CVE-2019-25233
Description
AVE DOMINAplus 1.10.x contains cross-site request forgery and cross-site scripting vulnerabilities that allow attackers to perform administrative actions without user consent. Attackers can craft malicious web pages to exploit login.php parameters and execute arbitrary scripts in user browser sessions.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
AVE DOMINAplus 1.10.x is vulnerable to CSRF and XSS, allowing attackers to perform administrative actions and execute arbitrary scripts without user consent.
CVE-2019-25233 describes a combination of cross-site request forgery (CSRF) and cross-site scripting (XSS) vulnerabilities in AVE DOMINAplus home automation systems running version 1.10.x [1]. The root cause is insufficient validation of user-supplied input in the login.php and other administrative endpoints, which fail to enforce anti-CSRF tokens or properly sanitize output [1][3]. This allows an attacker to craft a malicious webpage that, when visited by an authenticated administrator, performs unauthorized actions on the DOMINAplus web server (model 53AB-WBS) [3].
Exploitation requires the target user to have an active session on the DOMINAplus interface and to be tricked into clicking a crafted link or visiting a malicious page [1][3]. No special network access is needed beyond the attacker being able to deliver the payload (e.g., via email or a compromised site). The attack leverages the lack of origin validation in form submissions, enabling actions like enabling or disabling the alarm system, modifying device states, or executing stored XSS payloads [3].
Successful exploitation can allow an attacker to change critical home automation settings (e.g., security alarms, lights, locks) and execute arbitrary JavaScript in the context of the victim's browser session [1][3]. This may lead to persistent manipulation of the smart home environment, data theft, or further compromise as the XSS can be used to capture credentials or perform subsequent attacks without the user's knowledge [3].
At the time of publication, the vendor AVE S.p.A. had not released a patch for versions 1.10.x; the vulnerability was publicly disclosed under ZSL-2019-5547 [1][3]. Users are advised to implement network-level protections (e.g., strict firewall rules preventing the web interface from being exposed to the internet) and to ensure the management interface is only accessible from trusted networks. No official fix has been confirmed, and the affected product lines may remain vulnerable if still in use [1][3][4].
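As an added illustration that is not the vendor's code nor part of this record, the handler below models how a login-style endpoint would close the two gaps the narrative describes: it refuses form submissions whose Origin/Referer do not match the interface's own origin, requires a per-session synchronizer token, and HTML-escapes any parameter it reflects. The request/session shapes, the field name `csrf_token` and the origin `https://dominaplus.local` are assumptions for the example.

```python
"""Hardened handling for a login-style form (illustration only; the
request/session shape and the trusted origin are assumptions)."""
import hmac
import secrets
from html import escape
from urllib.parse import urlsplit

# Origin the management interface is served from (assumed value).
TRUSTED_ORIGIN = "https://dominaplus.local"
TOKEN_FIELD = "csrf_token"


def new_session() -> dict:
    """Create a session carrying a fresh per-session synchronizer token."""
    return {"csrf_token": secrets.token_urlsafe(32), "user": None}


def same_origin(headers: dict) -> bool:
    """Origin (falling back to Referer) must equal the interface's own
    origin; a request carrying neither header is treated as cross-site."""
    src = headers.get("Origin") or headers.get("Referer")
    if not src:
        return False
    parts = urlsplit(src)
    return f"{parts.scheme}://{parts.netloc}" == TRUSTED_ORIGIN


def valid_token(form: dict, session: dict) -> bool:
    """Constant-time comparison of the submitted token with the session's."""
    submitted = form.get(TOKEN_FIELD, "")
    return hmac.compare_digest(submitted, session["csrf_token"])


def handle_login(headers: dict, form: dict, session: dict) -> tuple:
    """Return (status, html_body). State changes are refused unless both
    the origin check and the token check pass; reflected input is escaped."""
    if not same_origin(headers):
        return 403, "<p>Cross-site request refused.</p>"
    if not valid_token(form, session):
        return 403, "<p>Missing or invalid anti-CSRF token.</p>"
    user = form.get("user", "")
    session["user"] = user
    # Reflecting the parameter unescaped is what enables reflected XSS;
    # escape() turns any markup in it into inert text.
    return 200, f"<p>Welcome, {escape(user, quote=True)}</p>"
```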
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
- Range: =1.10.x
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (4)
News mentions (0)
No linked articles in our index yet.