21

    Improper privilege management vulnerability in CoolKit Technology eWeLink on Android and iOS allows application lockscreen bypass.This issue affects eWeLink before 5.2.0. CoolKit Technology multiple of OS for eWeLink Exists in unspecified vulnerabilities.Information may be obtained and information may be tampered with

    Show details on source website

    {
      "@context": {
        "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
        "affected_products": {
          "@id": "https://www.variotdbs.pl/ref/affected_products"
        },
        "configurations": {
          "@id": "https://www.variotdbs.pl/ref/configurations"
        },
        "credits": {
          "@id": "https://www.variotdbs.pl/ref/credits"
        },
        "cvss": {
          "@id": "https://www.variotdbs.pl/ref/cvss/"
        },
        "description": {
          "@id": "https://www.variotdbs.pl/ref/description/"
        },
        "exploit_availability": {
          "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
        },
        "external_ids": {
          "@id": "https://www.variotdbs.pl/ref/external_ids/"
        },
        "iot": {
          "@id": "https://www.variotdbs.pl/ref/iot/"
        },
        "iot_taxonomy": {
          "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
        },
        "patch": {
          "@id": "https://www.variotdbs.pl/ref/patch/"
        },
        "problemtype_data": {
          "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
        },
        "references": {
          "@id": "https://www.variotdbs.pl/ref/references/"
        },
        "sources": {
          "@id": "https://www.variotdbs.pl/ref/sources/"
        },
        "sources_release_date": {
          "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
        },
        "sources_update_date": {
          "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
        },
        "threat_type": {
          "@id": "https://www.variotdbs.pl/ref/threat_type/"
        },
        "title": {
          "@id": "https://www.variotdbs.pl/ref/title/"
        },
        "type": {
          "@id": "https://www.variotdbs.pl/ref/type/"
        }
      },
      "@id": "https://www.variotdbs.pl/vuln/VAR-202312-2498",
      "affected_products": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            },
            "@id": "https://www.variotdbs.pl/ref/sources"
          }
        },
        "data": [
          {
            "model": "ewelink",
            "scope": "lt",
            "trust": 1.1,
            "vendor": "coolkit",
            "version": "5.2.0"
          },
          {
            "model": "ewelink",
            "scope": "eq",
            "trust": 0.8,
            "vendor": "coolkit",
            "version": null
          },
          {
            "model": "ewelink",
            "scope": null,
            "trust": 0.8,
            "vendor": "coolkit",
            "version": null
          },
          {
            "model": "ewelink",
            "scope": "eq",
            "trust": 0.8,
            "vendor": "coolkit",
            "version": "5.2.0"
          }
        ],
        "sources": [
          {
            "db": "OTHER",
            "id": "CVE-2023-6998"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2023-024821"
          },
          {
            "db": "NVD",
            "id": "CVE-2023-6998"
          }
        ]
      },
      "cve": "CVE-2023-6998",
      "cvss": {
        "@context": {
          "cvssV2": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
          },
          "cvssV3": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
          },
          "severity": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/cvss/severity#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/severity"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            },
            "@id": "https://www.variotdbs.pl/ref/sources"
          }
        },
        "data": [
          {
            "cvssV2": [],
            "cvssV3": [
              {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "author": "nvd@nist.gov",
                "availabilityImpact": "NONE",
                "baseScore": 7.7,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "exploitabilityScore": 2.5,
                "id": "CVE-2023-6998",
                "impactScore": 5.2,
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "trust": 2.0,
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
                "version": "3.1"
              },
              {
                "attackComplexity": "Low",
                "attackVector": "Local",
                "author": "NVD",
                "availabilityImpact": "None",
                "baseScore": 7.7,
                "baseSeverity": "High",
                "confidentialityImpact": "High",
                "exploitabilityScore": null,
                "id": "CVE-2023-6998",
                "impactScore": null,
                "integrityImpact": "High",
                "privilegesRequired": "None",
                "scope": "Unchanged",
                "trust": 0.8,
                "userInteraction": "None",
                "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
                "version": "3.0"
              }
            ],
            "severity": [
              {
                "author": "nvd@nist.gov",
                "id": "CVE-2023-6998",
                "trust": 1.0,
                "value": "HIGH"
              },
              {
                "author": "cvd@cert.pl",
                "id": "CVE-2023-6998",
                "trust": 1.0,
                "value": "HIGH"
              },
              {
                "author": "NVD",
                "id": "CVE-2023-6998",
                "trust": 0.8,
                "value": "High"
              }
            ]
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2023-024821"
          },
          {
            "db": "NVD",
            "id": "CVE-2023-6998"
          },
          {
            "db": "NVD",
            "id": "CVE-2023-6998"
          }
        ]
      },
      "description": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/description#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "Improper privilege management vulnerability in CoolKit Technology eWeLink on Android and iOS allows application lockscreen bypass.This issue affects eWeLink before 5.2.0. CoolKit Technology multiple of OS for eWeLink Exists in unspecified vulnerabilities.Information may be obtained and information may be tampered with",
        "sources": [
          {
            "db": "NVD",
            "id": "CVE-2023-6998"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2023-024821"
          },
          {
            "db": "VULMON",
            "id": "CVE-2023-6998"
          }
        ],
