CVE-2018-12716

MEDIUM

Google Home & Chromecast <mid-2018 - SSRF

Description

The API service on Google Home and Chromecast devices before mid-July 2018 does not prevent DNS rebinding attacks from reading the scan_results JSON data, which allows remote attackers to determine the physical location of most web browsers by leveraging the presence of one of these devices on its local network, extracting the scan_results bssid fields, and sending these fields in a geolocation/v1/geolocate Google Maps Geolocation API request.

Scores

CVSS v3 4.3
EPSS 0.0070
EPSS Percentile 48.4%
Attack Vector ADJACENT_NETWORK
CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Details

CWE CWE-200
Status published
Products (2)
google/chromecast_firmware
google/home_firmware
Published Jun 25, 2018
Tracked Since Feb 18, 2026