CVE-2019-18938
First published: Thu Nov 14 2019(Updated: )
eQ-3 Homematic CCU2 2.47.20 and CCU3 3.47.18 with the E-Mail AddOn through 1.6.8.c installed allow Remote Code Execution by unauthenticated attackers with access to the web interface via the save.cgi script for payload upload and the testtcl.cgi script for its execution.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Hm Email Project Hm Email | =1.6.8c | |
| eQ-3 Homematic CCU2 | ||
| eQ-3 HomeMatic CCU2 firmware | =2.24.20 | |
| eQ-3 HomeMatic CCU3 | ||
| eQ-3 HomeMatic CCU3 firmware | =3.47.18 | |
| Hm Email Project Hm Email | =1.6.8b | |
| Hm Email Project Hm Email | =1.6.8a | |
| Hm Email Project Hm Email | =1.6.7c | |
| Hm Email Project Hm Email | =1.6.7b | |
| Hm Email Project Hm Email | =1.6.7a | |
| Hm Email Project Hm Email | =1.6.7 | |
| Hm Email Project Hm Email | =1.6.6 | |
| Hm Email Project Hm Email | =1.6.5 | |
| Hm Email Project Hm Email | =1.6.4 | |
| Hm Email Project Hm Email | =1.6.3 | |
| Hm Email Project Hm Email | =1.6.2 | |
| Hm Email Project Hm Email | =1.6.0 | |
| Hm Email Project Hm Email | =1.6.8 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2019-18938?
CVE-2019-18938 is a vulnerability that allows remote code execution on eQ-3 Homematic CCU2 and CCU3 with the E-Mail AddOn installed.
What is the severity of CVE-2019-18938?
CVE-2019-18938 has a severity rating of 9.8 (critical).
How does CVE-2019-18938 work?
CVE-2019-18938 allows unauthenticated attackers with access to the web interface to upload payload via the save.cgi script and execute it using the testtcl.cgi script.
Which software versions are affected by CVE-2019-18938?
eQ-3 Homematic CCU2 2.47.20 and CCU3 3.47.18 with the E-Mail AddOn through 1.6.8.c installed are affected by CVE-2019-18938.
How can I fix CVE-2019-18938?
To fix CVE-2019-18938, update the eQ-3 Homematic CCU2 and CCU3 firmware to versions that are not vulnerable, and ensure that the E-Mail AddOn is updated to a version that addresses the vulnerability.
- collector/nvd-index
- agent/author
- agent/severity
- agent/weakness
- agent/references
- agent/last-modified-date
- agent/softwarecombine
- agent/first-publish-date
- agent/description
- agent/event
- agent/type
- agent/tags
- collector/mitre-cve
- source/MITRE
- vendor/hm email project
- canonical/hm email project hm email
- version/hm email project hm email/1.6.8c
- vendor/eq-3
- canonical/eq-3 homematic ccu2
- canonical/eq-3 homematic ccu2 firmware
- version/eq-3 homematic ccu2 firmware/2.24.20
- canonical/eq-3 homematic ccu3
- canonical/eq-3 homematic ccu3 firmware
- version/eq-3 homematic ccu3 firmware/3.47.18
- version/hm email project hm email/1.6.8b
- version/hm email project hm email/1.6.8a
- version/hm email project hm email/1.6.7c
- version/hm email project hm email/1.6.7b
- version/hm email project hm email/1.6.7a
- version/hm email project hm email/1.6.7
- version/hm email project hm email/1.6.6
- version/hm email project hm email/1.6.5
- version/hm email project hm email/1.6.4
- version/hm email project hm email/1.6.3
- version/hm email project hm email/1.6.2
- version/hm email project hm email/1.6.0
- version/hm email project hm email/1.6.8