Command Injection Vulnerability in Belkin Wemo Enabled Crock-Pot via SetSmartDevInfo Action

CVE-2019-12780 · HIGH Severity

CVSS v2 vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

The Belkin Wemo Enabled Crock-Pot allows command injection in the Wemo UPnP API via the SmartDevURL argument to the SetSmartDevInfo action. A simple POST request to /upnp/control/basicevent1 can allow an attacker to execute commands without authentication.
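
One way to flag the request described above in captured HTTP traffic, as an added example that is not part of the advisory or of Belkin's code: it parses the SOAP body and checks the SmartDevURL value against a conservative allowlist. The sample envelope, its `urn:example:constructed` namespace, the allowlist and the function names are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET  # for hostile traffic, prefer a hardened parser such as defusedxml

# Names taken from the advisory text.
CONTROL_PATH = "/upnp/control/basicevent1"
ACTION, ARGUMENT = "SetSmartDevInfo", "SmartDevURL"

# Allowlist, deliberately stricter than RFC 3986: URL sub-delimiters that a
# shell also interprets (; & $ ' ( ) and friends) are treated as unexpected.
UNEXPECTED = re.compile(r"[^A-Za-z0-9._~:/?#@%+,=-]")

# Constructed sample envelope; the "u" namespace is a placeholder, not the device's.
ENVELOPE = (
    '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">'
    '<s:Body><u:{action} xmlns:u="urn:example:constructed">'
    '<SmartDevURL>{value}</SmartDevURL>'
    '</u:{action}></s:Body></s:Envelope>'
)

def local(tag):
    """Drop the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]

def inspect_request(method, path, body):
    """Classify one captured HTTP request as ignore, review or alert."""
    if method.upper() != "POST" or path.split("?", 1)[0] != CONTROL_PATH:
        return ("ignore", "not a POST to the basicevent1 control URL")
    try:
        root = ET.fromstring(body)  # parsing decodes XML character references
    except ET.ParseError as exc:
        return ("review", f"unparseable SOAP body: {exc}")
    for action in root.iter():
        if local(action.tag) != ACTION:
            continue
        for arg in action:
            if local(arg.tag) == ARGUMENT:
                hit = UNEXPECTED.search(arg.text or "")
                if hit:
                    return ("alert", f"unexpected character {hit.group()!r} in {ARGUMENT}")
                return ("review", f"{ACTION} call, {ARGUMENT}={arg.text!r}")
        return ("review", f"{ACTION} call without {ARGUMENT}")
    return ("ignore", "different UPnP action")

if __name__ == "__main__":
    for value in ("http://192.0.2.10/setup.xml", "http://192.0.2.10/&#59;CONSTRUCTED"):
        body = ENVELOPE.format(action=ACTION, value=value)
        print(inspect_request("POST", CONTROL_PATH, body))
```

Because the check runs on the parsed value rather than the raw body, a character written as an XML character reference is still caught.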
