ID

VAR-201402-0132


CVE

CVE-2013-6948


TITLE

Belkin Wemo Home Automation devices contain multiple vulnerabilities

Trust: 0.8

sources: CERT/CC: VU#656302

DESCRIPTION

The peerAddresses API in the Belkin WeMo Home Automation firmware before 3949 allows remote attackers to read arbitrary files via an XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue. Belkin Wemo Home Automation devices contain multiple vulnerabilities. See http://cwe.mitre.org/data/definitions/611.html. A third party may perform an XML injection attack and read arbitrary files. Attackers can exploit this issue to obtain sensitive information from system files.

Trust: 3.24

sources: NVD: CVE-2013-6948 // CERT/CC: VU#656302 // JVNDB: JVNDB-2013-006068 // CNVD: CNVD-2014-01087 // BID: 65623 // VULHUB: VHN-66950

IOT TAXONOMY

category: ['Network device'] | sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2014-01087

AFFECTED PRODUCTS

vendor: belkin | model: wemo home automation | scope: eq | version: 2769

Trust: 1.6

vendor: belkin | model: - | scope: - | version: -

Trust: 0.8

vendor: belkin | model: wemo home automation | scope: lt | version: 3949

Trust: 0.8

vendor: belkin | model: international,inc home automation devices | scope: - | version: -

Trust: 0.6

sources: CERT/CC: VU#656302 // CNVD: CNVD-2014-01087 // JVNDB: JVNDB-2013-006068 // CNNVD: CNNVD-201402-309 // NVD: CVE-2013-6948

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2013-6948
value: HIGH

Trust: 1.0

NVD: CVE-2013-6948
value: HIGH

Trust: 0.8

CNVD: CNVD-2014-01087
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201402-309
value: HIGH

Trust: 0.6

VULHUB: VHN-66950
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2013-6948
severity: HIGH
baseScore: 7.8
vectorString: AV:N/AC:L/AU:N/C:C/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 6.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2014-01087
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

VULHUB: VHN-66950
severity: HIGH
baseScore: 7.8
vectorString: AV:N/AC:L/AU:N/C:C/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 6.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: CNVD: CNVD-2014-01087 // VULHUB: VHN-66950 // JVNDB: JVNDB-2013-006068 // CNNVD: CNNVD-201402-309 // NVD: CVE-2013-6948

PROBLEMTYPE DATA

problemtype:CWE-94

Trust: 1.9

problemtype:CWE-Other

Trust: 0.8

sources: VULHUB: VHN-66950 // JVNDB: JVNDB-2013-006068 // NVD: CVE-2013-6948

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201402-309

TYPE

code injection

Trust: 0.6

sources: CNNVD: CNNVD-201402-309

CONFIGURATIONS

sources: JVNDB: JVNDB-2013-006068

PATCH

title: WeMo Home Automation | url: http://www.belkin.com/us/Products/home-automation/c/wemo-home-automation/

Trust: 0.8

sources: JVNDB: JVNDB-2013-006068

EXTERNAL IDS

db: CERT/CC | id: VU#656302

Trust: 3.9

db: NVD | id: CVE-2013-6948

Trust: 3.4

db: BID | id: 65623

Trust: 1.0

db: JVN | id: JVNVU97009803

Trust: 0.8

db: JVNDB | id: JVNDB-2013-006068

Trust: 0.8

db: CNNVD | id: CNNVD-201402-309

Trust: 0.7

db: CNVD | id: CNVD-2014-01087

Trust: 0.6

db: VULHUB | id: VHN-66950

Trust: 0.1

sources: CERT/CC: VU#656302 // CNVD: CNVD-2014-01087 // VULHUB: VHN-66950 // BID: 65623 // JVNDB: JVNDB-2013-006068 // CNNVD: CNNVD-201402-309 // NVD: CVE-2013-6948

REFERENCES

url:http://www.ioactive.com/pdfs/ioactive_belkin-advisory-lite.pdf

Trust: 3.3

url:http://www.kb.cert.org/vuls/id/656302

Trust: 2.3

url:http://cwe.mitre.org/data/definitions/611.html

Trust: 0.8

url:http://cwe.mitre.org/data/definitions/321.html

Trust: 0.8

url:http://cwe.mitre.org/data/definitions/494.html

Trust: 0.8

url:http://cwe.mitre.org/data/definitions/441.html

Trust: 0.8

url:http://cwe.mitre.org/data/definitions/319.html

Trust: 0.8

url:http://www.belkin.com/us/products/home-automation/c/wemo-home-automation

Trust: 0.8

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2013-6948

Trust: 0.8

url:http://jvn.jp/vu/jvnvu97009803/

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2013-6948

Trust: 0.8

url:http://www.kb.cert.org/vuls/id/656302

Trust: 0.8

sources: CERT/CC: VU#656302 // CNVD: CNVD-2014-01087 // VULHUB: VHN-66950 // JVNDB: JVNDB-2013-006068 // CNNVD: CNNVD-201402-309 // NVD: CVE-2013-6948

CREDITS

Mike Davis of IOActive.

Trust: 0.3

sources: BID: 65623

SOURCES

db: CERT/CC | id: VU#656302
db: CNVD | id: CNVD-2014-01087
db: VULHUB | id: VHN-66950
db: BID | id: 65623
db: JVNDB | id: JVNDB-2013-006068
db: CNNVD | id: CNNVD-201402-309
db: NVD | id: CVE-2013-6948

LAST UPDATE DATE

2025-04-11T22:48:23.148000+00:00


SOURCES UPDATE DATE

db: CERT/CC | id: VU#656302 | date: 2014-07-29T00:00:00
db: CNVD | id: CNVD-2014-01087 | date: 2014-02-20T00:00:00
db: VULHUB | id: VHN-66950 | date: 2014-03-06T00:00:00
db: BID | id: 65623 | date: 2014-03-04T01:51:00
db: JVNDB | id: JVNDB-2013-006068 | date: 2014-02-25T00:00:00
db: CNNVD | id: CNNVD-201402-309 | date: 2014-02-25T00:00:00
db: NVD | id: CVE-2013-6948 | date: 2025-04-11T00:51:21.963

SOURCES RELEASE DATE

db: CERT/CC | id: VU#656302 | date: 2014-02-18T00:00:00
db: CNVD | id: CNVD-2014-01087 | date: 2014-02-20T00:00:00
db: VULHUB | id: VHN-66950 | date: 2014-02-22T00:00:00
db: BID | id: 65623 | date: 2014-02-18T00:00:00
db: JVNDB | id: JVNDB-2013-006068 | date: 2014-02-25T00:00:00
db: CNNVD | id: CNNVD-201402-309 | date: 2014-02-25T00:00:00
db: NVD | id: CVE-2013-6948 | date: 2014-02-22T21:55:09.203