Vulnerability Details CVE-2018-6908
An authentication bypass vulnerability exists in the Green Electronics RainMachine Mini-8 (2nd Generation) and Touch HD 12 web application allowing an unauthenticated attacker to perform authenticated actions on the device via a 127.0.0.1:port value in the HTTP 'Host' header, as demonstrated by retrieving credentials.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.043
EPSS Ranking 88.3%
CVSS Severity
CVSS v3 Score 9.8
CVSS v2 Score 5.0
Products affected by CVE-2018-6908
- cpe:2.3:h:rainmachine:mini-8:-
- cpe:2.3:h:rainmachine:touch_hd_12:-
- cpe:2.3:o:rainmachine:mini-8_firmware:4.0.539
- cpe:2.3:o:rainmachine:mini-8_firmware:4.0.558
- cpe:2.3:o:rainmachine:mini-8_firmware:4.0.574
- cpe:2.3:o:rainmachine:mini-8_firmware:4.0.636
- cpe:2.3:o:rainmachine:mini-8_firmware:4.0.700
- cpe:2.3:o:rainmachine:mini-8_firmware:4.0.712
- cpe:2.3:o:rainmachine:mini-8_firmware:4.0.750
- cpe:2.3:o:rainmachine:mini-8_firmware:4.0.844
- cpe:2.3:o:rainmachine:mini-8_firmware:4.0.851
- cpe:2.3:o:rainmachine:mini-8_firmware:4.0.900
- cpe:2.3:o:rainmachine:mini-8_firmware:4.0.925
- cpe:2.3:o:rainmachine:mini-8_firmware:4.0.926
- cpe:2.3:o:rainmachine:mini-8_firmware:4.0.974
- cpe:2.3:o:rainmachine:mini-8_firmware:4.0.975
- cpe:2.3:o:rainmachine:touch_hd_12_firmware:4.0.539
- cpe:2.3:o:rainmachine:touch_hd_12_firmware:4.0.558
- cpe:2.3:o:rainmachine:touch_hd_12_firmware:4.0.574
- cpe:2.3:o:rainmachine:touch_hd_12_firmware:4.0.636
- cpe:2.3:o:rainmachine:touch_hd_12_firmware:4.0.700
- cpe:2.3:o:rainmachine:touch_hd_12_firmware:4.0.712
- cpe:2.3:o:rainmachine:touch_hd_12_firmware:4.0.750
- cpe:2.3:o:rainmachine:touch_hd_12_firmware:4.0.844
- cpe:2.3:o:rainmachine:touch_hd_12_firmware:4.0.851
- cpe:2.3:o:rainmachine:touch_hd_12_firmware:4.0.900
- cpe:2.3:o:rainmachine:touch_hd_12_firmware:4.0.925
- cpe:2.3:o:rainmachine:touch_hd_12_firmware:4.0.926
- cpe:2.3:o:rainmachine:touch_hd_12_firmware:4.0.974