CVE-2018-6909
MEDIUM
Green Electronics RainMachine Mini-8 (2nd Gen) & Touch HD 12 - XSS
Title source: llm
Description
A missing X-Frame-Options header in the Green Electronics RainMachine Mini-8 (2nd Generation) and Touch HD 12 web application could be used by a remote attacker for clickjacking, as demonstrated by triggering an API page request.
References (1)
Core References
Exploit, Third Party Advisory x_refsource_misc
http://www.irongeek.com/i.php?page=videos/bsidesrdu2018/bsidesrdu-2018-07-when-it-rains-it-pours-sam-granger
Scores
CVSS v3: 6.5
EPSS: 0.0106
EPSS Percentile: 60.2%
Attack Vector: NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Details
CWE: CWE-1021
Status: published
Products (1): rainmachine/rainmachine_web_application
Published: Nov 01, 2018
Tracked Since: Feb 18, 2026