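Smartwares HOME easy 1.0.9 contains an authentication bypass vulnerability that allows unauthenticated attackers to access administrative web pages by disabling JavaScript. Attackers can navigate to multiple administrative endpoints to bypass client-side validation and access sensitive system information. The behaviour described indicates that the access check runs only in browser-side script, so the durable fix is for the server to enforce authentication and authorization on every administrative page.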
PUBLISHED | 5.2 | CWE-639
Smartwares HOME easy 1.0.9 Client-Side Authentication Bypass via Web Pages
Problem type
Affected products
Smartwares
Smartwares HOME easy
1.0.9 - AFFECTED
References
ExploitDB-47595
https://www.exploit-db.com/exploits/47595
Official Product Homepage
https://www.smartwares.eu
Zero Science Lab Disclosure (ZSL-2019-5540)
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5540.php
GitHub Security Advisories
GHSA-2gww-fh48-p92f
Smartwares HOME easy 1.0.9 contains an authentication bypass vulnerability that allows...
https://github.com/advisories/GHSA-2gww-fh48-p92f
Smartwares HOME easy 1.0.9 contains an authentication bypass vulnerability that allows unauthenticated attackers to access administrative web pages by disabling JavaScript. Attackers can navigate to multiple administrative endpoints to bypass client-side validation and access sensitive system information.
JSON source
https://cveawg.mitre.org/api/cve/CVE-2019-25235
{
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"cveMetadata": {
"cveId": "CVE-2019-25235",
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"dateUpdated": "2025-12-24T20:23:58.323Z",
"dateReserved": "2025-12-24T14:27:12.475Z",
"datePublished": "2025-12-24T19:27:55.565Z",
"state": "PUBLISHED"
},
"containers": {
"cna": {
"providerMetadata": {
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck",
"dateUpdated": "2025-12-24T19:27:55.565Z"
},
"datePublic": "2019-11-05T00:00:00.000Z",
"title": "Smartwares HOME easy 1.0.9 Client-Side Authentication Bypass via Web Pages",
"descriptions": [
{
"lang": "en",
"value": "Smartwares HOME easy 1.0.9 contains an authentication bypass vulnerability that allows unauthenticated attackers to access administrative web pages by disabling JavaScript. Attackers can navigate to multiple administrative endpoints and to bypass client-side validation and access sensitive system information."
}
],
"affected": [
{
"vendor": "Smartwares",
"product": "Smartwares HOME easy",
"versions": [
{
"version": "1.0.9",
"status": "affected"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"lang": "en",
"description": "Authorization Bypass Through User-Controlled Key",
"cweId": "CWE-639",
"type": "CWE"
}
]
}
],
"references": [
{
"url": "https://www.exploit-db.com/exploits/47595",
"name": "ExploitDB-47595",
"tags": [
"exploit"
]
},
{
"url": "https://www.smartwares.eu",
"name": "Official Product Homepage",
"tags": [
"product"
]
},
{
"url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5540.php",
"name": "Zero Science Lab Disclosure (ZSL-2019-5540)",
"tags": [
"third-party-advisory"
]
}
],
"metrics": [
{
"format": "CVSS"
},
{
"format": "CVSS",
"cvssV3_1": {
"version": "3.1",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"attackVector": "NETWORK",
"attackComplexity": "LOW",
"privilegesRequired": "NONE",
"userInteraction": "NONE",
"scope": "UNCHANGED",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL"
}
}
],
"credits": [
{
"lang": "en",
"value": "LiquidWorm as Gjoko Krstic of Zero Science Lab",
"type": "finder"
}
]
},
"adp": [
{
"providerMetadata": {
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP",
"dateUpdated": "2025-12-24T20:23:58.323Z"
},
"title": "CISA ADP Vulnrichment",
"references": [
{
"url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5540.php",
"tags": [
"exploit"
]
}
],
"metrics": [
{}
]
}
]
}
}