        "trust": 1.71
      },
      "external_ids": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "db": "NVD",
            "id": "CVE-2023-6998",
            "trust": 2.8
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2023-024821",
            "trust": 0.8
          },
          {
            "db": "OTHER",
            "id": "CVE-2023-6998",
            "trust": 0.1
          },
          {
            "db": "VULMON",
            "id": "CVE-2023-6998",
            "trust": 0.1
          }
        ],
        "sources": [
          {
            "db": "OTHER",
            "id": "CVE-2023-6998"
          },
          {
            "db": "VULMON",
            "id": "CVE-2023-6998"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2023-024821"
          },
          {
            "db": "NVD",
            "id": "CVE-2023-6998"
          }
        ]
      },
      "id": "VAR-202312-2498",
      "iot": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/iot#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": true,
        "sources": [
          {
            "db": "OTHER",
            "id": "CVE-2023-6998"
          }
        ],
        "trust": 0.35
      },
      "iot_taxonomy": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "category": "application",
            "sub_category": "mobile_app",
            "trust": 0.1
          }
        ],
        "sources": [
          {
            "db": "OTHER",
            "id": "CVE-2023-6998"
          }
        ]
      },
      "last_update_date": "2024-10-10T23:21:47.893000Z",
      "problemtype_data": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "problemtype": "NVD-CWE-noinfo",
            "trust": 1.0
          },
          {
            "problemtype": "CWE-305",
            "trust": 1.0
          },
          {
            "problemtype": "Lack of information (CWE-noinfo) [NVD evaluation ]",
            "trust": 0.8
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2023-024821"
          },
          {
            "db": "NVD",
            "id": "CVE-2023-6998"
          }
        ]
      },
      "references": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/references#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "trust": 1.9,
            "url": "https://cert.pl/en/posts/2023/12/cve-2023-6998/"
          },
          {
            "trust": 1.9,
            "url": "https://cert.pl/posts/2023/12/cve-2023-6998/"
          },
          {
            "trust": 1.9,
            "url": "https://ewelink.cc/app/"
          },
          {
            "trust": 0.8,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2023-6998"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov"
          }
        ],
        "sources": [
          {
            "db": "VULMON",
            "id": "CVE-2023-6998"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2023-024821"
          },
          {
            "db": "NVD",
            "id": "CVE-2023-6998"
          }
        ]
      },
      "sources": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "db": "OTHER",
            "id": "CVE-2023-6998"
          },
          {
            "db": "VULMON",
            "id": "CVE-2023-6998"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2023-024821"
          },
          {
            "db": "NVD",
            "id": "CVE-2023-6998"
          }
        ]
      },
      "sources_release_date": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "date": "2023-12-30T00:00:00",
            "db": "VULMON",
            "id": "CVE-2023-6998"
          },
          {
            "date": "2024-02-01T00:00:00",
            "db": "JVNDB",
            "id": "JVNDB-2023-024821"
          },
          {
            "date": "2023-12-30T19:15:08.303000",
            "db": "NVD",
            "id": "CVE-2023-6998"
          }
        ]
      },
      "sources_update_date": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "date": "2024-01-01T00:00:00",
            "db": "VULMON",
            "id": "CVE-2023-6998"
          },
          {
            "date": "2024-02-01T06:10:00",
            "db": "JVNDB",
            "id": "JVNDB-2023-024821"
          },
          {
            "date": "2024-10-10T16:15:07.850000",
            "db": "NVD",
            "id": "CVE-2023-6998"
          }
        ]
      },
      "title": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/title#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "CoolKit\u00a0Technology\u00a0 multiple of \u00a0OS\u00a0 for \u00a0eWeLink\u00a0 Vulnerability in",
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2023-024821"
          }
        ],
        "trust": 0.8
      }
    }

    CVE-2024-7205 (GCVE-0-2024-7205)

    Vulnerability from nvd – Published: 2024-07-31 05:51 – Updated: 2024-07-31 14:56 Exclusively Hosted Service
    VLAI
    Title
    sharing unnecessary device-sensitive information allows Secondary user able to take over devices as primary user
    Summary
    When the device is shared, the homepage module are before 2.19.0  in eWeLink Cloud Service allows Secondary user to take over devices as primary user via sharing unnecessary device-sensitive information.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-201 - Insertion of Sensitive Information Into Sent Data
    Assigner
    References
    Impacted products
    Vendor Product Version
    CoolKit eWeLink Cloud Service Affected: 2.0.0 , < 2.19.0 (custom)
    Create a notification for this product.
    coolkit ewelink Affected: 0 , < 2.19.0 (custom)
        cpe:2.3:a:coolkit:ewelink:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Date Public
    2024-07-30 11:20
    Credits
    Aarav Sinha, Senior Security Researcher, FEV India Pvt Ltd. Jerin Sunny, Security Researcher, FEV India Pvt Ltd. Shakir Zari,Security Researcher,FEV India Pvt Ltd.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:coolkit:ewelink:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "ewelink",
                "vendor": "coolkit",
                "versions": [
                  {
                    "lessThan": "2.19.0",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-7205",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-07-31T14:43:03.470070Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-07-31T14:56:35.429Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "modules": [
                "homepage"
              ],
              "platforms": [
                "Linux"
              ],
              "product": "eWeLink Cloud Service",
              "vendor": "CoolKit",
              "versions": [
                {
                  "lessThan": "2.19.0",
                  "status": "affected",
                  "version": "2.0.0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Aarav Sinha, Senior Security Researcher, FEV India Pvt Ltd."
