Refine your search
10 vulnerabilities found for by Logitech
CVE-2024-8258 (GCVE-0-2024-8258)
Vulnerability from cvelistv5
Published
2024-09-10 08:36
Modified
2024-09-10 13:56
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-94 - Improper Control of Generation of Code ('Code Injection')
Summary
Improper Control of Generation of Code ('Code Injection') in Electron Fuses in Logitech Options Plus version 1.60.496306 on macOS allows attackers to execute arbitrary code via insecure Electron Fuses configuration.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Logitech | Logitech Options Plus |
Version: 1.60.496306 ≤ |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:logitech:options_plus:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "options_plus",
"vendor": "logitech",
"versions": [
{
"lessThan": "1.70",
"status": "affected",
"version": "1.60.496306",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-8258",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-10T13:54:25.415583Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-10T13:56:50.325Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"MacOS"
],
"product": "Logitech Options Plus",
"vendor": "Logitech",
"versions": [
{
"lessThan": "1.70",
"status": "affected",
"version": "1.60.496306",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "1.70"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Dave F - https://hackerone.com/dave23p"
}
],
"datePublic": "2024-08-30T07:29:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Control of Generation of Code (\u0027Code Injection\u0027) in Electron Fuses in Logitech Options Plus version 1.60.496306 on macOS allows attackers to execute arbitrary code via insecure Electron Fuses configuration.\u003cbr\u003e"
}
],
"value": "Improper Control of Generation of Code (\u0027Code Injection\u0027) in Electron Fuses in Logitech Options Plus version 1.60.496306 on macOS allows attackers to execute arbitrary code via insecure Electron Fuses configuration."
}
],
"impacts": [
{
"capecId": "CAPEC-242",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-242 Code Injection"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "YES",
"Recovery": "USER",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "LOCAL",
"baseScore": 2,
"baseSeverity": "LOW",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "LOW",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "LOW",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:L/SA:L/AU:Y/R:U",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-10T08:36:34.326Z",
"orgId": "b573e801-1dd3-4adf-bd73-c9b814fbe067",
"shortName": "Logitech"
},
"references": [
{
"url": "https://www.electronjs.org/docs/latest/tutorial/fuses"
},
{
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50643"
},
{
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-49314"
},
{
"url": "https://github.com/r3ggi/electroniz3r"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eUpdate to Logitech Options Plus version 1.70 or later.\u003c/p\u003e\u003cbr\u003e"
}
],
"value": "Update to Logitech Options Plus version 1.70 or later."
}
],
"source": {
"discovery": "EXTERNAL"
},
"tags": [
"x_Electron",
"x_Code Injection",
"x_macOS"
],
"title": "Insecure Electron Fuses in Logitech Options Plus Allowing Arbitrary Code Execution on macOS",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "b573e801-1dd3-4adf-bd73-c9b814fbe067",
"assignerShortName": "Logitech",
"cveId": "CVE-2024-8258",
"datePublished": "2024-09-10T08:36:34.326Z",
"dateReserved": "2024-08-28T08:47:03.078Z",
"dateUpdated": "2024-09-10T13:56:50.325Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-8011 (GCVE-0-2024-8011)
Vulnerability from cvelistv5
Published
2024-08-25 11:44
Modified
2024-08-26 15:28
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-863 - Incorrect Authorization
Summary
Logitech Options+ on MacOS prior 1.72 allows a local attacker to inject dynamic library within Options+ runtime and abuse permissions granted by the user to Options+ such as Camera.
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-8011",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-26T15:28:24.704754Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-26T15:28:33.495Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"MacOS"
],
"product": "Options+",
"vendor": "Logitech",
"versions": [
{
"status": "unaffected",
"version": "1.72.564177",
"versionType": "custom"
},
{
"lessThanOrEqual": "1.70.551909",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "ferdogan"
}
],
"datePublic": "2024-08-20T10:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Logitech Options+ on MacOS prior 1.72 allows a local attacker to inject dynamic library within Options+ runtime and abuse permissions granted by the user to Options+ such as Camera.\u0026nbsp;"
}
],
"value": "Logitech Options+ on MacOS prior 1.72 allows a local attacker to inject dynamic library within Options+ runtime and abuse permissions granted by the user to Options+ such as Camera."
