Refine your search
2 vulnerabilities found for by CoolKit
CVE-2024-7205 (GCVE-0-2024-7205)
Vulnerability from cvelistv5
Published
2024-07-31 05:51
Modified
2024-07-31 14:56
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-201 - Insertion of Sensitive Information Into Sent Data
Summary
When the device is shared, the homepage module are before 2.19.0 in eWeLink Cloud Service allows Secondary user to take over devices as primary user via sharing unnecessary device-sensitive information.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| CoolKit | eWeLink Cloud Service |
Version: 2.0.0 < 2.19.0 |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:coolkit:ewelink:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "ewelink",
"vendor": "coolkit",
"versions": [
{
"lessThan": "2.19.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-7205",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-31T14:43:03.470070Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-31T14:56:35.429Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"homepage"
],
"platforms": [
"Linux"
],
"product": "eWeLink Cloud Service",
"vendor": "CoolKit",
"versions": [
{
"lessThan": "2.19.0",
"status": "affected",
"version": "2.0.0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Aarav Sinha, Senior Security Researcher, FEV India Pvt Ltd."
},
{
"lang": "en",
"type": "reporter",
"value": "Jerin Sunny, Security Researcher, FEV India Pvt Ltd."
},
{
"lang": "en",
"type": "reporter",
"value": "Shakir Zari,Security Researcher,FEV India Pvt Ltd."
}
],
"datePublic": "2024-07-30T11:20:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u0026nbsp;When the device is shared,\u0026nbsp;the homepage module are before 2.19.0 \u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003ein eWeLink Cloud Service\u0026nbsp;\u003c/span\u003eallows Secondary user to take over devices as primary user via sharing unnecessary device-sensitive information."
}
],
"value": "When the device is shared,\u00a0the homepage module are before 2.19.0 \u00a0in eWeLink Cloud Service\u00a0allows Secondary user to take over devices as primary user via sharing unnecessary device-sensitive information."
}
],
"impacts": [
{
"capecId": "CAPEC-383",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-383 Harvesting Information via API Event Monitoring"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NO",
"Recovery": "USER",
"Safety": "PRESENT",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.4,
"baseSeverity": "CRITICAL",
"privilegesRequired": "NONE",
"providerUrgency": "GREEN",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "PASSIVE",
"valueDensity": "DIFFUSE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/S:P/AU:N/R:U/V:D/RE:L/U:Green",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "LOW"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-201",
"description": "CWE-201 Insertion of Sensitive Information Into Sent Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-31T05:51:03.427Z",
"orgId": "68870bb1-d075-4169-957d-e580b18692b9",
"shortName": "CoolKit"
},
"references": [
{
"url": "https://ewelink.cc/security-advisory-240730/"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The cloud has fixed the issue in the new version, and users do not need to do anything.\u003cbr\u003e"
}
],
"value": "The cloud has fixed the issue in the new version, and users do not need to do anything."
}
],
"source": {
"discovery": "EXTERNAL"
},
"tags": [
"exclusively-hosted-service"
],
"title": "sharing unnecessary device-sensitive information allows Secondary user able to take over devices as primary user",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "68870bb1-d075-4169-957d-e580b18692b9",
"assignerShortName": "CoolKit",
"cveId": "CVE-2024-7205",
"datePublished": "2024-07-31T05:51:03.427Z",
"dateReserved": "2024-07-29T11:11:17.421Z",
"dateUpdated": "2024-07-31T14:56:35.429Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-3130 (GCVE-0-2024-3130)
Vulnerability from cvelistv5
Published
2024-04-01 09:13
Modified
2025-08-27 21:23
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-798 - Use of Hard-coded Credentials
Summary
Hard-coded Credentials in CoolKit eWeLlink app are before 5.4.x on Android and IOS allows local attacker to unauthorized access to sensitive data via Decryption algorithm and key obtained after decompiling app
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| CoolKIt | eWeLink APP |
Version: 0 < 5.4.x |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-3130",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-04-02T14:26:29.391805Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-27T21:23:01.088Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T19:32:42.974Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://ewelink.cc/security-advisories-and-notices/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Android",
"iOS"
],
"product": "eWeLink APP",
"vendor": "CoolKIt",
"versions": [
{
"lessThan": "5.4.x",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Aarav Sinha, Senior Security Researcher, FEV India Pvt Ltd."
},
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Vaishali Nagori, Senior Security Researcher, FEV India Pvt Ltd."
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eHard-coded Credentials\u003c/span\u003e\u0026nbsp;in CoolKit eWeLlink app are before 5.4.x on Android and IOS allows local attacker to\u0026nbsp;unauthorized access to sensitive data via Decryption algorithm and key obtained after decompiling app\u003cbr\u003e\u003cbr\u003e"
}
],
"value": "Hard-coded Credentials\u00a0in CoolKit eWeLlink app are before 5.4.x on Android and IOS allows local attacker to\u00a0unauthorized access to sensitive data via Decryption algorithm and key obtained after decompiling app\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-798",
"description": "CWE-798 Use of Hard-coded Credentials",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-04-01T09:15:47.799Z",
"orgId": "68870bb1-d075-4169-957d-e580b18692b9",
"shortName": "CoolKit"
},
"references": [
{
"url": "https://ewelink.cc/security-advisories-and-notices/"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eUpdate to the latest version of the app.\u003c/span\u003e\u003cbr\u003e"
}
],
"value": "Update to the latest version of the app.\n"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": " Insecure Data Storage leading to sensitive Information disclosure.",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "68870bb1-d075-4169-957d-e580b18692b9",
"assignerShortName": "CoolKit",
"cveId": "CVE-2024-3130",
"datePublished": "2024-04-01T09:13:53.082Z",
"dateReserved": "2024-04-01T09:11:45.225Z",
"dateUpdated": "2025-08-27T21:23:01.088Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}