CVE-2020-11015 Information

Description

A vulnerability has been disclosed in thinx-device-api IoT Device Management Server before version 2.5.0.\nDevice MAC address can be spoofed. This means initial registration requests without UDID and spoofed MAC\naddress may pass to create new UDID with same MAC address. Full impact needs to be reviewed further. Applies\nto all (mostly ESP8266/ESP32) users.\n\nThis has been fixed in firmware version 2.5.0.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Reference

https://github.com/suculent/thinx-device-api/security/advisories/GHSA-5x54-39xq-cwvc

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

NONE

Confidentiality Impact

UNCHANGED

Integrity Impact

HIGH

Availability Impact

HIGH

Base Score

NONE

Base Severity

9.1