}
],
"impacts": [
{
"capecId": "CAPEC-122",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-122 Privilege Abuse"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "LOCAL",
"baseScore": 2,
"baseSeverity": "LOW",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "LOW",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-25T11:44:45.839Z",
"orgId": "b573e801-1dd3-4adf-bd73-c9b814fbe067",
"shortName": "Logitech"
},
"references": [
{
"tags": [
"permissions-required"
],
"url": "https://www.hackerone.com"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "b573e801-1dd3-4adf-bd73-c9b814fbe067",
"assignerShortName": "Logitech",
"cveId": "CVE-2024-8011",
"datePublished": "2024-08-25T11:44:45.839Z",
"dateReserved": "2024-08-20T14:15:07.515Z",
"dateUpdated": "2024-08-26T15:28:33.495Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-4031 (GCVE-0-2024-4031)
Vulnerability from cvelistv5
Published
2024-04-23 06:29
Modified
2024-08-01 20:26
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-428 - Unquoted Search Path or Element
Summary
Unquoted Search Path or Element vulnerability in Logitech MEVO WEBCAM APP on Windows allows Local Execution of Code.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Logitech | MEVO WEBCAM APP |
Version: 0 < 0.8.0 |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:logitech:mevo_webcam_app:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "mevo_webcam_app",
"vendor": "logitech",
"versions": [
{
"status": "affected",
"version": "-"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-4031",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-04-23T13:56:22.229567Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:55:35.778Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T20:26:57.253Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://cwe.mitre.org/data/definitions/428.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Windows"
],
"product": "MEVO WEBCAM APP",
"vendor": "Logitech",
"versions": [
{
"lessThan": "0.8.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Arun George Jose, Alaa Kachouh"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Unquoted Search Path or Element vulnerability in Logitech MEVO WEBCAM APP on Windows allows Local Execution of Code."
}
],
"value": "Unquoted Search Path or Element vulnerability in Logitech MEVO WEBCAM APP on Windows allows Local Execution of Code."
}
],
"impacts": [
{
"capecId": "CAPEC-549",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-549 Local Execution of Code"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 4.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-428",
"description": "CWE-428 Unquoted Search Path or Element",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-04-23T08:37:56.500Z",
"orgId": "b573e801-1dd3-4adf-bd73-c9b814fbe067",
"shortName": "Logitech"
},
"references": [
{
"url": "https://cwe.mitre.org/data/definitions/428.html"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "MEVO WEBCAM APP Windows Unquoted Service Path Vulnerability",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "b573e801-1dd3-4adf-bd73-c9b814fbe067",
"assignerShortName": "Logitech",
"cveId": "CVE-2024-4031",
"datePublished": "2024-04-23T06:29:58.858Z",
"dateReserved": "2024-04-22T15:40:56.836Z",
"dateUpdated": "2024-08-01T20:26:57.253Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-2537 (GCVE-0-2024-2537)
Vulnerability from cvelistv5
Published
2024-03-15 17:12
Modified
2024-08-01 19:18
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-913 - Improper Control of Dynamically-Managed Code Resources
Summary
Improper Control of Dynamically-Managed Code Resources vulnerability in Logitech Logi Tune on MacOS allows Local Code Inclusion.
References
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-2537",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-19T15:26:00.720634Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:30:25.031Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T19:18:46.975Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://hackerone.com/reports/2376663"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"MacOS"
],
"product": "Logi Tune",
"vendor": "Logitech",
"versions": [
{
"status": "unaffected",
"version": "3.5.249"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Fatih ERDOGAN (ferdogan)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Control of Dynamically-Managed Code Resources vulnerability in Logitech Logi Tune on MacOS allows Local Code Inclusion."