            },
            {
              "lang": "en",
              "type": "reporter",
              "value": "Jerin Sunny, Security Researcher, FEV India Pvt Ltd."
            },
            {
              "lang": "en",
              "type": "reporter",
              "value": "Shakir Zari,Security Researcher,FEV India Pvt Ltd."
            }
          ],
          "datePublic": "2024-07-30T11:20:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u0026nbsp;When the device is shared,\u0026nbsp;the homepage module are before 2.19.0 \u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003ein eWeLink Cloud Service\u0026nbsp;\u003c/span\u003eallows Secondary user to take over devices as primary user via sharing unnecessary device-sensitive information."
                }
              ],
              "value": "When the device is shared,\u00a0the homepage module are before 2.19.0 \u00a0in eWeLink Cloud Service\u00a0allows Secondary user to take over devices as primary user via sharing unnecessary device-sensitive information."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-383",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-383 Harvesting Information via API Event Monitoring"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NO",
                "Recovery": "USER",
                "Safety": "PRESENT",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 9.4,
                "baseSeverity": "CRITICAL",
                "privilegesRequired": "NONE",
                "providerUrgency": "GREEN",
                "subAvailabilityImpact": "HIGH",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "PASSIVE",
                "valueDensity": "DIFFUSE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/S:P/AU:N/R:U/V:D/RE:L/U:Green",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "LOW"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-201",
                  "description": "CWE-201 Insertion of Sensitive Information Into Sent Data",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-07-31T05:51:03.427Z",
            "orgId": "68870bb1-d075-4169-957d-e580b18692b9",
            "shortName": "CoolKit"
          },
          "references": [
            {
              "url": "https://ewelink.cc/security-advisory-240730/"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "The cloud has fixed the issue in the new version, and users do not need to do anything.\u003cbr\u003e"
                }
              ],
              "value": "The cloud has fixed the issue in the new version, and users do not need to do anything."
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "tags": [
            "exclusively-hosted-service"
          ],
          "title": "sharing unnecessary device-sensitive information allows Secondary user able to take over devices as primary user",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "68870bb1-d075-4169-957d-e580b18692b9",
        "assignerShortName": "CoolKit",
        "cveId": "CVE-2024-7205",
        "datePublished": "2024-07-31T05:51:03.427Z",
        "dateReserved": "2024-07-29T11:11:17.421Z",
        "dateUpdated": "2024-07-31T14:56:35.429Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-3130 (GCVE-0-2024-3130)

    Vulnerability from nvd – Published: 2024-04-01 09:13 – Updated: 2025-08-27 21:23
    VLAI
    Title
    Insecure Data Storage leading to sensitive Information disclosure.
    Summary
    Hard-coded Credentials in CoolKit eWeLlink app are before 5.4.x on Android and IOS allows local attacker to unauthorized access to sensitive data via Decryption algorithm and key obtained after decompiling app
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-798 - Use of Hard-coded Credentials
    Assigner
    References
    Impacted products
    Vendor Product Version
    CoolKIt eWeLink APP Affected: 0 , < 5.4.x (custom)
    Create a notification for this product.
    Credits
    Aarav Sinha, Senior Security Researcher, FEV India Pvt Ltd. Vaishali Nagori, Senior Security Researcher, FEV India Pvt Ltd.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "HIGH",
                  "attackVector": "LOCAL",
                  "availabilityImpact": "NONE",
                  "baseScore": 5.7,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "HIGH",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-3130",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-04-02T14:26:29.391805Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-08-27T21:23:01.088Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-01T19:32:42.974Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://ewelink.cc/security-advisories-and-notices/"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "Android",
                "iOS"
              ],
              "product": "eWeLink APP",
              "vendor": "CoolKIt",
              "versions": [
                {
                  "lessThan": "5.4.x",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "user": "00000000-0000-4000-9000-000000000000",
              "value": "Aarav Sinha, Senior Security Researcher, FEV India Pvt Ltd."
            },
            {
              "lang": "en",
              "type": "finder",
              "user": "00000000-0000-4000-9000-000000000000",
              "value": "Vaishali Nagori, Senior Security Researcher, FEV India Pvt Ltd."
