CVE-2020-16230 - All version of Ewon Flexy and Cosy prior to 14.1 use wildcards such as (*) under which domains can r

CVE-2020-16230

Summary

All version of Ewon Flexy and Cosy prior to 14.1 use wildcards such as (*) under which domains can request resources. An attacker with local access and high privileges could inject scripts into the Cross-origin Resource Sharing (CORS) configuration that could abuse this vulnerability, allowing the attacker to retrieve limited confidential information through sniffing.

References

https://us-cert.cisa.gov/ics/advisories/icsa-20-254-03

Vulnerable Configurations

cpe:2.3:o:hms-networks:ewon_flexy_firmware:-:*:*:*:*:*:*:*
cpe:2.3:o:hms-networks:ewon_flexy_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:hms-networks:ewon_flexy:-:*:*:*:*:*:*:*
cpe:2.3:h:hms-networks:ewon_flexy:-:*:*:*:*:*:*:*
cpe:2.3:o:hms-networks:ewon_cosy_firmware:-:*:*:*:*:*:*:*
cpe:2.3:o:hms-networks:ewon_cosy_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:hms-networks:ewon_cosy:-:*:*:*:*:*:*:*
cpe:2.3:h:hms-networks:ewon_cosy:-:*:*:*:*:*:*:*

CVSS

Base:	2.1 (as of 22-11-2021 - 16:25)
Impact:
Exploitability:

CWE

NVD-CWE-Other

CAPEC

Access

Vector	Complexity	Authentication
LOCAL	LOW	NONE

Impact

Confidentiality	Integrity	Availability
PARTIAL	NONE	NONE

cvss-vector via4

AV:L/AC:L/Au:N/C:P/I:N/A:N

refmap via4

misc

https://us-cert.cisa.gov/ics/advisories/icsa-20-289-01

Last major update

22-11-2021 - 16:25

Published

18-09-2020 - 19:15

Last modified

22-11-2021 - 16:25