CVE-2024-7205 CRITICAL

CVE-2024-7205: Sharing unnecessary device-sensitive information allows a secondary user to take over devices as the primary user

Vendor Coolkit
Product eWeLink Cloud Service
Weakness CWE-201
Published July 31, 2024
Last update July 31, 2024

CVSS base score

9.4/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Passive
Confidentiality High
Integrity High

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/S:P/AU:N/R:U/V:D/RE:L/U:Green

What the vulnerability does

01 Description

When a device is shared, the homepage module before 2.19.0 in eWeLink Cloud Service allows a secondary user to take over devices as the primary user via the sharing of unnecessary device-sensitive information.

Key dates

02 Disclosure timeline

July 31, 2024 CVE published
July 31, 2024 Record updated