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eHard-coded Credentials\u003c/span\u003e\u0026nbsp;in CoolKit eWeLlink app are before 5.4.x on Android and IOS allows local attacker to\u0026nbsp;unauthorized access to sensitive data via Decryption algorithm and key obtained after decompiling app\u003cbr\u003e\u003cbr\u003e"
                }
              ],
              "value": "Hard-coded Credentials\u00a0in CoolKit eWeLlink app are before 5.4.x on Android and IOS allows local attacker to\u00a0unauthorized access to sensitive data via Decryption algorithm and key obtained after decompiling app\n\n"
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "LOCAL",
                "availabilityImpact": "NONE",
                "baseScore": 5.7,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-798",
                  "description": "CWE-798 Use of Hard-coded Credentials",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-04-01T09:15:47.799Z",
            "orgId": "68870bb1-d075-4169-957d-e580b18692b9",
            "shortName": "CoolKit"
          },
          "references": [
            {
              "url": "https://ewelink.cc/security-advisories-and-notices/"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eUpdate to the latest version of the app.\u003c/span\u003e\u003cbr\u003e"
                }
              ],
              "value": "Update to the latest version of the app.\n"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": " Insecure Data Storage leading to sensitive Information disclosure.",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "68870bb1-d075-4169-957d-e580b18692b9",
        "assignerShortName": "CoolKit",
        "cveId": "CVE-2024-3130",
        "datePublished": "2024-04-01T09:13:53.082Z",
        "dateReserved": "2024-04-01T09:11:45.225Z",
        "dateUpdated": "2025-08-27T21:23:01.088Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-6998 (GCVE-0-2023-6998)

    Vulnerability from nvd – Published: 2023-12-30 18:32 – Updated: 2024-10-10 15:36
    VLAI
    Title
    Lockscreen bypass in eWeLink App
    Summary
    Improper privilege management vulnerability in CoolKit Technology eWeLink on Android and iOS allows application lockscreen bypass.This issue affects eWeLink before 5.2.0.
    CWE
    • CWE-305 - Authentication Bypass by Primary Weakness
    Assigner
    References
    Impacted products
    Credits
    Jan Adamski (NASK)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T08:50:07.670Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "third-party-advisory",
                  "x_transferred"
                ],
                "url": "https://cert.pl/en/posts/2023/12/CVE-2023-6998/"
              },
              {
                "tags": [
                  "third-party-advisory",
                  "x_transferred"
                ],
                "url": "https://cert.pl/posts/2023/12/CVE-2023-6998/"
              },
              {
                "tags": [
                  "product",
                  "x_transferred"
                ],
                "url": "https://ewelink.cc/app/"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://play.google.com/store/apps/details?id=com.coolkit",
              "defaultStatus": "unaffected",
              "platforms": [
                "Android"
              ],
              "product": "eWeLink - Smart Home",
              "vendor": "CoolKit Technology",
              "versions": [
                {
                  "lessThan": "5.2.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "collectionURL": "https://apps.apple.com/us/app/ewelink-smart-home/id1035163158",
              "defaultStatus": "unaffected",
              "platforms": [
                "iOS"
              ],
              "product": "eWeLink-Smart Home",
              "vendor": "CoolKit Technology",
              "versions": [
                {
                  "lessThan": "5.2.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "user": "00000000-0000-4000-9000-000000000000",
              "value": "Jan Adamski (NASK)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Improper privilege management vulnerability in CoolKit Technology eWeLink on Android and iOS allows application lockscreen bypass.\u003cp\u003eThis issue affects eWeLink before 5.2.0.\u003c/p\u003e"
                }
              ],
              "value": "Improper privilege management vulnerability in CoolKit Technology eWeLink on Android and iOS allows application lockscreen bypass.This issue affects eWeLink before 5.2.0."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-115",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-115 Authentication Bypass"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "NONE",
                "baseScore": 7.7,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-305",
                  "description": "CWE-305 Authentication Bypass by Primary Weakness",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-10-10T15:36:12.108Z",
            "orgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
            "shortName": "CERT-PL"
          },
          "references": [
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://cert.pl/en/posts/2023/12/CVE-2023-6998/"
            },
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://cert.pl/posts/2023/12/CVE-2023-6998/"
            },
            {
              "tags": [
                "product"
              ],
              "url": "https://ewelink.cc/app/"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Lockscreen bypass in eWeLink App",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
        "assignerShortName": "CERT-PL",
        "cveId": "CVE-2023-6998",
        "datePublished": "2023-12-30T18:32:07.452Z",
        "dateReserved": "2023-12-20T14:04:20.543Z",
        "dateUpdated": "2024-10-10T15:36:12.108Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-27941 (GCVE-0-2021-27941)

    Vulnerability from nvd – Published: 2021-05-06 20:31 – Updated: 2024-08-03 21:33
    VLAI
    Summary
    Unconstrained Web access to the device's private encryption key in the QR code pairing mode in the eWeLink mobile application (through 4.9.2 on Android and through 4.9.1 on iOS) allows a physically proximate attacker to eavesdrop on Wi-Fi credentials and other sensitive information by monitoring the Wi-Fi spectrum during a device pairing process.
    Severity
    No CVSS data available.
