Vulnerability Note VU#857948
Honeywell Tuxedo Touch Controller contains multiple vulnerabilities
All versions of Honeywell Tuxedo Touch Controller are vulnerable to authentication bypass and cross-site request forgery (CSRF).
CWE-603: Use of Client-Side Authentication - CVE-2015-2847
A remote, unauthenticated attacker may be able to bypass authentication checks to view restricted pages, or trick an authenticated user into making an unintentional request to the web server which will be treated as an authentic request. Compromised Tuxedo Touch Controllers may be leveraged to operate home automation devices, such as unlocking or locking doors.
Apply an update
Vendor Information

| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| Honeywell | Affected | 15 May 2015 | 16 Jun 2015 |
Thanks to Maxim Rupp for reporting this vulnerability.
This document was written by Joel Land.
- CVE IDs: CVE-2015-2847 CVE-2015-2848
- Date Public: 24 Jul 2015
- Date First Published: 24 Jul 2015
- Date Last Updated: 22 Mar 2017
- Document Revision: 20