SmartThings
CVEs (40)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2018-3918 | Hig | 0.49 | 7.5 | 0.01 | Aug 27, 2018 | An exploitable vulnerability exists in the remote servers of Samsung SmartThings Hub STH-ETH-250 - Firmware version 0.20.17. The hubCore process listens on port 39500 and relays any unauthenticated messages to SmartThings' remote servers, which incorrectly handle camera IDs for… | ||
| CVE-2024-34596 | Med | 0.38 | 5.9 | 0.00 | Jul 2, 2024 | Improper authentication in SmartThings prior to version 1.8.17 allows remote attackers to bypass the expiration date for members set by the owner. | ||
| CVE-2024-20852 | Med | 0.38 | 5.9 | 0.00 | Apr 2, 2024 | Improper verification of intent by broadcast receiver vulnerability in SmartThings prior to version 1.8.13.22 allows local attackers to access testing configuration. | ||
| CVE-2022-30747 | Med | 0.36 | 5.5 | 0.00 | Jun 7, 2022 | PendingIntent hijacking vulnerability in Smart Things prior to 1.7.85.25 allows local attackers to access files without permission via implicit Intent. | ||
| CVE-2021-25508 | Med | 0.35 | 5.3 | 0.01 | Nov 5, 2021 | Improper privilege management vulnerability in API Key used in SmartThings prior to 1.7.73.22 allows an attacker to abuse the API key without limitation. | ||
| CVE-2021-25447 | Med | 0.35 | 5.3 | 0.01 | Aug 5, 2021 | Improper access control vulnerability in SmartThings prior to version 1.7.67.25 allows untrusted applications to cause local file inclusion in webview. | ||
| CVE-2021-25446 | Med | 0.35 | 5.3 | 0.01 | Aug 5, 2021 | Improper access control vulnerability in SmartThings prior to version 1.7.67.25 allows untrusted applications to cause arbitrary webpage loading in webview. | ||
| CVE-2021-25378 | Med | 0.28 | 4.3 | 0.01 | Apr 9, 2021 | Improper access control of certain port in SmartThings prior to version 1.7.63.6 allows remote temporary denial of service. | ||
| CVE-2023-21432 | Med | 0.27 | 4.2 | 0.00 | Feb 9, 2023 | Improper access control vulnerabilities in Smart Things prior to 1.7.93 allows to attacker to invite others without authorization of the owner. | ||
| CVE-2024-49416 | Med | 0.26 | 4.0 | 0.00 | Dec 3, 2024 | Use of implicit intent for sensitive communication in SmartThings prior to version 1.8.21 allows local attackers to get sensitive information. | ||
| CVE-2022-39871 | Med | 0.26 | 4.0 | 0.00 | Oct 7, 2022 | Improper access control vulnerability cloudNotificationManager.java in SmartThings prior to version 1.7.89.0 allows attackers to access sensitive information via implicit broadcasts. | ||
| CVE-2022-39870 | Med | 0.26 | 4.0 | 0.00 | Oct 7, 2022 | Improper access control vulnerability in cloudNotificationManager.java SmartThings prior to version 1.7.89.0 allows attackers to access sensitive information via PUSH_MESSAGE_RECEIVED broadcast. | ||
| CVE-2022-39869 | Med | 0.26 | 4.0 | 0.00 | Oct 7, 2022 | Improper access control vulnerability in cloudNotificationManager.java SmartThings prior to version 1.7.89.0 allows attackers to access sensitive information via REMOVE_PERSISTENT_BANNER broadcast. | ||
| CVE-2022-39868 | Med | 0.26 | 4.0 | 0.00 | Oct 7, 2022 | Improper access control vulnerability in GedSamsungAccount.kt SmartThings prior to version 1.7.89.0 allows attackers to access sensitive information via implicit broadcast. | ||
| CVE-2022-39867 | Med | 0.26 | 4.0 | 0.00 | Oct 7, 2022 | Improper access control vulnerability in cloudNotificationManager.java SmartThings prior to version 1.7.89.0 allows attackers to access sensitive information via SHOW_PERSISTENT_BANNER broadcast. | ||
| CVE-2022-39866 | Med | 0.26 | 4.0 | 0.00 | Oct 7, 2022 | Improper access control vulnerability in RegisteredEventMediator.kt SmartThings prior to version 1.7.89.0 allows attackers to access sensitive information via implicit broadcast. | ||
| CVE-2022-39865 | Med | 0.26 | 4.0 | 0.00 | Oct 7, 2022 | Improper access control vulnerability in ContentsSharingActivity.java SmartThings prior to version 1.7.89.0 allows attackers to access sensitive information via implicit broadcast. | ||
| CVE-2022-39864 | Low | 0.21 | 3.3 | 0.00 | Oct 7, 2022 | Improper access control vulnerability in WifiSetupLaunchHelper in SmartThings prior to version 1.7.89.25 allows attackers to access sensitive information via implicit intent. | ||
| CVE-2022-30749 | Low | 0.21 | 3.3 | 0.00 | Jun 7, 2022 | Improper access control vulnerability in Smart Things prior to 1.7.85.25 allows local attackers to add arbitrary smart devices by bypassing login activity. | ||
| CVE-2021-25404 | Low | 0.21 | 3.3 | 0.00 | Jun 11, 2021 | Information Exposure vulnerability in SmartThings prior to version 1.7.64.21 allows attacker to access user information via log. |
- risk 0.49cvss 7.5epss 0.01
An exploitable vulnerability exists in the remote servers of Samsung SmartThings Hub STH-ETH-250 - Firmware version 0.20.17. The hubCore process listens on port 39500 and relays any unauthenticated messages to SmartThings' remote servers, which incorrectly handle camera IDs for…
- risk 0.38cvss 5.9epss 0.00
Improper authentication in SmartThings prior to version 1.8.17 allows remote attackers to bypass the expiration date for members set by the owner.