    CWE
    • n/a
    Assigner
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T21:33:16.407Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://play.google.com/store/apps/details?id=com.coolkit\u0026hl=en_US"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://apps.apple.com/us/app/ewelink-smart-home/id1035163158"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/salgio/eWeLink-QR-Code"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Unconstrained Web access to the device\u0027s private encryption key in the QR code pairing mode in the eWeLink mobile application (through 4.9.2 on Android and through 4.9.1 on iOS) allows a physically proximate attacker to eavesdrop on Wi-Fi credentials and other sensitive information by monitoring the Wi-Fi spectrum during a device pairing process."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-05-06T20:31:53.000Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://play.google.com/store/apps/details?id=com.coolkit\u0026hl=en_US"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://apps.apple.com/us/app/ewelink-smart-home/id1035163158"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/salgio/eWeLink-QR-Code"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cve@mitre.org",
              "ID": "CVE-2021-27941",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Unconstrained Web access to the device\u0027s private encryption key in the QR code pairing mode in the eWeLink mobile application (through 4.9.2 on Android and through 4.9.1 on iOS) allows a physically proximate attacker to eavesdrop on Wi-Fi credentials and other sensitive information by monitoring the Wi-Fi spectrum during a device pairing process."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "n/a"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://play.google.com/store/apps/details?id=com.coolkit\u0026hl=en_US",
                  "refsource": "MISC",
                  "url": "https://play.google.com/store/apps/details?id=com.coolkit\u0026hl=en_US"
                },
                {
                  "name": "https://apps.apple.com/us/app/ewelink-smart-home/id1035163158",
                  "refsource": "MISC",
                  "url": "https://apps.apple.com/us/app/ewelink-smart-home/id1035163158"
                },
                {
                  "name": "https://github.com/salgio/eWeLink-QR-Code",
                  "refsource": "MISC",
                  "url": "https://github.com/salgio/eWeLink-QR-Code"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2021-27941",
        "datePublished": "2021-05-06T20:31:53.000Z",
        "dateReserved": "2021-03-03T00:00:00.000Z",
        "dateUpdated": "2024-08-03T21:33:16.407Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-12702 (GCVE-0-2020-12702)

    Vulnerability from nvd – Published: 2021-02-24 13:58 – Updated: 2024-08-04 12:04
    VLAI
    Summary
    Weak encryption in the Quick Pairing mode in the eWeLink mobile application (Android application V4.9.2 and earlier, iOS application V4.9.1 and earlier) allows physically proximate attackers to eavesdrop on Wi-Fi credentials and other sensitive information by monitoring the Wi-Fi spectrum during the pairing process.
    Severity
    No CVSS data available.
    CWE
    • n/a
    Assigner
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T12:04:22.546Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://play.google.com/store/apps/details?id=com.coolkit\u0026hl=en_US"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://dl.acm.org/doi/abs/10.1145/3411498.3419965"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/salgio/ESPTouchCatcher"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.youtube.com/watch?v=DghYH7WY6iE\u0026feature=youtu.be"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Weak encryption in the Quick Pairing mode in the eWeLink mobile application (Android application V4.9.2 and earlier, iOS application V4.9.1 and earlier) allows physically proximate attackers to eavesdrop on Wi-Fi credentials and other sensitive information by monitoring the Wi-Fi spectrum during the pairing process."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-02-24T13:58:28.000Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://play.google.com/store/apps/details?id=com.coolkit\u0026hl=en_US"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://dl.acm.org/doi/abs/10.1145/3411498.3419965"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/salgio/ESPTouchCatcher"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.youtube.com/watch?v=DghYH7WY6iE\u0026feature=youtu.be"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cve@mitre.org",
              "ID": "CVE-2020-12702",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Weak encryption in the Quick Pairing mode in the eWeLink mobile application (Android application V4.9.2 and earlier, iOS application V4.9.1 and earlier) allows physically proximate attackers to eavesdrop on Wi-Fi credentials and other sensitive information by monitoring the Wi-Fi spectrum during the pairing process."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "n/a"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://play.google.com/store/apps/details?id=com.coolkit\u0026hl=en_US",
                  "refsource": "MISC",
                  "url": "https://play.google.com/store/apps/details?id=com.coolkit\u0026hl=en_US"
                },
                {
                  "name": "https://dl.acm.org/doi/abs/10.1145/3411498.3419965",
                  "refsource": "MISC",
                  "url": "https://dl.acm.org/doi/abs/10.1145/3411498.3419965"
                },
                {
                  "name": "https://github.com/salgio/ESPTouchCatcher",
                  "refsource": "MISC",
                  "url": "https://github.com/salgio/ESPTouchCatcher"
                },
                {
                  "name": "https://www.youtube.com/watch?v=DghYH7WY6iE\u0026feature=youtu.be",
                  "refsource": "MISC",
                  "url": "https://www.youtube.com/watch?v=DghYH7WY6iE\u0026feature=youtu.be"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2020-12702",
        "datePublished": "2021-02-24T13:58:28.000Z",
        "dateReserved": "2020-05-07T00:00:00.000Z",
        "dateUpdated": "2024-08-04T12:04:22.546Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-7205 (GCVE-0-2024-7205)

    Vulnerability from cvelistv5 – Published: 2024-07-31 05:51 – Updated: 2024-07-31 14:56 Exclusively Hosted Service
    VLAI
    Title
    sharing unnecessary device-sensitive information allows Secondary user able to take over devices as primary user
    Summary
    When the device is shared, the homepage module are before 2.19.0  in eWeLink Cloud Service allows Secondary user to take over devices as primary user via sharing unnecessary device-sensitive information.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-201 - Insertion of Sensitive Information Into Sent Data
    Assigner
    References
    Impacted products
    Vendor Product Version
    CoolKit eWeLink Cloud Service Affected: 2.0.0 , < 2.19.0 (custom)
    Create a notification for this product.