}
],
"value": "Improper Control of Dynamically-Managed Code Resources vulnerability in Logitech Logi Tune on MacOS allows Local Code Inclusion."
}
],
"impacts": [
{
"capecId": "CAPEC-251",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-251 Local Code Inclusion"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 4.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-913",
"description": "CWE-913 Improper Control of Dynamically-Managed Code Resources",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-03-15T17:12:10.804Z",
"orgId": "b573e801-1dd3-4adf-bd73-c9b814fbe067",
"shortName": "Logitech"
},
"references": [
{
"url": "https://hackerone.com/reports/2376663"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Electron Code Injection in Logi Tune macOS Application",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "b573e801-1dd3-4adf-bd73-c9b814fbe067",
"assignerShortName": "Logitech",
"cveId": "CVE-2024-2537",
"datePublished": "2024-03-15T17:12:10.804Z",
"dateReserved": "2024-03-15T16:56:21.392Z",
"dateUpdated": "2024-08-01T19:18:46.975Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-0916 (GCVE-0-2022-0916)
Vulnerability from cvelistv5
Published
2022-05-03 13:40
Modified
2024-09-17 02:26
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-287 - Improper Authentication
Summary
An issue was discovered in Logitech Options. The OAuth 2.0 state parameter was not properly validated. This leaves applications vulnerable to CSRF attacks during authentication and authorization operations.
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T23:47:43.244Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://support.logi.com/hc/en-us/articles/360025297893"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"platforms": [
"Windows"
],
"product": "Options",
"vendor": "Logitech",
"versions": [
{
"lessThan": "9.60.87",
"status": "affected",
"version": "9.60.87",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Karan Bamal"
}
],
"datePublic": "2022-04-08T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Logitech Options. The OAuth 2.0 state parameter was not properly validated. This leaves applications vulnerable to CSRF attacks during authentication and authorization operations."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287 Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-05-03T13:40:09.000Z",
"orgId": "b573e801-1dd3-4adf-bd73-c9b814fbe067",
"shortName": "Logitech"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://support.logi.com/hc/en-us/articles/360025297893"
}
],
"solutions": [
{
"lang": "en",
"value": "Update to Logitech Options 9.60.87"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Broken authentication on Logitech Options due to misvalidation of Oauth state parameter",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve-coordination@logitech.com",
"DATE_PUBLIC": "2022-04-08T11:48:00.000Z",
"ID": "CVE-2022-0916",
"STATE": "PUBLIC",
"TITLE": "Broken authentication on Logitech Options due to misvalidation of Oauth state parameter"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Options",
"version": {
"version_data": [
{
"platform": "Windows",
"version_affected": "\u003c",
"version_name": "9.60.87",
"version_value": "9.60.87"
}
]
}
}
]
},
"vendor_name": "Logitech"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Karan Bamal"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Logitech Options. The OAuth 2.0 state parameter was not properly validated. This leaves applications vulnerable to CSRF attacks during authentication and authorization operations."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-287 Improper Authentication"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://support.logi.com/hc/en-us/articles/360025297893",
"refsource": "MISC",
"url": "https://support.logi.com/hc/en-us/articles/360025297893"
}
]
},
"solution": [
{
"lang": "en",
"value": "Update to Logitech Options 9.60.87"
}
],
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "b573e801-1dd3-4adf-bd73-c9b814fbe067",
"assignerShortName": "Logitech",
"cveId": "CVE-2022-0916",
"datePublished": "2022-05-03T13:40:09.127Z",
"dateReserved": "2022-03-10T00:00:00.000Z",
"dateUpdated": "2024-09-17T02:26:48.928Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-0915 (GCVE-0-2022-0915)
Vulnerability from cvelistv5
Published
2022-04-12 18:35
Modified
2024-09-16 18:35
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-367 - Time-of-check Time-of-use (TOCTOU) Race Condition
Summary
There is a Time-of-check Time-of-use (TOCTOU) Race Condition Vulnerability in Logitech Sync for Windows prior to 2.4.574. Successful exploitation of these vulnerabilities may escalate the permission to the system user.
