HomeAutomation v3.3.2 CSRF Add Admin Vulnerability (CVE-2020-21989)

Vulnerability Key Information Title: HomeAutomation v3.3.2 CSRF Add Admin Exploit Advisory ID: ZSL-2019-5558 Type: Local/Remote Impact: Cross-Site Scripting Risk: (3/5) Release Date: 29.12.2019 Summary HomeAutomation is an open-source web interface and scheduling solution. Originally designed for Tellstick, it now operates on a plugin system and supports Crestron, OWFS, and Z-Wave (via OpenZWave). It uses an advanced scheduling system to control devices (switches, dimmers, etc.), taking into account measurements from various sensors. Through a house floor plan view, users can easily monitor device statuses. Description The application interface allows users to perform certain actions via HTTP requests without any validation checks to verify the requests. If an authenticated user visits a malicious website, this can be exploited to perform certain actions with administrative privileges. Vendor Tom Rosenback and Daniel Malmgren - Affected Version 3.3.2 Tested On Apache/2.4.41 (centos) OpenSSL/1.0.2k-fips Apache/2.4.29 (Ubuntu) PHP/7.4.0RC4 PHP/7.3.11 PHP 7.2.24-0ubuntu0.18.04.1 Vendor Status [06.11.2019] Vulnerability discovered. [07.11.2019] Vendor contacted. [29.11.2019] No response from vendor. [30.11.2019] Vendor contacted again. [28.12.2019] No response from vendor. [29.12.2019] Public security advisory released. PoC homeautomation_csrf.txt Credits Vulnerability discovered by Gjoko Krstic - References [1] [2] [3] [4] [5] [6] [7] Changelog [29.12.2019] - Initial release [24.01.2020] - Added references [1], [2], [3], and [4] [19.06.2021] - Added references [5], [6], and [7]

Goal Reached Thanks to every supporter — we hit 100%!

HomeAutomation v3.3.2 CSRF Add Admin Vulnerability (CVE-2020-21989)