Heatmiser Wifi Thermostat 1.7 Cross-Site Request Forgery

Heatmiser Wifi Thermostat 1.7 contains a cross-site request forgery vulnerability that allows attackers to change administrator credentials by tricking authenticated users into submitting malicious requests. Attackers can craft HTML forms targeting the networkSetup.htm endpoint with parameters usnm, usps, and cfps to modify the admin username and password without user consent.

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

跨站请求伪造(CSRF)

Heatmiser Wifi Thermostat 跨站请求伪造漏洞

Heatmiser Wifi Thermostat是英国Heatmiser公司的一款支持无线连接与远程控制的智能温控设备。 Heatmiser Wifi Thermostat 1.7版本存在跨站请求伪造漏洞，该漏洞源于对networkSetup.htm端点的请求验证不足，可能导致跨站请求伪造攻击。

N/A

N/A