CVE-2020-21990

HIGH

MyDomoAtHome REST API Domoticz ISS Gateway 0.2.40 - Unauthenticated Information Disclosure


Exploitation Summary

EIP tracks 1 public exploit for CVE-2020-21990. PoCs published by LiquidWorm.

AI-analyzed exploit summary: The exploit demonstrates an information disclosure vulnerability in MyDomoAtHome REST API (version 0.2.40) due to improper access control. Unauthenticated attackers can retrieve sensitive information, including camera credentials, via crafted HTTP requests to the `/devices` endpoint.

Description

Emmanuel MyDomoAtHome (MDAH) REST API Domoticz ISS Gateway 0.2.40 is affected by an information disclosure vulnerability due to improper access control enforcement. An unauthenticated remote attacker can exploit this via a specially crafted request to gain access to sensitive information.

Exploits (1)

exploitdb WORKING POC
by LiquidWorm · text · webapps · hardware
https://www.exploit-db.com/exploits/47824

Classification: Working PoC 95%
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: MyDomoAtHome REST API Domoticz ISS Gateway 0.2.40
No auth needed
Prerequisites: Network access to the target's REST API endpoint
devstral-2 · analyzed Feb 18, 2026

References (2)

Core References
Exploit, Third Party Advisory x_refsource_misc
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5555.php
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/47824

Scores

CVSS v3: 7.5
EPSS: 0.0233
EPSS Percentile: 81.3%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Details

CWE: CWE-863
Status: published
Products (1): domoticz/mydomoathome 0.240
Published: Apr 29, 2021
Tracked Since: Feb 18, 2026