CVE-2013-4863

EPSS 12.2%

The HomeAutomationGateway service in MiCasaVerde VeraLite with firmware 1.5.408 allows (1) remote attackers to execute arbitrary Lua code via a RunLua action in a request to upnp/control/hag on port 49451 or (2) remote authenticated users to execute arbitrary Lua code via a RunLua action in a request to port_49451/upnp/control/hag.

Affected products

n/a · n/a

public PoCs found — 4

cve_referencepacketstormsecurity.com/files/122654/MiCasaVerde-VeraLite-1.5.408-Traversal-Authorization-CSRF-Disclosure.htmlunverified cve_referencewww.exploit-db.com/exploits/27286unverified exploitdbwww.exploit-db.com/exploits/40589unverified exploitdbwww.exploit-db.com/exploits/27286unverified

⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

http://packetstormsecurity.com/files/122654/MiCasaVerde-VeraLite-1.5.408-Traversal-Authorization-CSRF-Disclosure.html https://www3.trustwave.com/spiderlabs/advisories/TWSL2013-019.txt http://www.exploit-db.com/exploits/27286