Security Advisory – Sharing unnecessary device-sensitive information allows Secondary user able to take over devices as primary user
Title | Security Advisory – Sharing unnecessary device-sensitive information allows Secondary user able to take over devices as primary user |
---|---|
Release Date | 2024/7/30 |
Abstract | When a device is shared, the homepage module before 2.19.0 in eWeLink Cloud Service allows a secondary user to take over devices as the primary user via sharing of unnecessary device-sensitive information. CVE ID: CVE-2024-7205 |
Affected Product | eWeLink Cloud Service homepage module |
Affected Version | From 2.0.0 to 2.19.0 |
Impact | By exploiting this vulnerability, a secondary user is able to take over devices as the primary user. |
Technical Details | Exploitation Preconditions: The primary user shares the device with the secondary user. Technical Details: After the primary user shares the device with the secondary user, the secondary user can obtain all the device information through the cloud interface. This includes the device information shared by the primary user, which contains unnecessary key information, so the secondary user can add the primary user's device to their own account. |
Resolution | The issue has been fixed in the newly released cloud version, and users do not need to do anything. |
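
The over-sharing described under Technical Details, shown as an added example that is not eWeLink's code or its actual fix: a device-detail handler that returns the stored record to any user with access, next to one that serializes from a per-role allowlist, plus a regression check for leaked fields. All field names, the record layout and the function names are hypothetical, and the sample record is constructed.

```python
from copy import deepcopy

# Constructed sample record, as a cloud backend might store it (hypothetical layout).
DEVICE = {
    "device_id": "dev-0001",
    "name": "Living room plug",
    "online": True,
    "state": {"switch": "on"},
    "owner": "alice",
    "shared_with": ["bob"],
    "device_secret": "CONSTRUCTED-SECRET",  # material that allows binding the device
    "pairing_token": "CONSTRUCTED-TOKEN",
}

# Per-role allowlists: a field that is not listed is never serialized.
VIEW_FIELDS = {
    "owner": {"device_id", "name", "online", "state", "shared_with"},
    "shared": {"device_id", "name", "online", "state"},
}

def role_of(device, user):
    """Return 'owner', 'shared', or None when the user has no access."""
    if user == device["owner"]:
        return "owner"
    if user in device["shared_with"]:
        return "shared"
    return None

def vulnerable_view(device, user):
    """Before: every user with access receives the full stored record."""
    if role_of(device, user) is None:
        raise PermissionError(user)
    return deepcopy(device)

def hardened_view(device, user):
    """After: the response is built only from the caller's role allowlist."""
    role = role_of(device, user)
    if role is None:
        raise PermissionError(user)
    return {k: deepcopy(v) for k, v in device.items() if k in VIEW_FIELDS[role]}

def leaked_fields(view, role):
    """Regression check: fields present in a response that the role must not see."""
    return sorted(set(view) - VIEW_FIELDS[role])
```

Running `leaked_fields` against recorded responses for a shared-user account in an API test suite flags any new field that reaches secondary users without being added to the allowlist deliberately.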