Heatmiser Wifi Thermostat Cross-Site Request Forgery Vulnerability
Vulnerability
A cross-site request forgery (CSRF) vulnerability has been identified in the Heatmiser Wifi Thermostat version 1.7. The request that changes the administrator username and password is sent to the 'networkSetup.htm' endpoint, and the device does not verify that the request originated from its own web interface (for example with an anti-CSRF token). An attacker who lures a user with an active, authenticated browser session into visiting a page they control can have that page submit a form to 'networkSetup.htm' carrying the parameters that set the admin username and password; the browser attaches the victim's session, so the credentials are changed without the user's consent or knowledge.
Impact
Exploitation of this vulnerability allows unauthorized modification of the admin credentials on the affected thermostat. Because the attacker chooses the new username and password, they can subsequently log in as administrator, while the legitimate administrator's credentials no longer work until they are reset.
Reproduction
To reproduce this vulnerability, host an HTML page containing a form whose action is the thermostat's 'networkSetup.htm' endpoint and whose hidden fields are the 'usnm', 'usps' and 'cfps' parameters, with a script that submits the form automatically when the page loads. When a user who is logged in to the thermostat in the same browser opens that page, the browser submits the form with the user's session and the admin username and password are changed without their knowledge.
