← back
CVE-2024-7205

sharing unnecessary device-sensitive information allows Secondary user able to take over devices as primary user

CVSS 9.4 CRITICALEPSS 0.5%CWE-201
Vexday Risk Score
28Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 9.4EPSS 0.5%KEV nãoPoC Patch
Lifecycle
31 Jul 2024Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
When the device is shared, the homepage module are before 2.19.0  in eWeLink Cloud Service allows Secondary user to take over devices as primary user via sharing unnecessary device-sensitive information.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/S:P/AU:N/R:U/V:D/RE:L/U:Green
Affected products
CoolKit · eWeLink Cloud Service

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://ewelink.cc/security-advisory-240730/