CVE-2020-28713

Exploit

EPSS 0.65%
Veröffentlicht 08.06.2021 19:15:07
Zuletzt bearbeitet 21.11.2024 05:23:08
Quelle cve@mitre.org
CVE-Watchlists
Login
Unerledigt
Login

Incorrect access control in push notification service in Night Owl Smart Doorbell FW version 20190505 allows remote users to send push notification events via an exposed PNS server. A remote attacker can passively record push notification events which are sent over an insecure web request. The web service does not authenticate requests, and allows attackers to send an indefinite amount of motion or doorbell events to a user's mobile application by either replaying or deliberately crafting false events.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Nightowlsp ≫ Smart Doorbell Firmware Version20190505

Nightowlsp ≫ Smart Doorbell Version-

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.65%	0.685

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	6.5	2.2	4.2	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H
nvd@nist.gov	5.8	8.6	4.9	AV:N/AC:M/Au:N/C:N/I:P/A:P

CWE-294 Authentication Bypass by Capture-replay

A capture-replay flaw exists when the design of the product makes it possible for a malicious user to sniff network traffic and bypass authentication by replaying it to the server in question to the same effect as the original message (or with minor changes).

https://cloud.binary.ninja/embed/26671c64-6859-48fb-b58e-af35dc982b35

Patch

Vendor Advisory

https://gist.github.com/tj-oconnor/dbfbef4d3b271d53fefbd24e1f0024f0

Third Party Advisory

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2020-28713

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2020-28713

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2020-28713

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2020-28713