References
| URL | Tags | |
|---|---|---|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T23:47:42.807Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://prosupport.logi.com/hc/en-us/articles/360040085114-Download-Logitech-Sync"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"platforms": [
"Windows"
],
"product": "Sync",
"vendor": "Logitech",
"versions": [
{
"lessThan": "2.4.574",
"status": "affected",
"version": "prior to 2.4.574",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Karan Bamal"
}
],
"datePublic": "2022-04-08T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "There is a Time-of-check Time-of-use (TOCTOU) Race Condition Vulnerability in Logitech Sync for Windows prior to 2.4.574. Successful exploitation of these vulnerabilities may escalate the permission to the system user."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-367",
"description": "CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-04-12T18:35:09.000Z",
"orgId": "b573e801-1dd3-4adf-bd73-c9b814fbe067",
"shortName": "Logitech"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://prosupport.logi.com/hc/en-us/articles/360040085114-Download-Logitech-Sync"
}
],
"solutions": [
{
"lang": "en",
"value": "Update to 2.4.574"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Logitech Sync desktop application prior to 2.4.574 - TOCTOU during installation leads to privelege escalation",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve-coordination@logitech.com",
"DATE_PUBLIC": "2022-04-08T20:31:00.000Z",
"ID": "CVE-2022-0915",
"STATE": "PUBLIC",
"TITLE": "Logitech Sync desktop application prior to 2.4.574 - TOCTOU during installation leads to privelege escalation"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Sync",
"version": {
"version_data": [
{
"platform": "Windows",
"version_affected": "\u003c",
"version_name": "prior to 2.4.574",
"version_value": "2.4.574"
}
]
}
}
]
},
"vendor_name": "Logitech"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Karan Bamal"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "There is a Time-of-check Time-of-use (TOCTOU) Race Condition Vulnerability in Logitech Sync for Windows prior to 2.4.574. Successful exploitation of these vulnerabilities may escalate the permission to the system user."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://prosupport.logi.com/hc/en-us/articles/360040085114-Download-Logitech-Sync",
"refsource": "MISC",
"url": "https://prosupport.logi.com/hc/en-us/articles/360040085114-Download-Logitech-Sync"
}
]
},
"solution": [
{
"lang": "en",
"value": "Update to 2.4.574"
}
],
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "b573e801-1dd3-4adf-bd73-c9b814fbe067",
"assignerShortName": "Logitech",
"cveId": "CVE-2022-0915",
"datePublished": "2022-04-12T18:35:09.413Z",
"dateReserved": "2022-03-10T00:00:00.000Z",
"dateUpdated": "2024-09-16T18:35:00.585Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-15721 (GCVE-0-2018-15721)
Vulnerability from cvelistv5
Published
2018-12-20 21:00
Modified
2024-09-17 02:26
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-287 - Improper Authentication
Summary
The XMPP server in Logitech Harmony Hub before version 4.15.206 is vulnerable to authentication bypass via a crafted XMPP request. Remote attackers can use this vulnerability to gain access to the local API.
