CVE-2019-25234
Unknown Unknown - Not Provided
Cross-Site Scripting and CSRF in SmartHouse Webapp

Publication date: 2025-12-24

Last updated on: 2025-12-24

Assigner: VulnCheck

Description
SmartHouse Webapp 6.5.33 contains multiple cross-site request forgery and cross-site scripting vulnerabilities that allow attackers to perform unauthorized actions. Attackers can exploit these vulnerabilities by tricking logged-in users into visiting malicious websites or injecting malicious scripts into various application parameters.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-24
Last Modified
2025-12-24
Generated
2026-06-16
AI Q&A
2025-12-24
EPSS Evaluated
2026-06-15
NVD
CVE-2019-25234
EUVD
EUVD-2025-205314
Affected Vendors & Products
Showing 5 associated CPEs
Vendor Product Version / Range
carlo_gavazzi smarthouse_webapp 5.3.3
carlo_gavazzi smarthouse_webapp 5.5.3
carlo_gavazzi smarthouse_webapp 6.2.3
carlo_gavazzi smarthouse_webapp 6.5.32
carlo_gavazzi smarthouse_webapp 6.5.33
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-352 The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability in SmartHouse Webapp 6.5.33 involves multiple cross-site request forgery (CSRF) and cross-site scripting (XSS) issues. Attackers can exploit these by tricking logged-in users into visiting malicious websites or injecting malicious scripts into application parameters. CSRF allows unauthorized state-changing actions without verifying request origin, such as changing heating settings. XSS vulnerabilities include reflected and stored types, where malicious scripts can be injected and executed in the victim's browser, compromising user sessions and system integrity. [2]

Impact Analysis

This vulnerability can allow attackers to perform unauthorized administrative actions on the SmartHouse Webapp by exploiting CSRF, potentially changing system settings without user consent. Additionally, XSS vulnerabilities enable attackers to inject and execute arbitrary scripts in users' browsers, which can lead to session hijacking, data theft, or further compromise of the system's integrity. [2]

Detection Guidance

This vulnerability can be detected by monitoring for unauthorized or suspicious HTTP POST requests to endpoints such as /app/datasend.php that change state (e.g., setting heating parameters). Additionally, checking for reflected or stored XSS attempts by inspecting parameters like error, msg, p, l, f, name, grpl, and param[0][] in HTTP requests and responses can help detect exploitation attempts. Commands such as using curl or wget to simulate POST requests to /app/datasend.php with parameters like heat_set can help verify if CSRF protections are missing. For example: curl -X POST -d 'heat_set=25.5' http://target/app/datasend.php. Also, intercepting and analyzing HTTP traffic with tools like Burp Suite or OWASP ZAP can help detect malicious script injections or unauthorized actions. [2]

Mitigation Strategies

Immediate mitigation steps include implementing proper CSRF protections such as adding CSRF tokens to all state-changing requests to verify the legitimacy of the request origin. Input validation and sanitization should be enforced on all parameters to prevent XSS attacks, especially on parameters like error, msg, p, l, f, name, grpl, and param[0][]. Restricting or validating user input and applying output encoding can reduce the risk of script injection. Additionally, updating to a fixed or patched version of the SmartHouse Webapp, if available, is recommended. In the meantime, restricting access to the web application to trusted networks and educating users to avoid clicking on suspicious links can help reduce exploitation risk. [2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2019-25234. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart