| عنوان | pihome-shc PiHome HVAC 2.0 Missing Authorization |
|---|
| الوصف | A missing authorization vulnerability (CWE-862) was discovered in PiHome HVAC v2.0, specifically in the /user_accounts.php endpoint. The application does not verify whether the user initiating an account creation request has administrative privileges, allowing any authenticated user to create new admin accounts. This flaw can lead to full system compromise if exploited. Proper authorization checks and role-based access control (RBAC) are recommended to mitigate this issue. |
|---|
| المصدر | ⚠️ https://www.singto.io/pocsforexploits/pihomehvac-improper-access-control.md |
|---|
| المستخدم | Jelle Janssens (UID 81048) |
|---|
| ارسال | 10/02/2025 01:54 PM (1 سنة منذ) |
|---|
| الاعتدال | 10/02/2025 11:45 PM (10 hours later) |
|---|
| الحالة | تمت الموافقة |
|---|
| إدخال VulDB | 295173 [pihome-shc PiHome 2.0 Role-Based Access Control /user_accounts.php?uid تجاوز الصلاحيات] |
|---|
| النقاط | 20 |
|---|