    coolkit ewelink Affected: 0 , < 2.19.0 (custom)
        cpe:2.3:a:coolkit:ewelink:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Date Public
    2024-07-30 11:20
    Credits
    Aarav Sinha, Senior Security Researcher, FEV India Pvt Ltd. Jerin Sunny, Security Researcher, FEV India Pvt Ltd. Shakir Zari,Security Researcher,FEV India Pvt Ltd.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:coolkit:ewelink:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "ewelink",
                "vendor": "coolkit",
                "versions": [
                  {
                    "lessThan": "2.19.0",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-7205",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-07-31T14:43:03.470070Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-07-31T14:56:35.429Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "modules": [
                "homepage"
              ],
              "platforms": [
                "Linux"
              ],
              "product": "eWeLink Cloud Service",
              "vendor": "CoolKit",
              "versions": [
                {
                  "lessThan": "2.19.0",
                  "status": "affected",
                  "version": "2.0.0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Aarav Sinha, Senior Security Researcher, FEV India Pvt Ltd."
            },
            {
              "lang": "en",
              "type": "reporter",
              "value": "Jerin Sunny, Security Researcher, FEV India Pvt Ltd."
            },
            {
              "lang": "en",
              "type": "reporter",
              "value": "Shakir Zari,Security Researcher,FEV India Pvt Ltd."
            }
          ],
          "datePublic": "2024-07-30T11:20:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u0026nbsp;When the device is shared,\u0026nbsp;the homepage module are before 2.19.0 \u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003ein eWeLink Cloud Service\u0026nbsp;\u003c/span\u003eallows Secondary user to take over devices as primary user via sharing unnecessary device-sensitive information."
                }
              ],
              "value": "When the device is shared,\u00a0the homepage module are before 2.19.0 \u00a0in eWeLink Cloud Service\u00a0allows Secondary user to take over devices as primary user via sharing unnecessary device-sensitive information."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-383",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-383 Harvesting Information via API Event Monitoring"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NO",
                "Recovery": "USER",
                "Safety": "PRESENT",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 9.4,
                "baseSeverity": "CRITICAL",
                "privilegesRequired": "NONE",
                "providerUrgency": "GREEN",
                "subAvailabilityImpact": "HIGH",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "PASSIVE",
                "valueDensity": "DIFFUSE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/S:P/AU:N/R:U/V:D/RE:L/U:Green",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "LOW"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-201",
                  "description": "CWE-201 Insertion of Sensitive Information Into Sent Data",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-07-31T05:51:03.427Z",
            "orgId": "68870bb1-d075-4169-957d-e580b18692b9",
            "shortName": "CoolKit"
          },
          "references": [
            {
              "url": "https://ewelink.cc/security-advisory-240730/"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "The cloud has fixed the issue in the new version, and users do not need to do anything.\u003cbr\u003e"
                }
              ],
              "value": "The cloud has fixed the issue in the new version, and users do not need to do anything."
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "tags": [
            "exclusively-hosted-service"
          ],
          "title": "sharing unnecessary device-sensitive information allows Secondary user able to take over devices as primary user",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "68870bb1-d075-4169-957d-e580b18692b9",
        "assignerShortName": "CoolKit",
        "cveId": "CVE-2024-7205",
        "datePublished": "2024-07-31T05:51:03.427Z",
        "dateReserved": "2024-07-29T11:11:17.421Z",
        "dateUpdated": "2024-07-31T14:56:35.429Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-3130 (GCVE-0-2024-3130)

    Vulnerability from cvelistv5 – Published: 2024-04-01 09:13 – Updated: 2025-08-27 21:23
    VLAI
    Title
    Insecure Data Storage leading to sensitive Information disclosure.
    Summary
    Hard-coded Credentials in CoolKit eWeLlink app are before 5.4.x on Android and IOS allows local attacker to unauthorized access to sensitive data via Decryption algorithm and key obtained after decompiling app
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-798 - Use of Hard-coded Credentials
    Assigner
    References
    Impacted products
    Vendor Product Version
    CoolKIt eWeLink APP Affected: 0 , < 5.4.x (custom)
    Create a notification for this product.
    Credits
    Aarav Sinha, Senior Security Researcher, FEV India Pvt Ltd. Vaishali Nagori, Senior Security Researcher, FEV India Pvt Ltd.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "HIGH",
                  "attackVector": "LOCAL",
                  "availabilityImpact": "NONE",
                  "baseScore": 5.7,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "HIGH",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-3130",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-04-02T14:26:29.391805Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-08-27T21:23:01.088Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-01T19:32:42.974Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://ewelink.cc/security-advisories-and-notices/"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "Android",
                "iOS"
              ],
              "product": "eWeLink APP",
              "vendor": "CoolKIt",
              "versions": [
                {
                  "lessThan": "5.4.x",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "user": "00000000-0000-4000-9000-000000000000",
              "value": "Aarav Sinha, Senior Security Researcher, FEV India Pvt Ltd."
            },
            {
              "lang": "en",
              "type": "finder",
              "user": "00000000-0000-4000-9000-000000000000",
              "value": "Vaishali Nagori, Senior Security Researcher, FEV India Pvt Ltd."
