A vulnerability in SenseLive X3050's web management interface allows state-changing operations to be triggered without proper Cross-Site Request Forgery (CSRF) protections. Because the application does not enforce server-side validation of request origin or implement CSRF tokens, a malicious external webpage could cause a user's browser to submit unauthorized configuration requests to the device.
SenseLive did not respond to CISA's requests to coordinate. Affected users are encouraged to reach out to SenseLive for more information. https://senselive.io/contact