Search criteria
5 vulnerabilities by CoolKIt
CVE-2024-7205 (GCVE-0-2024-7205)
Vulnerability from cvelistv5 – Published: 2024-07-31 05:51 – Updated: 2024-07-31 14:56
VLAI?
Summary
When the device is shared, the homepage module are before 2.19.0 in eWeLink Cloud Service allows Secondary user to take over devices as primary user via sharing unnecessary device-sensitive information.
Severity ?
CWE
- CWE-201 - Insertion of Sensitive Information Into Sent Data
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| CoolKit | eWeLink Cloud Service |
Affected:
2.0.0 , < 2.19.0
(custom)
|
Credits
Aarav Sinha, Senior Security Researcher, FEV India Pvt Ltd.
Jerin Sunny, Security Researcher, FEV India Pvt Ltd.
Shakir Zari,Security Researcher,FEV India Pvt Ltd.
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:coolkit:ewelink:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "ewelink",
"vendor": "coolkit",
"versions": [
{
"lessThan": "2.19.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-7205",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-31T14:43:03.470070Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-31T14:56:35.429Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"homepage"
],
"platforms": [
"Linux"
],
"product": "eWeLink Cloud Service",
"vendor": "CoolKit",
"versions": [
{
"lessThan": "2.19.0",
"status": "affected",
"version": "2.0.0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Aarav Sinha, Senior Security Researcher, FEV India Pvt Ltd."
},
{
"lang": "en",
"type": "reporter",
"value": "Jerin Sunny, Security Researcher, FEV India Pvt Ltd."
},
{
"lang": "en",
"type": "reporter",
"value": "Shakir Zari,Security Researcher,FEV India Pvt Ltd."
}
],
"datePublic": "2024-07-30T11:20:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u0026nbsp;When the device is shared,\u0026nbsp;the homepage module are before 2.19.0 \u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003ein eWeLink Cloud Service\u0026nbsp;\u003c/span\u003eallows Secondary user to take over devices as primary user via sharing unnecessary device-sensitive information."
}
],
"value": "When the device is shared,\u00a0the homepage module are before 2.19.0 \u00a0in eWeLink Cloud Service\u00a0allows Secondary user to take over devices as primary user via sharing unnecessary device-sensitive information."
}
],
"impacts": [
{
"capecId": "CAPEC-383",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-383 Harvesting Information via API Event Monitoring"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NO",
"Recovery": "USER",
"Safety": "PRESENT",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.4,
"baseSeverity": "CRITICAL",
"privilegesRequired": "NONE",
"providerUrgency": "GREEN",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "PASSIVE",
"valueDensity": "DIFFUSE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/S:P/AU:N/R:U/V:D/RE:L/U:Green",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "LOW"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-201",
"description": "CWE-201 Insertion of Sensitive Information Into Sent Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-31T05:51:03.427Z",
"orgId": "68870bb1-d075-4169-957d-e580b18692b9",
"shortName": "CoolKit"
},
"references": [
{
"url": "https://ewelink.cc/security-advisory-240730/"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The cloud has fixed the issue in the new version, and users do not need to do anything.\u003cbr\u003e"
}
],
"value": "The cloud has fixed the issue in the new version, and users do not need to do anything."
}
],
"source": {
"discovery": "EXTERNAL"
},
"tags": [
"exclusively-hosted-service"
],
"title": "sharing unnecessary device-sensitive information allows Secondary user able to take over devices as primary user",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "68870bb1-d075-4169-957d-e580b18692b9",
"assignerShortName": "CoolKit",
"cveId": "CVE-2024-7205",
"datePublished": "2024-07-31T05:51:03.427Z",
"dateReserved": "2024-07-29T11:11:17.421Z",
"dateUpdated": "2024-07-31T14:56:35.429Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-3130 (GCVE-0-2024-3130)
Vulnerability from cvelistv5 – Published: 2024-04-01 09:13 – Updated: 2025-08-27 21:23
VLAI?
Summary
Hard-coded Credentials in CoolKit eWeLlink app are before 5.4.x on Android and IOS allows local attacker to unauthorized access to sensitive data via Decryption algorithm and key obtained after decompiling app
Severity ?
5.7 (Medium)
CWE
- CWE-798 - Use of Hard-coded Credentials
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| CoolKIt | eWeLink APP |
Affected:
0 , < 5.4.x
(custom)
|
Credits
Aarav Sinha, Senior Security Researcher, FEV India Pvt Ltd.
Vaishali Nagori, Senior Security Researcher, FEV India Pvt Ltd.
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-3130",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-04-02T14:26:29.391805Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-27T21:23:01.088Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T19:32:42.974Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://ewelink.cc/security-advisories-and-notices/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Android",
"iOS"
],
"product": "eWeLink APP",
"vendor": "CoolKIt",
"versions": [
{
"lessThan": "5.4.x",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Aarav Sinha, Senior Security Researcher, FEV India Pvt Ltd."
