PT-2020-12259 · Ewon · Ewon Flexy+1
Published
2020-04-08
·
Updated
2020-04-08
·
CVE-2020-10633
CVSS v3.1
6.1
Medium
| Vector | AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
eWON Flexy and Cosy versions prior to 14.1s0
Description
A non-persistent XSS (cross-site scripting) issue exists, allowing an attacker to send a specially crafted URL to initiate a password change for the device. The target must introduce the credentials to the gateway before the attack can be successful.
Recommendations
For versions prior to 14.1s0, update to version 14.1s0 or later to resolve the issue. As a temporary workaround, consider restricting access to the device's password change functionality until a patch is available. Avoid using the device's password change feature via a URL until the issue is resolved.
Fix
XSS
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Ewon Cosy
Ewon Flexy