Zurück zur Übersicht

Miele: Vulnerability in ease2pay cloud service used by appWash

VDE-2022-052
Last update
21.11.2022 10:00
Published at
21.11.2022 10:00
Vendor(s)
Miele & Cie KG
External ID
VDE-2022-052
CSAF Document
Download

Summary

Up until October 5th, 2022 the ease2pay API used by Miele's "AppWash" MobileApp was vulnerable to an authorization bypass. A low privileged, remote attacker would have been able to gain read and partial write access to other users data by modifying a small part of a HTTP request sent to the API. Reading or changing the password of another user was not possible, thus no impact to Availability.

Impact

The evaluation of the log files by ease2pay did not show any sign of actual exploitation of the vulnerability, extraction of data or misuse.

Affected Product(s)

Model no. Product name Affected versions
appWash by Miele vers:all/* appWash by Miele vers:all/*

Vulnerabilities

Expand / Collapse all

Published
22.09.2025 14:58
Severity
8.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Weakness
Authorization Bypass Through User-Controlled Key (CWE-639)
Summary

An API Endpoint used by Miele's "AppWash" MobileApp in all versions was vulnerable to an authorization bypass. A low privileged, remote attacker would have been able to gain read and partial write access to other users data by modifying a small part of a HTTP request sent to the API. Reading or changing the password of another user was not possible, thus no impact to Availability.

References
cve.org | nvd.nist.gov

Remediation

The ease2pay cloud service used by appWash was fixed on 05.10.2022. The tokens used for session authentication were changed to a secure state of the art solution. All affected tokens have been invalidated and new tokens were issued.
Therefore, no actions have to be taken by the users.

Revision History

Version Date Summary
1 21.11.2022 10:00 Initial revision.