},
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Vaishali Nagori, Senior Security Researcher, FEV India Pvt Ltd."
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eHard-coded Credentials\u003c/span\u003e\u0026nbsp;in CoolKit eWeLlink app are before 5.4.x on Android and IOS allows local attacker to\u0026nbsp;unauthorized access to sensitive data via Decryption algorithm and key obtained after decompiling app\u003cbr\u003e\u003cbr\u003e"
}
],
"value": "Hard-coded Credentials\u00a0in CoolKit eWeLlink app are before 5.4.x on Android and IOS allows local attacker to\u00a0unauthorized access to sensitive data via Decryption algorithm and key obtained after decompiling app\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-798",
"description": "CWE-798 Use of Hard-coded Credentials",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-04-01T09:15:47.799Z",
"orgId": "68870bb1-d075-4169-957d-e580b18692b9",
"shortName": "CoolKit"
},
"references": [
{
"url": "https://ewelink.cc/security-advisories-and-notices/"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eUpdate to the latest version of the app.\u003c/span\u003e\u003cbr\u003e"
}
],
"value": "Update to the latest version of the app.\n"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": " Insecure Data Storage leading to sensitive Information disclosure.",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "68870bb1-d075-4169-957d-e580b18692b9",
"assignerShortName": "CoolKit",
"cveId": "CVE-2024-3130",
"datePublished": "2024-04-01T09:13:53.082Z",
"dateReserved": "2024-04-01T09:11:45.225Z",
"dateUpdated": "2025-08-27T21:23:01.088Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-6998 (GCVE-0-2023-6998)
Vulnerability from cvelistv5 – Published: 2023-12-30 18:32 – Updated: 2024-10-10 15:36
VLAI?
Summary
Improper privilege management vulnerability in CoolKit Technology eWeLink on Android and iOS allows application lockscreen bypass.This issue affects eWeLink before 5.2.0.
Severity ?
7.7 (High)
CWE
- CWE-305 - Authentication Bypass by Primary Weakness
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| CoolKit Technology | eWeLink - Smart Home |
Affected:
0 , < 5.2.0
(custom)
|
|||||||
|
|||||||||
Credits
Jan Adamski (NASK)
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T08:50:07.670Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"third-party-advisory",
"x_transferred"
],
"url": "https://cert.pl/en/posts/2023/12/CVE-2023-6998/"
},
{
"tags": [
"third-party-advisory",
"x_transferred"
],
"url": "https://cert.pl/posts/2023/12/CVE-2023-6998/"
},
{
"tags": [
"product",
"x_transferred"
],
"url": "https://ewelink.cc/app/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://play.google.com/store/apps/details?id=com.coolkit",
"defaultStatus": "unaffected",
"platforms": [
"Android"
],
"product": "eWeLink - Smart Home",
"vendor": "CoolKit Technology",
"versions": [
{
"lessThan": "5.2.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"collectionURL": "https://apps.apple.com/us/app/ewelink-smart-home/id1035163158",
"defaultStatus": "unaffected",
"platforms": [
"iOS"
],
"product": "eWeLink-Smart Home",
"vendor": "CoolKit Technology",
"versions": [
{
"lessThan": "5.2.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Jan Adamski (NASK)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper privilege management vulnerability in CoolKit Technology eWeLink on Android and iOS allows application lockscreen bypass.\u003cp\u003eThis issue affects eWeLink before 5.2.0.\u003c/p\u003e"
}
],
"value": "Improper privilege management vulnerability in CoolKit Technology eWeLink on Android and iOS allows application lockscreen bypass.This issue affects eWeLink before 5.2.0."
}
],
"impacts": [
{
"capecId": "CAPEC-115",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-115 Authentication Bypass"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-305",
"description": "CWE-305 Authentication Bypass by Primary Weakness",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-10T15:36:12.108Z",
"orgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
"shortName": "CERT-PL"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://cert.pl/en/posts/2023/12/CVE-2023-6998/"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://cert.pl/posts/2023/12/CVE-2023-6998/"
},
{
"tags": [
"product"
],
"url": "https://ewelink.cc/app/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Lockscreen bypass in eWeLink App",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
"assignerShortName": "CERT-PL",
"cveId": "CVE-2023-6998",
"datePublished": "2023-12-30T18:32:07.452Z",
"dateReserved": "2023-12-20T14:04:20.543Z",
"dateUpdated": "2024-10-10T15:36:12.108Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-27941 (GCVE-0-2021-27941)
Vulnerability from cvelistv5 – Published: 2021-05-06 20:31 – Updated: 2024-08-03 21:33
VLAI?
