CVE-2019-25233
Unknown Unknown - Not Provided
CSRF and XSS in AVE DOMINAplus 1.10.x Enable Admin Takeover

Publication date: 2025-12-24

Last updated on: 2025-12-24

Assigner: VulnCheck

Description
AVE DOMINAplus 1.10.x contains cross-site request forgery and cross-site scripting vulnerabilities that allow attackers to perform administrative actions without user consent. Attackers can craft malicious web pages to exploit login.php parameters and execute arbitrary scripts in user browser sessions.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-24
Last Modified
2025-12-24
Generated
2026-06-16
AI Q&A
2025-12-24
EPSS Evaluated
2026-06-15
NVD
CVE-2019-25233
EUVD
EUVD-2025-205318
Affected Vendors & Products
Showing 11 associated CPEs
Vendor Product Version / Range
ave domina_plus 1.10
ave touch_screen_code_ts01 1.0.65
ave touch_screen_code_ts03x-v 1.10.45a
apache http_server 2.2.22
ave web_server_code 1.10.62
ave touch_screen_code_ts05 1.10.36
php php 5.4.41
apache http_server 2.4.7
php php 5.5.9
php php 5.4.36
ave domina 1.10.x
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-352 The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2019-25233 affects AVE DOMINAplus 1.10.x, an advanced home automation system. It contains Cross-Site Request Forgery (CSRF) and Cross-Site Scripting (XSS) vulnerabilities. Attackers can craft malicious web pages that exploit the login.php parameters and other HTTP requests to perform unauthorized administrative actions without user consent. The system fails to validate the authenticity of requests and does not properly sanitize input parameters, allowing attackers to execute arbitrary scripts in the context of a logged-in user's browser session. [1, 2]

Impact Analysis

This vulnerability can allow attackers to perform unauthorized administrative actions on the AVE DOMINAplus system if a logged-in user visits a malicious website. For example, attackers can enable or disable alarms, change temperature schedules, or inject arbitrary HTML and JavaScript code that executes in the victim's browser session. This can lead to loss of control over home automation functions, potential privacy breaches, and manipulation of system settings without user consent. [1, 2]

Detection Guidance

This vulnerability can be detected by monitoring HTTP requests to the affected AVE DOMINAplus system for suspicious or unauthorized administrative actions performed without proper authentication, especially requests targeting endpoints like /antitheft.php and /bridge.php with parameters controlling alarm activation and temperature schedules. Additionally, testing for reflected Cross-Site Scripting (XSS) can be done by sending crafted POST requests to login.php with malicious payloads in the 'User' and 'Password' parameters to see if the input is unsanitized and reflected back. Network detection can include capturing and analyzing HTTP traffic for such suspicious GET or POST requests. Specific commands are not provided in the resources, but using tools like curl or Burp Suite to send crafted requests and observe responses can help detect the vulnerability. [1, 2]

Mitigation Strategies

Immediate mitigation steps include restricting access to the affected AVE DOMINAplus system to trusted networks only, disabling remote administrative access if possible, and educating users to avoid visiting untrusted or malicious websites while logged into the system. Since the vendor did not respond to vulnerability reports and no patches are mentioned, applying network-level protections such as web application firewalls (WAF) to block suspicious requests targeting vulnerable endpoints (/antitheft.php, /bridge.php, login.php) can help. Additionally, monitoring and logging administrative actions for anomalies is recommended until a proper fix or update is available. [1, 2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2019-25233. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart