CVE-2020-21998
Published: 2021-04-27
Priority: P3 (35) | CVSS 3.1: 6.1 (medium) | Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | Exploit available
EPSS: 1.32% (67.3rd percentile)
In HomeAutomation 3.3.2 input passed via the 'redirect' GET parameter in 'api.php' script is not properly verified before being used to redirect users. This can be exploited to redirect a user to an arbitrary website e.g. when a user clicks a specially crafted link to the affected script hosted on a trusted domain.
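The defensive counterpart of the flaw described above, as an added example that is not HomeAutomation's own code: a Python check that a handler like api.php would apply to the 'redirect' parameter before emitting a Location header, accepting only same-site paths (or an explicitly allowed host) and rejecting the protocol-relative, backslash and control-character forms browsers resolve to another origin. ALLOWED_HOSTS and the sample inputs are assumptions.

```python
from urllib.parse import urlsplit, urlunsplit

# Hypothetical allow-list of external hosts a redirect may legitimately target.
ALLOWED_HOSTS = frozenset({"portal.example"})


def safe_redirect_target(raw, fallback="/", allowed_hosts=ALLOWED_HOSTS):
    """Return a redirect target derived from `raw` that stays on this site
    (or on an explicitly allowed host); otherwise return `fallback`.

    Rejects scheme-bearing URLs to unknown hosts (https://evil.example,
    javascript:...), protocol-relative forms (//evil.example, ///evil.example),
    backslash variants (/\\evil.example) that browsers normalise to a host,
    and control characters that browsers strip before parsing.
    """
    if not isinstance(raw, str):
        return fallback
    target = raw.strip()
    if not target or any(ord(c) < 0x20 or ord(c) == 0x7F for c in target):
        return fallback
    # Browsers treat '\' as '/' in http(s) URLs, so normalise before deciding.
    normalised = target.replace("\\", "/")
    if normalised.startswith("//"):
        return fallback          # //host and ///host are protocol-relative: external
    parts = urlsplit(normalised)
    if parts.scheme or parts.netloc:
        # Absolute URL: only http(s) to an explicitly allowed host passes.
        host = (parts.hostname or "").lower()
        if parts.scheme in ("http", "https") and host in allowed_hosts:
            return normalised
        return fallback
    if not parts.path.startswith("/"):
        return fallback          # relative paths are ambiguous; require '/...'
    # Re-emit path/query/fragment only, so no authority can sneak back in.
    return urlunsplit(("", "", parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    # Constructed sample inputs, as they might arrive in ?redirect=...
    for sample in ["/dashboard?tab=1", "//evil.example", "/\\evil.example",
                   "///evil.example", "https://evil.example/", "javascript:alert(1)",
                   "https://portal.example/login", "/\t/evil.example", "dashboard"]:
        print(f"{sample!r:32} -> {safe_redirect_target(sample)!r}")
```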
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| homeautomation_project | homeautomation | — | — |
CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | v3.1 | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| NVD | v2.0 | 5.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:N |
No detection rules found.
Nuclei

CVE-2020-21998 [MEDIUM] HomeAutomation 3.3.2 - Open Redirect (nuclei, CVSS 6.1)

HomeAutomation 3.3.2 contains a redirect vulnerability caused by improper verification of the 'redirect' GET parameter in 'api.php', letting attackers redirect users to arbitrary websites; exploitation requires user interaction with a crafted link.
Template:

```yaml
id: CVE-2020-21998

info:
  name: HomeAutomation 3.3.2 - Open Redirect
  author: 0x_Akoko
  severity: medium
  description: |
    HomeAutomation 3.3.2 contains a redirect vulnerability caused by improper verification of the 'redirect' GET parameter in 'api.php', letting attackers redirect users to arbitrary websites, exploit requires user interaction with a crafted link.
  impact: |
    Attackers can redirect users to malicious external websites through crafted links, potentially facilitating phishing attacks or malwar
```