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Logitech | Logitech Harmony Hub |
Version: Firmware before 4.15.206 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T10:01:54.591Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.tenable.com/security/research/tra-2018-47"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Logitech Harmony Hub",
"vendor": "Logitech",
"versions": [
{
"status": "affected",
"version": "Firmware before 4.15.206"
}
]
}
],
"datePublic": "2018-12-19T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "The XMPP server in Logitech Harmony Hub before version 4.15.206 is vulnerable to authentication bypass via a crafted XMPP request. Remote attackers can use this vulnerability to gain access to the local API."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287 Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-12-20T20:57:01.000Z",
"orgId": "5ac1ecc2-367a-4d16-a0b2-35d495ddd0be",
"shortName": "tenable"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.tenable.com/security/research/tra-2018-47"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "vulnreport@tenable.com",
"DATE_PUBLIC": "2018-12-19T00:00:00",
"ID": "CVE-2018-15721",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Logitech Harmony Hub",
"version": {
"version_data": [
{
"version_value": "Firmware before 4.15.206"
}
]
}
}
]
},
"vendor_name": "Logitech"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The XMPP server in Logitech Harmony Hub before version 4.15.206 is vulnerable to authentication bypass via a crafted XMPP request. Remote attackers can use this vulnerability to gain access to the local API."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-287 Improper Authentication"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.tenable.com/security/research/tra-2018-47",
"refsource": "MISC",
"url": "https://www.tenable.com/security/research/tra-2018-47"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "5ac1ecc2-367a-4d16-a0b2-35d495ddd0be",
"assignerShortName": "tenable",
"cveId": "CVE-2018-15721",
"datePublished": "2018-12-20T21:00:00.000Z",
"dateReserved": "2018-08-22T00:00:00.000Z",
"dateUpdated": "2024-09-17T02:26:25.523Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-15720 (GCVE-0-2018-15720)
Vulnerability from cvelistv5
Published
2018-12-20 21:00
Modified
2024-09-16 20:59
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-798 - Hard-coded credentials
Summary
Logitech Harmony Hub before version 4.15.206 contained two hard-coded accounts in the XMPP server that gave remote users access to the local API.
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Logitech | Logitech Harmony Hub |
Version: Firmware before 4.15.206 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T10:01:54.613Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.tenable.com/security/research/tra-2018-47"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Logitech Harmony Hub",
"vendor": "Logitech",
"versions": [
{
"status": "affected",
"version": "Firmware before 4.15.206"
}
]
}
],
"datePublic": "2018-12-19T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Logitech Harmony Hub before version 4.15.206 contained two hard-coded accounts in the XMPP server that gave remote users access to the local API."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-798",
"description": "CWE-798 Hard-coded credentials",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-12-20T20:57:01.000Z",
"orgId": "5ac1ecc2-367a-4d16-a0b2-35d495ddd0be",
"shortName": "tenable"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.tenable.com/security/research/tra-2018-47"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "vulnreport@tenable.com",
"DATE_PUBLIC": "2018-12-19T00:00:00",
"ID": "CVE-2018-15720",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Logitech Harmony Hub",
"version": {
"version_data": [
{
"version_value": "Firmware before 4.15.206"
}
]
}
}
]
},
"vendor_name": "Logitech"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Logitech Harmony Hub before version 4.15.206 contained two hard-coded accounts in the XMPP server that gave remote users access to the local API."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-798 Hard-coded credentials"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.tenable.com/security/research/tra-2018-47",
"refsource": "MISC",
"url": "https://www.tenable.com/security/research/tra-2018-47"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "5ac1ecc2-367a-4d16-a0b2-35d495ddd0be",
"assignerShortName": "tenable",
"cveId": "CVE-2018-15720",
"datePublished": "2018-12-20T21:00:00.000Z",
"dateReserved": "2018-08-22T00:00:00.000Z",
"dateUpdated": "2024-09-16T20:59:02.021Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-15722 (GCVE-0-2018-15722)
Vulnerability from cvelistv5
Published
2018-12-20 21:00
Modified
2024-09-17 02:42
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-78 - OS Command Injection
Summary
The Logitech Harmony Hub before version 4.15.206 is vulnerable to OS command injection via the time update request. A remote server or man in the middle can inject OS commands with a properly formatted response.
