{"id":"CVE-2019-18938","details":"eQ-3 Homematic CCU2 2.47.20 and CCU3 3.47.18 with the E-Mail AddOn through 1.6.8.c installed allow Remote Code Execution by unauthenticated attackers with access to the web interface via the save.cgi script for payload upload and the testtcl.cgi script for its execution.","modified":"2026-03-14T09:34:49.864549Z","published":"2019-11-14T19:15:13.347Z","references":[{"type":"EVIDENCE","url":"https://psytester.github.io/CVE-2019-18938/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/jens-maus/hm_email","events":[{"introduced":"0"},{"last_affected":"b2327178341aff5bbc264931e3c41ca3de1a8aea"},{"introduced":"0"},{"last_affected":"b2327178341aff5bbc264931e3c41ca3de1a8aea"},{"introduced":"0"},{"last_affected":"b2327178341aff5bbc264931e3c41ca3de1a8aea"},{"introduced":"0"},{"last_affected":"b2327178341aff5bbc264931e3c41ca3de1a8aea"},{"introduced":"0"},{"last_affected":"e2a2df3de1e8ec78aa2c7e39f70448ce43e67011"},{"introduced":"0"},{"last_affected":"e2a2df3de1e8ec78aa2c7e39f70448ce43e67011"},{"introduced":"0"},{"last_affected":"e2a2df3de1e8ec78aa2c7e39f70448ce43e67011"},{"introduced":"0"},{"last_affected":"e2a2df3de1e8ec78aa2c7e39f70448ce43e67011"},{"introduced":"0"},{"last_affected":"c0607989a335a9da896e4a91cfedeb1b3579ab60"},{"introduced":"0"},{"last_affected":"414964fe0bac923c60029349b835a65ec75dbd06"},{"introduced":"0"},{"last_affected":"ba7d242481155c6cfc9ce5e37859f62dfec723f8"},{"introduced":"0"},{"last_affected":"dfc359b0575431909cebc1ecf29b7488d8f3f4fd"},{"introduced":"0"},{"last_affected":"005668dd56ff9cc6cc295f7ef73891a591cfbd15"},{"introduced":"0"},{"last_affected":"52e718c730c1cb4ce1a97c547ed670a9c121d8bc"},{"introduced":"0"},{"last_affected":"b2327178341aff5bbc264931e3c41ca3de1a8aea"},{"introduced":"0"},{"last_affected":"b2327178341aff5bbc264931e3c41ca3de1a8aea"},{"introduced":"0"},{"last_affected":"b2327178341aff5bbc264931e3c41ca3de1a8aea"},{"introduced":"0"},{"last_affected":"b2327178341aff5bbc264931e3c41ca3de1a8aea"},{"introduced":"0"},{"last_affected":"e2a2df3de1e8ec78aa2c7e39f70448ce43e67011"},{"introduced":"0"},{"last_affected":"e2a2df3de1e8ec78aa2c7e39f70448ce43e67011"},{"introduced":"0"},{"last_affected":"e2a2df3de1e8ec78aa2c7e39f70448ce43e67011"},{"introduced":"0"},{"last_affected":"e2a2df3de1e8ec78aa2c7e39f70448ce43e67011"},{"introduced":"0"},{"last_affected":"c0607989a335a9da896e4a91cfedeb1b3579ab60"},{"introduced":"0"},{"last_affected":"414964fe0bac923c60029349b835a65ec75dbd06"},{"introduced":"0"},{"last_affected":"ba7d242481155c6cfc9ce5e37859f62dfec723f8"},{"introduced":"0"},{"last_affected":"dfc359b0575431909cebc1ecf29b7488d8f3f4fd"},{"introduced":"0"},{"last_affected":"005668dd56ff9cc6cc295f7ef73891a591cfbd15"},{"introduced":"0"},{"last_affected":"52e718c730c1cb4ce1a97c547ed670a9c121d8bc"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"1.6.8c"},{"introduced":"0"},{"last_affected":"1.6.8c"},{"introduced":"0"},{"last_affected":"1.6.8b"},{"introduced":"0"},{"last_affected":"1.6.8a"},{"introduced":"0"},