PT-2024-25532 · Cosy+ · Cosy+
Published: 2024-08-02 · Updated: 2024-09-03 · CVE-2024-33895
CVSS v3.1: 6.6 (Medium)
Vector: AV:P/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Cosy+ devices versions 21.x below 21.2s10
Cosy+ devices versions 22.x below 22.1s3
Description
The issue concerns the key used to encrypt configuration parameters in Cosy+ devices. In affected versions this key is not unique per device, which poses a security risk. The problem is fixed in versions 21.2s10 and 22.1s3, where the key is now unique per device.
Recommendations
For Cosy+ devices versions 21.x below 21.2s10, update to version 21.2s10 to fix the issue.
For Cosy+ devices versions 22.x below 22.1s3, update to version 22.1s3 to fix the issue.
Exploit
Fix
Using Hardcoded Credentials
Affected Products
Cosy+