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eHard-coded Credentials\u003c/span\u003e\u0026nbsp;in CoolKit eWeLlink app are before 5.4.x on Android and IOS allows local attacker to\u0026nbsp;unauthorized access to sensitive data via Decryption algorithm and key obtained after decompiling app\u003cbr\u003e\u003cbr\u003e"
                }
              ],
              "value": "Hard-coded Credentials\u00a0in CoolKit eWeLlink app are before 5.4.x on Android and IOS allows local attacker to\u00a0unauthorized access to sensitive data via Decryption algorithm and key obtained after decompiling app\n\n"
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "LOCAL",
                "availabilityImpact": "NONE",
                "baseScore": 5.7,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-798",
                  "description": "CWE-798 Use of Hard-coded Credentials",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-04-01T09:15:47.799Z",
            "orgId": "68870bb1-d075-4169-957d-e580b18692b9",
            "shortName": "CoolKit"
          },
          "references": [
            {
              "url": "https://ewelink.cc/security-advisories-and-notices/"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eUpdate to the latest version of the app.\u003c/span\u003e\u003cbr\u003e"
                }
              ],
              "value": "Update to the latest version of the app.\n"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": " Insecure Data Storage leading to sensitive Information disclosure.",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "68870bb1-d075-4169-957d-e580b18692b9",
        "assignerShortName": "CoolKit",
        "cveId": "CVE-2024-3130",
        "datePublished": "2024-04-01T09:13:53.082Z",
        "dateReserved": "2024-04-01T09:11:45.225Z",
        "dateUpdated": "2025-08-27T21:23:01.088Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-6998 (GCVE-0-2023-6998)

    Vulnerability from cvelistv5 – Published: 2023-12-30 18:32 – Updated: 2024-10-10 15:36
    VLAI
    Title
    Lockscreen bypass in eWeLink App
    Summary
    Improper privilege management vulnerability in CoolKit Technology eWeLink on Android and iOS allows application lockscreen bypass.This issue affects eWeLink before 5.2.0.
    CWE
    • CWE-305 - Authentication Bypass by Primary Weakness
    Assigner
    References
    Impacted products
    Credits
    Jan Adamski (NASK)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T08:50:07.670Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "third-party-advisory",
                  "x_transferred"
                ],
                "url": "https://cert.pl/en/posts/2023/12/CVE-2023-6998/"
              },
              {
                "tags": [
                  "third-party-advisory",
                  "x_transferred"
                ],
                "url": "https://cert.pl/posts/2023/12/CVE-2023-6998/"
              },
              {
                "tags": [
                  "product",
                  "x_transferred"
                ],
                "url": "https://ewelink.cc/app/"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://play.google.com/store/apps/details?id=com.coolkit",
              "defaultStatus": "unaffected",
              "platforms": [
                "Android"
              ],
              "product": "eWeLink - Smart Home",
              "vendor": "CoolKit Technology",
              "versions": [
                {
                  "lessThan": "5.2.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "collectionURL": "https://apps.apple.com/us/app/ewelink-smart-home/id1035163158",
              "defaultStatus": "unaffected",
              "platforms": [
                "iOS"
              ],
              "product": "eWeLink-Smart Home",
              "vendor": "CoolKit Technology",
              "versions": [
                {
                  "lessThan": "5.2.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "user": "00000000-0000-4000-9000-000000000000",
              "value": "Jan Adamski (NASK)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Improper privilege management vulnerability in CoolKit Technology eWeLink on Android and iOS allows application lockscreen bypass.\u003cp\u003eThis issue affects eWeLink before 5.2.0.\u003c/p\u003e"
                }
              ],
              "value": "Improper privilege management vulnerability in CoolKit Technology eWeLink on Android and iOS allows application lockscreen bypass.This issue affects eWeLink before 5.2.0."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-115",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-115 Authentication Bypass"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "NONE",
                "baseScore": 7.7,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-305",
                  "description": "CWE-305 Authentication Bypass by Primary Weakness",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-10-10T15:36:12.108Z",
            "orgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
            "shortName": "CERT-PL"
          },
          "references": [
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://cert.pl/en/posts/2023/12/CVE-2023-6998/"
            },
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://cert.pl/posts/2023/12/CVE-2023-6998/"
            },
            {
              "tags": [
                "product"
              ],
              "url": "https://ewelink.cc/app/"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Lockscreen bypass in eWeLink App",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
        "assignerShortName": "CERT-PL",
        "cveId": "CVE-2023-6998",
        "datePublished": "2023-12-30T18:32:07.452Z",
        "dateReserved": "2023-12-20T14:04:20.543Z",
        "dateUpdated": "2024-10-10T15:36:12.108Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-27941 (GCVE-0-2021-27941)

    Vulnerability from cvelistv5 – Published: 2021-05-06 20:31 – Updated: 2024-08-03 21:33
    VLAI
    Summary
    Unconstrained Web access to the device's private encryption key in the QR code pairing mode in the eWeLink mobile application (through 4.9.2 on Android and through 4.9.1 on iOS) allows a physically proximate attacker to eavesdrop on Wi-Fi credentials and other sensitive information by monitoring the Wi-Fi spectrum during a device pairing process.