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Logitech | Logitech Harmony Hub |
Version: Firmware before 4.15.206 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T10:01:54.598Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.tenable.com/security/research/tra-2018-47"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Logitech Harmony Hub",
"vendor": "Logitech",
"versions": [
{
"status": "affected",
"version": "Firmware before 4.15.206"
}
]
}
],
"datePublic": "2018-12-19T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "The Logitech Harmony Hub before version 4.15.206 is vulnerable to OS command injection via the time update request. A remote server or man in the middle can inject OS commands with a properly formatted response."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78 OS Command Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-12-20T20:57:01.000Z",
"orgId": "5ac1ecc2-367a-4d16-a0b2-35d495ddd0be",
"shortName": "tenable"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.tenable.com/security/research/tra-2018-47"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "vulnreport@tenable.com",
"DATE_PUBLIC": "2018-12-19T00:00:00",
"ID": "CVE-2018-15722",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Logitech Harmony Hub",
"version": {
"version_data": [
{
"version_value": "Firmware before 4.15.206"
}
]
}
}
]
},
"vendor_name": "Logitech"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Logitech Harmony Hub before version 4.15.206 is vulnerable to OS command injection via the time update request. A remote server or man in the middle can inject OS commands with a properly formatted response."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-78 OS Command Injection"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.tenable.com/security/research/tra-2018-47",
"refsource": "MISC",
"url": "https://www.tenable.com/security/research/tra-2018-47"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "5ac1ecc2-367a-4d16-a0b2-35d495ddd0be",
"assignerShortName": "tenable",
"cveId": "CVE-2018-15722",
"datePublished": "2018-12-20T21:00:00.000Z",
"dateReserved": "2018-08-22T00:00:00.000Z",
"dateUpdated": "2024-09-17T02:42:06.972Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-15723 (GCVE-0-2018-15723)
Vulnerability from cvelistv5
Published
2018-12-20 21:00
Modified
2024-09-17 02:10
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-346 - Origin Validation Error
Summary
The Logitech Harmony Hub before version 4.15.206 is vulnerable to application level command injection via crafted HTTP request. An unauthenticated remote attacker can leverage this vulnerability to execute application defined commands (e.g. harmony.system?systeminfo).
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Logitech | Logitech Harmony Hub |
Version: Firmware before 4.15.206 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T10:01:54.663Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.tenable.com/security/research/tra-2018-47"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Logitech Harmony Hub",
"vendor": "Logitech",
"versions": [
{
"status": "affected",
"version": "Firmware before 4.15.206"
}
]
}
],
"datePublic": "2018-12-19T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "The Logitech Harmony Hub before version 4.15.206 is vulnerable to application level command injection via crafted HTTP request. An unauthenticated remote attacker can leverage this vulnerability to execute application defined commands (e.g. harmony.system?systeminfo)."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-346",
"description": "CWE-346 Origin Validation Error",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-12-20T20:57:01.000Z",
"orgId": "5ac1ecc2-367a-4d16-a0b2-35d495ddd0be",
"shortName": "tenable"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.tenable.com/security/research/tra-2018-47"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "vulnreport@tenable.com",
"DATE_PUBLIC": "2018-12-19T00:00:00",
"ID": "CVE-2018-15723",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Logitech Harmony Hub",
"version": {
"version_data": [
{
"version_value": "Firmware before 4.15.206"
}
]
}
}
]
},
"vendor_name": "Logitech"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Logitech Harmony Hub before version 4.15.206 is vulnerable to application level command injection via crafted HTTP request. An unauthenticated remote attacker can leverage this vulnerability to execute application defined commands (e.g. harmony.system?systeminfo)."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-346 Origin Validation Error"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.tenable.com/security/research/tra-2018-47",
"refsource": "MISC",
"url": "https://www.tenable.com/security/research/tra-2018-47"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "5ac1ecc2-367a-4d16-a0b2-35d495ddd0be",
"assignerShortName": "tenable",
"cveId": "CVE-2018-15723",
"datePublished": "2018-12-20T21:00:00.000Z",
"dateReserved": "2018-08-22T00:00:00.000Z",
"dateUpdated": "2024-09-17T02:10:50.517Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}