How severe is CVE-2018-7298?

This vulnerability has a severity rating of HIGH with a CVSS score of 8.1 out of 10.

What type of vulnerability is CVE-2018-7298?

This is classified as CWE-319, which is a common weakness in software security.

CVE-2018-7298 - HIGH Severity | CVSS 8.1

Vulnerability Description

In /usr/local/etc/config/addons/mh/loopupd.sh on eQ-3 AG HomeMatic CCU2 2.29.22 devices, software update packages are downloaded via the HTTP protocol, which does not provide any cryptographic protection of the downloaded contents. An attacker with a privileged network position (which could be obtained via DNS spoofing of www.meine-homematic.de or other approaches) can exploit this issue in order to provide arbitrary malicious firmware updates to the CCU2. This can result in a full system compromise.

Related Vulnerabilities

CVE-2017-1694

HIGH

CVSS:8.1(High)

IBM Integration Bus 9.0 and 10.0 transmits user credentials in plain in clear text which can be read by an attacker using man in the middle techniques. IBM X-Force ID: 134165.

CWE-3192017

CVE-2017-6432

HIGH

CVSS:8.1(High)

An issue was discovered on Dahua DHI-HCVR7216A-S3 3.210.0001.10 build 2016-06-06 devices. The Dahua DVR Protocol, which operates on TCP Port 37777, is an unencrypted, binary protocol. Performing a Man...

CWE-3192017

CVE-2018-13140

HIGH

CVSS:8.1(High)

Druide Antidote through 9.5.1 on Windows and Linux allows remote code execution through the update mechanism by leveraging use of HTTP to download installation packages.

CWE-3192018

CVE-2018-1360

HIGH

CVSS:8.1(High)

A cleartext transmission of sensitive information vulnerability in Fortinet FortiManager 5.2.0 through 5.2.7, 5.4.0 and 5.4.1 may allow an unauthenticated attacker in a man in the middle position to r...

CWE-3192018

CVE-2018-15752

HIGH

CVSS:8.1(High)

An issue was discovered in the MensaMax (aka com.breustedt.mensamax) application 4.3 for Android. Cleartext Transmission of Sensitive Information allows man-in-the-middle attackers to eavesdrop authen...

CWE-3192018

CVE-2018-8929

HIGH

CVSS:8.1(High)

Improper restriction of communication channel to intended endpoints vulnerability in HTTP daemon in Synology SSL VPN Client before 1.2.4-0224 allows remote attackers to conduct man-in-the-middle attac...

CWE-3192018