Four format string injection vulnerabilities exist in the...
High severity
Unreviewed
Published
Oct 25, 2022
to the GitHub Advisory Database
•
Updated Jan 30, 2023
Description
Published by the National Vulnerability Database
Oct 25, 2022
Published to the GitHub Advisory Database
Oct 25, 2022
Last updated
Jan 30, 2023
Four format string injection vulnerabilities exist in the web interface /action/wirelessConnect functionality of Abode Systems, Inc. iota All-In-One Security Kit 6.9Z and 6.9X. A specially-crafted HTTP request can lead to memory corruption, information disclosure and denial of service. An attacker can make an authenticated HTTP request to trigger these vulnerabilities.This vulnerability arises from format string injection via the
wpapsk_hex
HTTP parameter, as used within the/action/wirelessConnect
handler.References