A vulnerability classified as problematic has been found in Xiaomi DGNWG03LM, ZNCZ03LM, MCCGQ01LM, WSDCGQ01LM and RTCGQ01LM 5.5.48. This affects some unknown processing of the component Zigbee Handler. The manipulation with an unknown input leads to a authorization vulnerability. CWE is classifying the issue as CWE-639. The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. This is going to have an impact on confidentiality, integrity, and availability. The summary by CVE is:

An issue was discovered on Xiaomi DGNWG03LM, ZNCZ03LM, MCCGQ01LM, WSDCGQ01LM, RTCGQ01LM 5.5.48 devices. Because of insecure key transport in ZigBee communication, attackers can obtain sensitive information, cause a denial of service attack, take over smart home devices, and tamper with messages.

The weakness was presented 12/20/2019. This vulnerability is uniquely identified as CVE-2019-15913 since 09/04/2019. The exploitability is told to be difficult. Access to the local network is required for this attack to succeed. No form of authentication is needed for exploitation. Neither technical details nor an exploit are publicly available.

There is no information about possible countermeasures known. It may be suggested to replace the affected object with an alternative product.

See VDB-147575 and VDB-147574 for similar entries. Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Productinfo

Vendor

• Xiaomi

Name

• DGNWG03LM
• MCCGQ01LM
• RTCGQ01LM
• WSDCGQ01LM
• ZNCZ03LM

Version

• 5.5.48

License

• open-source

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion