CVE-2022-35887

HIGH

Abode Systems iota - Format String Injection

Title source: llm

Description

Four format string injection vulnerabilities exist in the web interface /action/wirelessConnect functionality of Abode Systems, Inc. iota All-In-One Security Kit 6.9Z and 6.9X. A specially-crafted HTTP request can lead to memory corruption, information disclosure and denial of service. An attacker can make an authenticated HTTP request to trigger these vulnerabilities.This vulnerability arises from format string injection via the `default_key_id` HTTP parameter, as used within the `/action/wirelessConnect` handler.

References (1)

[Exploit, Technical Description, Third Party Advisory] https://talosintelligence.com/vulnerability_reports/TALOS-2022-1585

Scores

CVSS v3 8.8

EPSS 0.0157

EPSS Percentile 81.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact partial

Details

CWE

CWE-134

Status published

Products (2)

goabode/iota_all-in-one_security_kit_firmware 6.9x

goabode/iota_all-in-one_security_kit_firmware 6.9z

Published Oct 25, 2022

Tracked Since Feb 18, 2026