CVE-2019-25233
CSRF and XSS in AVE DOMINAplus 1.10.x Enable Admin Takeover
Publication date: 2025-12-24
Last updated on: 2025-12-24
Assigner: VulnCheck
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| ave | domina_plus | 1.10 |
| ave | touch_screen_code_ts01 | 1.0.65 |
| ave | touch_screen_code_ts03x-v | 1.10.45a |
| apache | http_server | 2.2.22 |
| ave | web_server_code | 1.10.62 |
| ave | touch_screen_code_ts05 | 1.10.36 |
| php | php | 5.4.41 |
| apache | http_server | 2.4.7 |
| php | php | 5.5.9 |
| php | php | 5.4.36 |
| ave | domina | 1.10.x |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2019-25233 affects AVE DOMINAplus 1.10.x, an advanced home automation system. It contains Cross-Site Request Forgery (CSRF) and Cross-Site Scripting (XSS) vulnerabilities. Attackers can craft malicious web pages that exploit the login.php parameters and other HTTP requests to perform unauthorized administrative actions without user consent. The system fails to validate the authenticity of requests and does not properly sanitize input parameters, allowing attackers to execute arbitrary scripts in the context of a logged-in user's browser session. [1, 2]
How can this vulnerability impact me?
This vulnerability can allow attackers to perform unauthorized administrative actions on the AVE DOMINAplus system if a logged-in user visits a malicious website. For example, attackers can enable or disable alarms, change temperature schedules, or inject arbitrary HTML and JavaScript code that executes in the victim's browser session. This can lead to loss of control over home automation functions, potential privacy breaches, and manipulation of system settings without user consent. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring HTTP requests to the affected AVE DOMINAplus system for suspicious or unauthorized administrative actions performed without proper authentication, especially requests targeting endpoints like /antitheft.php and /bridge.php with parameters controlling alarm activation and temperature schedules. Additionally, testing for reflected Cross-Site Scripting (XSS) can be done by sending crafted POST requests to login.php with malicious payloads in the 'User' and 'Password' parameters to see if the input is unsanitized and reflected back. Network detection can include capturing and analyzing HTTP traffic for such suspicious GET or POST requests. Specific commands are not provided in the resources, but using tools like curl or Burp Suite to send crafted requests and observe responses can help detect the vulnerability. [1, 2]
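A defender-side check for the detection approach described above, added here as an example and not taken from the advisory or the vendor: it parses Apache combined-format access log lines (constructed samples) and flags state-changing requests to /antitheft.php and /bridge.php whose Referer is not the device itself, plus script-like characters in login.php query parameters. The device hostname domina.local, the log format and the sample lines are assumptions; POST bodies, where the User and Password parameters travel, are not in access logs, so those need a proxy or WAF log.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Apache combined log format (the affected products bundle Apache httpd).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
# Endpoints named in the advisory text; the device hostname is an assumption.
STATE_CHANGING = {"/antitheft.php", "/bridge.php"}
LOGIN = "/login.php"
DEVICE_HOST = "domina.local"
SCRIPT_MARKERS = ("<", ">", "javascript:", "onerror", "onload")

def analyze(line):
    """Return a list of finding strings for one log line (empty if benign)."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparseable line"]
    parts = urlsplit(m["path"])
    findings = []
    # A state-changing request whose Referer is missing or foreign is the
    # classic CSRF footprint: the browser was sent here by another site.
    referer_host = urlsplit(m["referer"]).hostname if m["referer"] != "-" else None
    if parts.path in STATE_CHANGING and referer_host != DEVICE_HOST:
        findings.append(f"possible CSRF: {parts.path} requested with Referer {m['referer']!r}")
    # Script-like characters in login.php parameters suggest reflected-XSS probing.
    if parts.path == LOGIN:
        for name, values in parse_qs(parts.query).items():
            if any(mark in unquote_plus(v).lower() for v in values for mark in SCRIPT_MARKERS):
                findings.append(f"possible XSS probe in {name!r} on {LOGIN}")
    return findings

def scan(lines):
    """Run analyze() over an iterable of log lines; yields (line number, finding)."""
    return [(i, f) for i, line in enumerate(lines, 1) for f in analyze(line)]

# Constructed sample lines, not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [24/Dec/2025:10:00:01 +0000] "GET /antitheft.php?zone=1&on=1 HTTP/1.1" 200 512 "http://domina.local/home.php" "Mozilla/5.0"',
    '192.0.2.10 - - [24/Dec/2025:10:02:15 +0000] "GET /antitheft.php?zone=1&on=0 HTTP/1.1" 200 512 "http://attacker.example/" "Mozilla/5.0"',
    '192.0.2.10 - - [24/Dec/2025:10:03:00 +0000] "GET /bridge.php?sched=night&temp=16 HTTP/1.1" 200 300 "-" "Mozilla/5.0"',
    '192.0.2.22 - - [24/Dec/2025:10:04:10 +0000] "GET /login.php?User=%3Cscript%3E HTTP/1.1" 200 1000 "-" "curl/7.68.0"',
    '192.0.2.22 - - [24/Dec/2025:10:05:10 +0000] "GET /login.php HTTP/1.1" 200 1000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for lineno, finding in scan(SAMPLE_LOG):
        print(f"line {lineno}: {finding}")
```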
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the affected AVE DOMINAplus system to trusted networks only, disabling remote administrative access if possible, and educating users to avoid visiting untrusted or malicious websites while logged into the system. Since the vendor did not respond to vulnerability reports and no patches are mentioned, applying network-level protections such as web application firewalls (WAF) to block suspicious requests targeting vulnerable endpoints (/antitheft.php, /bridge.php, login.php) can help. Additionally, monitoring and logging administrative actions for anomalies is recommended until a proper fix or update is available. [1, 2]