    Severity
    No CVSS data available.
    CWE
    • n/a
    Assigner
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T21:33:16.407Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://play.google.com/store/apps/details?id=com.coolkit\u0026hl=en_US"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://apps.apple.com/us/app/ewelink-smart-home/id1035163158"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/salgio/eWeLink-QR-Code"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Unconstrained Web access to the device\u0027s private encryption key in the QR code pairing mode in the eWeLink mobile application (through 4.9.2 on Android and through 4.9.1 on iOS) allows a physically proximate attacker to eavesdrop on Wi-Fi credentials and other sensitive information by monitoring the Wi-Fi spectrum during a device pairing process."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-05-06T20:31:53.000Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://play.google.com/store/apps/details?id=com.coolkit\u0026hl=en_US"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://apps.apple.com/us/app/ewelink-smart-home/id1035163158"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/salgio/eWeLink-QR-Code"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cve@mitre.org",
              "ID": "CVE-2021-27941",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Unconstrained Web access to the device\u0027s private encryption key in the QR code pairing mode in the eWeLink mobile application (through 4.9.2 on Android and through 4.9.1 on iOS) allows a physically proximate attacker to eavesdrop on Wi-Fi credentials and other sensitive information by monitoring the Wi-Fi spectrum during a device pairing process."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "n/a"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://play.google.com/store/apps/details?id=com.coolkit\u0026hl=en_US",
                  "refsource": "MISC",
                  "url": "https://play.google.com/store/apps/details?id=com.coolkit\u0026hl=en_US"
                },
                {
                  "name": "https://apps.apple.com/us/app/ewelink-smart-home/id1035163158",
                  "refsource": "MISC",
                  "url": "https://apps.apple.com/us/app/ewelink-smart-home/id1035163158"
                },
                {
                  "name": "https://github.com/salgio/eWeLink-QR-Code",
                  "refsource": "MISC",
                  "url": "https://github.com/salgio/eWeLink-QR-Code"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2021-27941",
        "datePublished": "2021-05-06T20:31:53.000Z",
        "dateReserved": "2021-03-03T00:00:00.000Z",
        "dateUpdated": "2024-08-03T21:33:16.407Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-12702 (GCVE-0-2020-12702)

    Vulnerability from cvelistv5 – Published: 2021-02-24 13:58 – Updated: 2024-08-04 12:04
    VLAI
    Summary
    Weak encryption in the Quick Pairing mode in the eWeLink mobile application (Android application V4.9.2 and earlier, iOS application V4.9.1 and earlier) allows physically proximate attackers to eavesdrop on Wi-Fi credentials and other sensitive information by monitoring the Wi-Fi spectrum during the pairing process.
    Severity
    No CVSS data available.
    CWE
    • n/a
    Assigner
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T12:04:22.546Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://play.google.com/store/apps/details?id=com.coolkit\u0026hl=en_US"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://dl.acm.org/doi/abs/10.1145/3411498.3419965"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/salgio/ESPTouchCatcher"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.youtube.com/watch?v=DghYH7WY6iE\u0026feature=youtu.be"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Weak encryption in the Quick Pairing mode in the eWeLink mobile application (Android application V4.9.2 and earlier, iOS application V4.9.1 and earlier) allows physically proximate attackers to eavesdrop on Wi-Fi credentials and other sensitive information by monitoring the Wi-Fi spectrum during the pairing process."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-02-24T13:58:28.000Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://play.google.com/store/apps/details?id=com.coolkit\u0026hl=en_US"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://dl.acm.org/doi/abs/10.1145/3411498.3419965"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/salgio/ESPTouchCatcher"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.youtube.com/watch?v=DghYH7WY6iE\u0026feature=youtu.be"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cve@mitre.org",
              "ID": "CVE-2020-12702",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Weak encryption in the Quick Pairing mode in the eWeLink mobile application (Android application V4.9.2 and earlier, iOS application V4.9.1 and earlier) allows physically proximate attackers to eavesdrop on Wi-Fi credentials and other sensitive information by monitoring the Wi-Fi spectrum during the pairing process."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "n/a"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://play.google.com/store/apps/details?id=com.coolkit\u0026hl=en_US",
                  "refsource": "MISC",
                  "url": "https://play.google.com/store/apps/details?id=com.coolkit\u0026hl=en_US"
                },
                {
                  "name": "https://dl.acm.org/doi/abs/10.1145/3411498.3419965",
                  "refsource": "MISC",
                  "url": "https://dl.acm.org/doi/abs/10.1145/3411498.3419965"
                },
                {
                  "name": "https://github.com/salgio/ESPTouchCatcher",
                  "refsource": "MISC",
                  "url": "https://github.com/salgio/ESPTouchCatcher"
                },
                {
                  "name": "https://www.youtube.com/watch?v=DghYH7WY6iE\u0026feature=youtu.be",
                  "refsource": "MISC",
                  "url": "https://www.youtube.com/watch?v=DghYH7WY6iE\u0026feature=youtu.be"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2020-12702",
        "datePublished": "2021-02-24T13:58:28.000Z",
        "dateReserved": "2020-05-07T00:00:00.000Z",
        "dateUpdated": "2024-08-04T12:04:22.546Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }