Loxone Smart Home Miniserver < 6.3 Multiple Vulnerabilities

Medium Nessus Plugin ID 81810


The remote device is affected by multiple vulnerabilities.


According to its banner, the remote Loxone Smart Home Miniserver device is running a firmware version prior to 6.3. It is, therefore, affected by multiple vulnerabilities:

- An information disclosure vulnerability exists due to the device transmitting all data in cleartext. A remote man-in-the-middle attacker can read the transmitted data, resulting in the disclosure of device credentials. (VulnDB 118940)

- A cross-frame scripting vulnerability exists because the device does not prevent its web pages from being loaded in a frame by a page served from a different origin. A remote attacker can exploit this by embedding the device's interface in an attacker-controlled page, concealing the true origin of what the user sees and interacts with. (VulnDB 118941)

- A cross-site request forgery (XSRF) vulnerability exists due to improper validation of HTTP requests. (VulnDB 118942)

- An HTTP response splitting vulnerability exists due to a failure to properly validate input appended to the response header. This allows an attacker to insert arbitrary HTTP headers to manipulate cookies and authentication status. (VulnDB 118943)

- Multiple reflected cross-site scripting vulnerabilities exist due to improper validation of HTTP requests. (VulnDB 118944)

- A stored cross-site scripting vulnerability exists due to improper validation of the content in the description field of a new task. (VulnDB 118945)

- An information disclosure vulnerability exists due to the program storing user credentials in an insecure manner. The credentials are encrypted, but the key used for their decryption may be requested without authentication. (VulnDB 118946)

- Multiple denial of service vulnerabilities exist that can be exploited via SYN floods and malformed HTTP requests. (VulnDB 118947)
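The two header-level issues above (HTTP response splitting, VulnDB 118943, and cross-frame scripting, VulnDB 118941) are easiest to understand side by side. The following is an added illustration, not code from the Nessus plugin or from Loxone firmware: a minimal HTTP response parser, a redirect builder that appends a caller-supplied value to the Location header unchecked (the bug class) next to a hardened builder that rejects control characters and adds an X-Frame-Options header, and a check that reports whether a response can be framed by a third-party page. The redirect endpoint, the parameter name and the injected payload are all constructed for the example; nothing here reproduces the actual Miniserver request that was reported.

```python
"""Added example: HTTP response splitting and framing exposure, demonstrated
on constructed responses. Not Nessus or Loxone code."""
import re
from typing import List, Tuple

Header = Tuple[str, str]


def parse_response(raw: bytes) -> Tuple[str, List[Header], bytes]:
    """Split a raw HTTP/1.x response into (status line, headers, body).

    Header names are lower-cased; duplicates are kept in order, which is
    exactly what lets an injected Set-Cookie sit next to a legitimate one.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    status = lines[0]
    headers: List[Header] = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers, body


def render_redirect(location: str, framing_header: bool = False) -> bytes:
    """Render a 302 whose Location value is inserted verbatim (constructed)."""
    lines = ["HTTP/1.1 302 Found", "Location: " + location, "Content-Length: 0"]
    if framing_header:
        lines.append("X-Frame-Options: DENY")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1")


def build_redirect_vulnerable(location: str) -> bytes:
    """The bug class: request input reaches a header without CR/LF checks,
    so "\\r\\n" in the value starts new headers, and "\\r\\n\\r\\n" starts a
    second body (the "splitting")."""
    return render_redirect(location)


_CTL = re.compile(r"[\r\n\x00]")


def build_redirect_hardened(location: str) -> bytes:
    """Reject (do not merely strip) control characters in the header value,
    and tell browsers the page may not be framed."""
    if _CTL.search(location):
        raise ValueError("control character in header value")
    return render_redirect(location, framing_header=True)


def framing_allowed(headers: List[Header]) -> bool:
    """True when nothing stops a third-party page from placing this response
    in an <iframe>: no restrictive X-Frame-Options and no CSP frame-ancestors
    directive other than a wildcard. (Cross-frame scripting exposure.)"""
    h = dict(headers)  # last value wins; fine for a presence check
    xfo = h.get("x-frame-options", "").strip().lower()
    if xfo in ("deny", "sameorigin"):
        return False
    csp = h.get("content-security-policy", "")
    for directive in csp.split(";"):
        name, _, value = directive.strip().partition(" ")
        if name.lower() == "frame-ancestors":
            return value.strip() == "*"
    return True


# Constructed attacker value for a hypothetical "?next=" redirect parameter:
# injects a cookie header and then a whole second response body.
ATTACK = ("/app\r\nSet-Cookie: session=attacker\r\n"
          "Content-Length: 0\r\n\r\n<html>evil</html>")


def demo() -> Tuple[bool, bool, bool]:
    """Return (cookie_injected, body_split, hardened_rejects)."""
    _, headers, body = parse_response(build_redirect_vulnerable(ATTACK))
    cookie_injected = ("set-cookie", "session=attacker") in headers
    body_split = body.startswith(b"<html>evil</html>")
    try:
        build_redirect_hardened(ATTACK)
        hardened_rejects = False
    except ValueError:
        hardened_rejects = True
    return cookie_injected, body_split, hardened_rejects


if __name__ == "__main__":
    print(demo())
    _, hdrs, _ = parse_response(build_redirect_hardened("/app"))
    print("framing allowed after fix:", framing_allowed(hdrs))
```

Rejecting the value outright, rather than deleting the CR/LF characters, is deliberate: a stripping filter turns "Set-Cookie: x\r\n" into a value that still smuggles the rest of the payload into the same header, and the rejection also surfaces in logs as an attempted attack rather than silently succeeding in a weakened form.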

Note that Nessus has not tested for these issues but has instead relied only on the device's self-reported version number.


Upgrade the Loxone Smart Home Miniserver firmware to version 6.3 or later.

Note that the two information disclosure vulnerabilities (VulnDB 118940 / 118946) still exist in firmware version 6.3. We are currently unaware of a solution for these issues.


Plugin Details

Severity: Medium

ID: 81810

File Name: loxone_smart_home_miniserver_6_3.nasl

Version: $Revision: 1.3 $

Type: remote

Family: Misc.

Published: 2015/03/13

Modified: 2016/06/20

Dependencies: 81811

Risk Information

Risk Factor: Medium


Base Score: 6.8

Temporal Score: 5.9

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

Temporal Vector: CVSS2#E:ND/RL:OF/RC:C

Vulnerability Information

CPE: x-cpe:/h:loxone:smart_home_miniserver

Required KB Items: installed_sw/Loxone Smart Home Miniserver

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2015/02/25

Vulnerability Publication Date: 2015/02/27

Reference Information

BID: 72804

OSVDB: 118940, 118941, 118942, 118943, 118944, 118945, 118946, 118947