CVE-2024-50381: Missing Authentication for Critical Function in Snap One OVRC cloud
First published: Mon Dec 02 2024(Updated: )
A vulnerability exists in Snap One OVRC cloud where an attacker can impersonate a Hub device and send requests to claim and unclaim devices. The attacker only needs to provide the MAC address of the targeted device and can make a request to unclaim it from its original connection and make a request to claim it.
Credit: ics-cert@hq.dhs.gov
Remedy
Snap One has released the following updates/fixes for the affected products: * OvrC Pro v7.2 has been automatically pushed out to devices to update via OvrC cloud. * OvrC Pro v7.3 has been automatically pushed out to devices to update via OvrC cloud. * Disable UPnP. For more information, see Snap One’s Release Notes https://www.control4.com/docs/product/ovrc-software/release-notes/english/latest/ovrc-software-release-notes-rev-p.pdf .
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
- collector/mitre-cve
- source/MITRE
- agent/remedy
- agent/weakness
- agent/title
- agent/references
- agent/type
- agent/description
- agent/first-publish-date
- collector/nvd-api
- source/NVD
- agent/last-modified-date
- agent/severity
- agent/author
- agent/tags
- agent/event