- risk 0.38cvss 5.9epss 0.00
Improper verification of intent by broadcast receiver vulnerability in SmartThings prior to version 1.8.13.22 allows local attackers to access testing configuration.
- risk 0.36cvss 5.5epss 0.00
PendingIntent hijacking vulnerability in Smart Things prior to 1.7.85.25 allows local attackers to access files without permission via implicit Intent.
- risk 0.35cvss 5.3epss 0.01
Improper privilege management vulnerability in API Key used in SmartThings prior to 1.7.73.22 allows an attacker to abuse the API key without limitation.
- risk 0.35cvss 5.3epss 0.01
Improper access control vulnerability in SmartThings prior to version 1.7.67.25 allows untrusted applications to cause local file inclusion in webview.
- risk 0.35cvss 5.3epss 0.01
Improper access control vulnerability in SmartThings prior to version 1.7.67.25 allows untrusted applications to cause arbitrary webpage loading in webview.
- risk 0.28cvss 4.3epss 0.01
Improper access control of certain port in SmartThings prior to version 1.7.63.6 allows remote temporary denial of service.
- risk 0.27cvss 4.2epss 0.00
Improper access control vulnerabilities in Smart Things prior to 1.7.93 allows to attacker to invite others without authorization of the owner.
- risk 0.26cvss 4.0epss 0.00
Use of implicit intent for sensitive communication in SmartThings prior to version 1.8.21 allows local attackers to get sensitive information.
- risk 0.26cvss 4.0epss 0.00
Improper access control vulnerability cloudNotificationManager.java in SmartThings prior to version 1.7.89.0 allows attackers to access sensitive information via implicit broadcasts.
- risk 0.26cvss 4.0epss 0.00
Improper access control vulnerability in cloudNotificationManager.java SmartThings prior to version 1.7.89.0 allows attackers to access sensitive information via PUSH_MESSAGE_RECEIVED broadcast.
- risk 0.26cvss 4.0epss 0.00
Improper access control vulnerability in cloudNotificationManager.java SmartThings prior to version 1.7.89.0 allows attackers to access sensitive information via REMOVE_PERSISTENT_BANNER broadcast.
- risk 0.26cvss 4.0epss 0.00
Improper access control vulnerability in GedSamsungAccount.kt SmartThings prior to version 1.7.89.0 allows attackers to access sensitive information via implicit broadcast.
- risk 0.26cvss 4.0epss 0.00
Improper access control vulnerability in cloudNotificationManager.java SmartThings prior to version 1.7.89.0 allows attackers to access sensitive information via SHOW_PERSISTENT_BANNER broadcast.
- risk 0.26cvss 4.0epss 0.00
Improper access control vulnerability in RegisteredEventMediator.kt SmartThings prior to version 1.7.89.0 allows attackers to access sensitive information via implicit broadcast.
- risk 0.26cvss 4.0epss 0.00
Improper access control vulnerability in ContentsSharingActivity.java SmartThings prior to version 1.7.89.0 allows attackers to access sensitive information via implicit broadcast.
- risk 0.21cvss 3.3epss 0.00
Improper access control vulnerability in WifiSetupLaunchHelper in SmartThings prior to version 1.7.89.25 allows attackers to access sensitive information via implicit intent.
- risk 0.21cvss 3.3epss 0.00
Improper access control vulnerability in Smart Things prior to 1.7.85.25 allows local attackers to add arbitrary smart devices by bypassing login activity.
- risk 0.21cvss 3.3epss 0.00
Information Exposure vulnerability in SmartThings prior to version 1.7.64.21 allows attacker to access user information via log.
Page 2 of 2