{"last_affected":"1.6.7c"},{"introduced":"0"},{"last_affected":"1.6.7b"},{"introduced":"0"},{"last_affected":"1.6.7a"},{"introduced":"0"},{"last_affected":"1.6.7"},{"introduced":"0"},{"last_affected":"1.6.6"},{"introduced":"0"},{"last_affected":"1.6.5"},{"introduced":"0"},{"last_affected":"1.6.4"},{"introduced":"0"},{"last_affected":"1.6.3"},{"introduced":"0"},{"last_affected":"1.6.2"},{"introduced":"0"},{"last_affected":"1.6.0"},{"introduced":"0"},{"last_affected":"1.6.8"},{"introduced":"0"},{"last_affected":"1.6.8b"},{"introduced":"0"},{"last_affected":"1.6.8a"},{"introduced":"0"},{"last_affected":"1.6.8"},{"introduced":"0"},{"last_affected":"1.6.7c"},{"introduced":"0"},{"last_affected":"1.6.7b"},{"introduced":"0"},{"last_affected":"1.6.7a"},{"introduced":"0"},{"last_affected":"1.6.7"},{"introduced":"0"},{"last_affected":"1.6.6"},{"introduced":"0"},{"last_affected":"1.6.5"},{"introduced":"0"},{"last_affected":"1.6.4"},{"introduced":"0"},{"last_affected":"1.6.3"},{"introduced":"0"},{"last_affected":"1.6.2"},{"introduced":"0"},{"last_affected":"1.6.0"}]}}],"versions":["1.6.0","1.6.2","1.6.3","1.6.4","1.6.5","1.6.6","1.6.7","1.6.7a","1.6.7b","1.6.7c","1.6.8","1.6.8a","1.6.8b","1.6.8c"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-18938.json","unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"2.24.20"}]},{"events":[{"introduced":"0"},{"last_affected":"3.47.18"}]},{"events":[{"introduced":"0"},{"last_affected":"2.24.20"}]},{"events":[{"introduced":"0"},{"last_affected":"2.24.20"}]},{"events":[{"introduced":"0"},{"last_affected":"2.24.20"}]},{"events":[{"introduced":"0"},{"last_affected":"2.24.20"}]},{"events":[{"introduced":"0"},{"last_affected":"2.24.20"}]},{"events":[{"introduced":"0"},{"last_affected":"2.24.20"}]},{"events":[{"introduced":"0"},{"last_affected":"2.24.20"}]},{"events":[{"introduced":"0"},{"last_affected":"2.24.20"}]},{"events":[{"introduced":"0"},{"last_affected":"2.24.20"}]},{"events":[{"introduced":"0"},{"last_affected":"2.24.20"}]},{"events":[{"introduced":"0"},{"last_affected":"2.24.20"}]},{"events":[{"introduced":"0"},{"last_affected":"2.24.20"}]},{"events":[{"introduced":"0"},{"last_affected":"2.24.20"}]},{"events":[{"introduced":"0"},{"last_affected":"3.47.18"}]},{"events":[{"introduced":"0"},{"last_affected":"3.47.18"}]},{"events":[{"introduced":"0"},{"last_affected":"3.47.18"}]},{"events":[{"introduced":"0"},{"last_affected":"3.47.18"}]},{"events":[{"introduced":"0"},{"last_affected":"3.47.18"}]},{"events":[{"introduced":"0"},{"last_affected":"3.47.18"}]},{"events":[{"introduced":"0"},{"last_affected":"3.47.18"}]},{"events":[{"introduced":"0"},{"last_affected":"3.47.18"}]},{"events":[{"introduced":"0"},{"last_affected":"3.47.18"}]},{"events":[{"introduced":"0"},{"last_affected":"3.47.18"}]},{"events":[{"introduced":"0"},{"last_affected":"3.47.18"}]},{"events":[{"introduced":"0"},{"last_affected":"3.47.18"}]},{"events":[{"introduced":"0"},{"last_affected":"3.47.18"}]}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}