CVE-2013-6948

CVSS v2.0 7.8 HIGH

7.8^/10

CVSS v2.0 : HIGH

Vector : AV:N/AC:L/Au:N/C:C/I:N/A:N

Exploitability : 10.0 / Impact : 6.9

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact COMPLETE

Integrity Impact NONE

Availability Impact NONE

T

he peerAddresses API in the Belkin WeMo Home Automation firmware before 3949 allows remote attackers to read arbitrary files via an XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.

References

Link	Resource
http://www.ioactive.com/pdfs/IOActive_Belkin-advisory-lite.pdf
http://www.kb.cert.org/vuls/id/656302	US Government Resource
http://www.ioactive.com/pdfs/IOActive_Belkin-advisory-lite.pdf
http://www.kb.cert.org/vuls/id/656302	US Government Resource

Configurations

Configuration 1 (hide)

cpe:2.3:a:belkin:wemo_home_automation_firmware:2769:*:*:*:*:*:*:*

History

21 Nov 2024, 02:00

Type	Values Removed	Values Added
References	~~() http://www.ioactive.com/pdfs/IOActive_Belkin-advisory-lite.pdf -~~	() http://www.ioactive.com/pdfs/IOActive_Belkin-advisory-lite.pdf -
References	~~() http://www.kb.cert.org/vuls/id/656302 - US Government Resource~~	() http://www.kb.cert.org/vuls/id/656302 - US Government Resource

Information

Published : 2014-02-22 21:55

Updated : 2025-04-11 00:51

NVD link : CVE-2013-6948

Mitre link : CVE-2013-6948

CVE.ORG link : CVE-2013-6948

JSON object : View

Products Affected

wemo_home_automation_firmware

CWE

CWE-94

Improper Control of Generation of Code ('Code Injection')

{"id": "CVE-2013-6948", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "[email protected]", "cvssData": {"version": "2.0", "baseScore": 7.8, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:C/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "COMPLETE"}, "acInsufInfo": true, "impactScore": 6.9, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "published": "2014-02-22T21:55:09.203", "references": [{"url": "http://www.ioactive.com/pdfs/IOActive_Belkin-advisory-lite.pdf", "source": "[email protected]"}, {"url": "http://www.kb.cert.org/vuls/id/656302", "tags": ["US Government Resource"], "source": "[email protected]"}, {"url": "http://www.ioactive.com/pdfs/IOActive_Belkin-advisory-lite.pdf", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://www.kb.cert.org/vuls/id/656302", "tags": ["US Government Resource"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Deferred", "weaknesses": [{"type": "Primary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-94"}]}], "descriptions": [{"lang": "en", "value": "The peerAddresses API in the Belkin WeMo Home Automation firmware before 3949 allows remote attackers to read arbitrary files via an XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue."}, {"lang": "es", "value": "La API peerAddresses en la versi\u00f3n de firmware anterior a 3949 de Belkin WeMo Home Automation, permite a los atacantes remotos leer archivos arbitrarios por medio de un documento XML que contiene una declaraci\u00f3n de entidad externa en conjunci\u00f3n con una referencia de entidad, relacionada a un problema de tipo XML External Entity (XXE)."}], "lastModified": "2025-04-11T00:51:21.963", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:belkin:wemo_home_automation_firmware:2769:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "28ACACEF-ADE2-4A54-8F6D-281167EA4A0C"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]"}