CVE-2020-21998
MEDIUM NUCLEI
HomeAutomation 3.3.2 - Open Redirect via Redirect Parameter in api.php
Title source: llm
Exploitation Summary
CVE-2020-21998 has a Nuclei detection template available — see the Nuclei card below for the Shodan/FOFA recon queries.
Description
In HomeAutomation 3.3.2, input passed via the 'redirect' GET parameter in the 'api.php' script is not properly verified before being used to redirect users. This can be exploited to redirect a user to an arbitrary website, e.g. when a user clicks a specially crafted link to the affected script hosted on a trusted domain.
Nuclei Templates (1)
HomeAutomation 3.3.2 - Open Redirect
MEDIUM VERIFIED by 0x_Akoko
References (2)
Core References
Exploit, Third Party Advisory x_refsource_misc
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5559.php
Exploit, Third Party Advisory x_refsource_misc
https://cxsecurity.com/issue/WLB-2019120132
Scores
CVSS v3
6.1
EPSS
0.0132
EPSS Percentile
67.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Details
CWE
CWE-601
Status
published
Products (1)
homeautomation_project/homeautomation
3.3.2
Published
Apr 27, 2021
Tracked Since
Feb 18, 2026