Summary
Unconstrained Web access to the device's private encryption key in the QR code pairing mode in the eWeLink mobile application (through 4.9.2 on Android and through 4.9.1 on iOS) allows a physically proximate attacker to eavesdrop on Wi-Fi credentials and other sensitive information by monitoring the Wi-Fi spectrum during a device pairing process.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T21:33:16.407Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://play.google.com/store/apps/details?id=com.coolkit\u0026hl=en_US"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://apps.apple.com/us/app/ewelink-smart-home/id1035163158"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/salgio/eWeLink-QR-Code"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Unconstrained Web access to the device\u0027s private encryption key in the QR code pairing mode in the eWeLink mobile application (through 4.9.2 on Android and through 4.9.1 on iOS) allows a physically proximate attacker to eavesdrop on Wi-Fi credentials and other sensitive information by monitoring the Wi-Fi spectrum during a device pairing process."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-05-06T20:31:53",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://play.google.com/store/apps/details?id=com.coolkit\u0026hl=en_US"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://apps.apple.com/us/app/ewelink-smart-home/id1035163158"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/salgio/eWeLink-QR-Code"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-27941",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Unconstrained Web access to the device\u0027s private encryption key in the QR code pairing mode in the eWeLink mobile application (through 4.9.2 on Android and through 4.9.1 on iOS) allows a physically proximate attacker to eavesdrop on Wi-Fi credentials and other sensitive information by monitoring the Wi-Fi spectrum during a device pairing process."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://play.google.com/store/apps/details?id=com.coolkit\u0026hl=en_US",
"refsource": "MISC",
"url": "https://play.google.com/store/apps/details?id=com.coolkit\u0026hl=en_US"
},
{
"name": "https://apps.apple.com/us/app/ewelink-smart-home/id1035163158",
"refsource": "MISC",
"url": "https://apps.apple.com/us/app/ewelink-smart-home/id1035163158"
},
{
"name": "https://github.com/salgio/eWeLink-QR-Code",
"refsource": "MISC",
"url": "https://github.com/salgio/eWeLink-QR-Code"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2021-27941",
"datePublished": "2021-05-06T20:31:53",
"dateReserved": "2021-03-03T00:00:00",
"dateUpdated": "2024-08-03T21:33:16.407Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-12702 (GCVE-0-2020-12702)
Vulnerability from cvelistv5 – Published: 2021-02-24 13:58 – Updated: 2024-08-04 12:04
VLAI?
Summary
Weak encryption in the Quick Pairing mode in the eWeLink mobile application (Android application V4.9.2 and earlier, iOS application V4.9.1 and earlier) allows physically proximate attackers to eavesdrop on Wi-Fi credentials and other sensitive information by monitoring the Wi-Fi spectrum during the pairing process.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T12:04:22.546Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://play.google.com/store/apps/details?id=com.coolkit\u0026hl=en_US"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://dl.acm.org/doi/abs/10.1145/3411498.3419965"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/salgio/ESPTouchCatcher"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.youtube.com/watch?v=DghYH7WY6iE\u0026feature=youtu.be"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Weak encryption in the Quick Pairing mode in the eWeLink mobile application (Android application V4.9.2 and earlier, iOS application V4.9.1 and earlier) allows physically proximate attackers to eavesdrop on Wi-Fi credentials and other sensitive information by monitoring the Wi-Fi spectrum during the pairing process."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-02-24T13:58:28",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://play.google.com/store/apps/details?id=com.coolkit\u0026hl=en_US"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://dl.acm.org/doi/abs/10.1145/3411498.3419965"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/salgio/ESPTouchCatcher"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.youtube.com/watch?v=DghYH7WY6iE\u0026feature=youtu.be"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-12702",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Weak encryption in the Quick Pairing mode in the eWeLink mobile application (Android application V4.9.2 and earlier, iOS application V4.9.1 and earlier) allows physically proximate attackers to eavesdrop on Wi-Fi credentials and other sensitive information by monitoring the Wi-Fi spectrum during the pairing process."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://play.google.com/store/apps/details?id=com.coolkit\u0026hl=en_US",
"refsource": "MISC",
"url": "https://play.google.com/store/apps/details?id=com.coolkit\u0026hl=en_US"
},
{
"name": "https://dl.acm.org/doi/abs/10.1145/3411498.3419965",
"refsource": "MISC",
"url": "https://dl.acm.org/doi/abs/10.1145/3411498.3419965"
},
{
"name": "https://github.com/salgio/ESPTouchCatcher",
"refsource": "MISC",
"url": "https://github.com/salgio/ESPTouchCatcher"
},
{
"name": "https://www.youtube.com/watch?v=DghYH7WY6iE\u0026feature=youtu.be",
"refsource": "MISC",
"url": "https://www.youtube.com/watch?v=DghYH7WY6iE\u0026feature=youtu.be"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-12702",
"datePublished": "2021-02-24T13:58:28",
"dateReserved": "2020-05-07T00:00:00",
"dateUpdated": "2024-08-04T12:04:22.546Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}