5.6

CVE-2019-12820

EPSS 0.17%
Veröffentlicht 19.07.2019 18:15:11
Zuletzt bearbeitet 21.11.2024 04:23:39
Quelle cve@mitre.org
CVE-Watchlists
Login
Unerledigt
Login

A vulnerability was found in the app 2.0 of the Shenzhen Jisiwei i3 robot vacuum cleaner. Actions performed on the app such as changing a password, and personal information it communicates with the server, use unencrypted HTTP. As an example, while logging in through the app to a Jisiwei account, the login request is being sent in cleartext. The vulnerability exists in both the Android and iOS version of the app. An attacker could exploit this by using an MiTM attack on the local network to obtain someone's login credentials, which gives them full access to the robot vacuum cleaner.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 4

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Jisiwei ≫ I3 Firmware Version2.0

Jisiwei ≫ I3 Version-

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.17%	0.382

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	5.6	2.2	3.4	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
nvd@nist.gov	4.3	8.6	2.9	AV:N/AC:M/Au:N/C:P/I:N/A:N

CWE-319 Cleartext Transmission of Sensitive Information

The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.

https://www.kth.se/polopoly_fs/1.914058.1561621210%21/Olsson_Larsson-Forsberg_vacuum.pdf

https://nvd.nist.gov/vuln/detail/CVE-2019-12820

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2019-12820

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2019-12820

EUVD