Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
N/A
Vulnerability Description
Cross-Site Request Forgery (CSRF) vulnerability in the OAuth implementation of the Tuya SDK 6.5.0 for Android and iOS, affects the Tuya Smart and Smartlife mobile applications, as well as other third-party applications that integrate the SDK, allows an attacker to link their own Amazon Alexa account to a victim's Tuya account. The applications fail to validate the OAuth state parameter during the account linking flow, enabling a cross-site request forgery (CSRF)-like attack. By tricking the victim into clicking a crafted authorization link, an attacker can complete the OAuth flow on the victim's behalf, resulting in unauthorized Alexa access to the victim's Tuya-connected devices. This affects users regardless of prior Alexa linkage and does not require the Tuya application to be active at the time. Successful exploitation may allow remote control of devices such as cameras, doorbells, door locks, or alarms.
CVSS Information
N/A
Vulnerability Type
N/A
Vulnerability Title
Tuya多款产品 安全漏洞
Vulnerability Description
Tuya Android SDK等都是中国涂鸦(Tuya)公司的产品。Tuya Android SDK是一个软件开发工具包。Tuya iOS SDK是一个软件开发工具包。Tuya Smart App是一个智能APP。 Tuya多款产品存在安全漏洞,该漏洞源于OAuth实现中未验证state参数,可能导致跨站请求伪造攻击。以下产品受到影响:Tuya Android SDK、Tuya iOS SDK、Tuya Smart和Tuya Smartlife。
CVSS Information
N/A
Vulnerability Type
N/A