VAR-202407-2627
Vulnerability from variot - Updated: 2025-11-18 14:38An issue was discovered in Siime Eye 14.1.00000001.3.330.0.0.3.14. There is no CSRF protection. Svakom of Siime Eye A cross-site request forgery vulnerability exists in firmware.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state.
[Additional Information] The default settings make this attack theoretical rather than practical.
A lot of interaction takes place between the application and the end user. For correct functioning, it is important to verify that requests coming from the user actually represent the user's intention. The application must therefore be able to distinguish forged requests from legitimate ones. Currently no measures against Cross-Site Request Forgery have been implemented and therefore users can be tricked into submitting requests without their knowledge or consent. From the application's point of view, these requests are legitimate requests from the user and they will be processed as such. This can result in the creation of additional (administrative) user accounts, without the user’s knowledge or consent.
In order to execute a CSRF attack, a user must be tricked into visiting an attacker controlled page, using the same browser that is authenticated to the Siime Eye. As mostly the Hotspot from Siime Eye will be used, users are unlikely to (be able to) access such pages simultaneously.
[Vulnerability Type] Cross Site Request Forgery (CSRF)
[Vendor of Product] Svakom
[Affected Product Code Base] Siime Eye - 14.1.00000001.3.330.0.0.3.14
[Affected Component] Siime Eye, web interface
[Attack Type] Context-dependent
[Impact Escalation of Privileges] true
[CVE Impact Other] Full device compromise.
[Reference] N/A
[Has vendor confirmed or acknowledged the vulnerability?] true
[Discoverer] Willem Westerhof, Jasper Nota, Edwin Gozeling from Qbit in assignment of the Consumentenbond. Use CVE-2020-11919
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-202407-2627",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "siime eye",
"scope": "eq",
"trust": 1.0,
"vendor": "svakom",
"version": "14.1.00000001.3.330.0.0.3.14"
},
{
"model": "siime eye",
"scope": null,
"trust": 0.8,
"vendor": "svakom",
"version": null
},
{
"model": "siime eye",
"scope": "eq",
"trust": 0.8,
"vendor": "svakom",
"version": "siime eye firmware 14.1.00000001.3.330.0.0.3.14"
},
{
"model": "siime eye",
"scope": "eq",
"trust": 0.8,
"vendor": "svakom",
"version": null
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2020-018371"
},
{
"db": "NVD",
"id": "CVE-2020-11919"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Willem Westerhof | Secura",
"sources": [
{
"db": "OTHER",
"id": null
}
],
"trust": 0.1
},
"cve": "CVE-2020-11919",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "ADJACENT",
"author": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"availabilityImpact": "HIGH",
"baseScore": 8.0,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 2.1,
"id": "CVE-2020-11919",
"impactScore": 5.9,
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
{
"attackComplexity": "Low",
"attackVector": "Adjacent Network",
"author": "OTHER",
"availabilityImpact": "High",
"baseScore": 8.0,
"baseSeverity": "High",
"confidentialityImpact": "High",
"exploitabilityScore": null,
"id": "JVNDB-2020-018371",
"impactScore": null,
"integrityImpact": "High",
"privilegesRequired": "None",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "Required",
"vectorString": "CVSS:3.0/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.0"
}
],
"severity": [
{
"author": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"id": "CVE-2020-11919",
"trust": 1.0,
"value": "HIGH"
},
{
"author": "OTHER",
"id": "JVNDB-2020-018371",
"trust": 0.8,
"value": "High"
}
]
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2020-018371"
},
{
"db": "NVD",
"id": "CVE-2020-11919"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "An issue was discovered in Siime Eye 14.1.00000001.3.330.0.0.3.14. There is no CSRF protection. Svakom of Siime Eye A cross-site request forgery vulnerability exists in firmware.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. \n\n------------------------------------------\n\n[Additional Information]\nThe default settings make this attack theoretical rather than practical. \n\n\nA lot of interaction takes place between the application and the end\nuser. For correct functioning, it is important to verify that requests\ncoming from the user actually represent the user\u0027s intention. The\napplication must therefore be able to distinguish forged requests from\nlegitimate ones. Currently no measures against Cross-Site Request\nForgery have been implemented and therefore users can be tricked into\nsubmitting requests without their knowledge or consent. From the\napplication\u0027s point of view, these requests are legitimate requests\nfrom the user and they will be processed as such. This can result in\nthe creation of additional (administrative) user accounts, without the\nuser\u00e2\u20ac\u2122s knowledge or consent. \n\nIn order to execute a CSRF attack, a user must be tricked into visiting\nan attacker controlled page, using the same browser that is\nauthenticated to the Siime Eye. As mostly the Hotspot from Siime Eye\nwill be used, users are unlikely to (be able to) access such pages\nsimultaneously. \n\n------------------------------------------\n\n[Vulnerability Type]\nCross Site Request Forgery (CSRF)\n\n------------------------------------------\n\n[Vendor of Product]\nSvakom\n\n------------------------------------------\n\n[Affected Product Code Base]\nSiime Eye - 14.1.00000001.3.330.0.0.3.14\n\n------------------------------------------\n\n[Affected Component]\nSiime Eye, web interface\n\n------------------------------------------\n\n[Attack Type]\nContext-dependent\n\n------------------------------------------\n\n[Impact Escalation of Privileges]\ntrue\n\n------------------------------------------\n\n[CVE Impact Other]\nFull device compromise. \n\n------------------------------------------\n\n[Reference]\nN/A\n\n------------------------------------------\n\n[Has vendor confirmed or acknowledged the vulnerability?]\ntrue\n\n------------------------------------------\n\n[Discoverer]\nWillem Westerhof, Jasper Nota, Edwin Gozeling from Qbit in assignment of the Consumentenbond. \nUse CVE-2020-11919",
"sources": [
{
"db": "NVD",
"id": "CVE-2020-11919"
},
{
"db": "JVNDB",
"id": "JVNDB-2020-018371"
},
{
"db": "PACKETSTORM",
"id": "179798"
}
],
"trust": 1.71
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2020-11919",
"trust": 2.8
},
{
"db": "JVNDB",
"id": "JVNDB-2020-018371",
"trust": 0.8
},
{
"db": "OTHER",
"id": "NONE",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "179798",
"trust": 0.1
}
],
"sources": [
{
"db": "OTHER",
"id": null
},
{
"db": "PACKETSTORM",
"id": "179798"
},
{
"db": "JVNDB",
"id": "JVNDB-2020-018371"
},
{
"db": "NVD",
"id": "CVE-2020-11919"
}
]
},
"id": "VAR-202407-2627",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "OTHER",
"id": null
}
],
"trust": 0.01
},
"last_update_date": "2025-11-18T14:38:22.963000Z",
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-352",
"trust": 1.0
},
{
"problemtype": "Cross-site request forgery (CWE-352) [ others ]",
"trust": 0.8
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2020-018371"
},
{
"db": "NVD",
"id": "CVE-2020-11919"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 2.8,
"url": "https://seclists.org/fulldisclosure/2024/jul/14"
},
{
"trust": 0.9,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-11919"
}
],
"sources": [
{
"db": "PACKETSTORM",
"id": "179798"
},
{
"db": "JVNDB",
"id": "JVNDB-2020-018371"
},
{
"db": "NVD",
"id": "CVE-2020-11919"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "OTHER",
"id": null
},
{
"db": "PACKETSTORM",
"id": "179798"
},
{
"db": "JVNDB",
"id": "JVNDB-2020-018371"
},
{
"db": "NVD",
"id": "CVE-2020-11919"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2024-07-26T13:11:06",
"db": "OTHER",
"id": null
},
{
"date": "2024-07-30T12:35:43",
"db": "PACKETSTORM",
"id": "179798"
},
{
"date": "2025-04-25T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2020-018371"
},
{
"date": "2024-11-07T18:15:15.517000",
"db": "NVD",
"id": "CVE-2020-11919"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2025-04-25T01:41:00",
"db": "JVNDB",
"id": "JVNDB-2020-018371"
},
{
"date": "2025-11-04T18:15:38.760000",
"db": "NVD",
"id": "CVE-2020-11919"
}
]
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Svakom\u00a0 of \u00a0Siime\u00a0Eye\u00a0 Cross-site request forgery vulnerability in firmware",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2020-018371"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "csrf",
"sources": [
{
"db": "PACKETSTORM",
"id": "179798"
}
],
"trust": 0.1
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…