VAR-202004-0054
Vulnerability from variot - Updated: 2023-12-18 11:58A non-persistent XSS (cross-site scripting) vulnerability exists in eWON Flexy and Cosy (all firmware versions prior to 14.1s0). An attacker could send a specially crafted URL to initiate a password change for the device. The target must introduce the credentials to the gateway before the attack can be successful. HMS Networks eWON Flexy and HMS Networks eWON Cosy are products of Swedish HMS Networks. HMS Networks eWON Flexy is an industrial VPN router. HMS Networks eWON Cosy is a gateway product for remote access. The vulnerability stems from the lack of proper verification of client data by WEB applications. Attackers can use this vulnerability to execute client code
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-202004-0054",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "ewon cosy",
"scope": "lt",
"trust": 1.0,
"vendor": "hms",
"version": "14.1s0"
},
{
"model": "ewon flexy",
"scope": "lt",
"trust": 1.0,
"vendor": "hms",
"version": "14.1s0"
},
{
"model": "ewon cosy",
"scope": "eq",
"trust": 0.8,
"vendor": "hms industrial ab",
"version": "14.1s0"
},
{
"model": "ewon flexy",
"scope": "eq",
"trust": 0.8,
"vendor": "hms industrial ab",
"version": "14.1s0"
},
{
"model": "networks ewon flexy \u003c14.1s0",
"scope": null,
"trust": 0.6,
"vendor": "hms",
"version": null
},
{
"model": "networks ewon cosy \u003c14.1s0",
"scope": null,
"trust": 0.6,
"vendor": "hms",
"version": null
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2020-35484"
},
{
"db": "JVNDB",
"id": "JVNDB-2020-003872"
},
{
"db": "NVD",
"id": "CVE-2020-10633"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:hms-networks:ewon_flexy_firmware:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "14.1s0",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:hms-networks:ewon_flexy:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
},
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:hms-networks:ewon_cosy_firmware:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "14.1s0",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:hms-networks:ewon_cosy:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
}
]
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2020-10633"
}
]
},
"cve": "CVE-2020-10633",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"acInsufInfo": false,
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "NVD",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"integrityImpact": "PARTIAL",
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"trust": 1.0,
"userInteractionRequired": true,
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
{
"acInsufInfo": null,
"accessComplexity": "Medium",
"accessVector": "Network",
"authentication": "None",
"author": "NVD",
"availabilityImpact": "None",
"baseScore": 4.3,
"confidentialityImpact": "None",
"exploitabilityScore": null,
"id": "JVNDB-2020-003872",
"impactScore": null,
"integrityImpact": "Partial",
"obtainAllPrivilege": null,
"obtainOtherPrivilege": null,
"obtainUserPrivilege": null,
"severity": "Medium",
"trust": 0.8,
"userInteractionRequired": null,
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
{
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "CNVD",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"exploitabilityScore": 8.6,
"id": "CNVD-2020-35484",
"impactScore": 2.9,
"integrityImpact": "PARTIAL",
"severity": "MEDIUM",
"trust": 0.6,
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"author": "NVD",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"trust": 1.0,
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
{
"attackComplexity": "Low",
"attackVector": "Network",
"author": "NVD",
"availabilityImpact": "None",
"baseScore": 6.1,
"baseSeverity": "Medium",
"confidentialityImpact": "Low",
"exploitabilityScore": null,
"id": "JVNDB-2020-003872",
"impactScore": null,
"integrityImpact": "Low",
"privilegesRequired": "None",
"scope": "Changed",
"trust": 0.8,
"userInteraction": "Required",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
}
],
"severity": [
{
"author": "NVD",
"id": "CVE-2020-10633",
"trust": 1.0,
"value": "MEDIUM"
},
{
"author": "NVD",
"id": "JVNDB-2020-003872",
"trust": 0.8,
"value": "Medium"
},
{
"author": "CNVD",
"id": "CNVD-2020-35484",
"trust": 0.6,
"value": "MEDIUM"
},
{
"author": "CNNVD",
"id": "CNNVD-202004-376",
"trust": 0.6,
"value": "MEDIUM"
}
]
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2020-35484"
},
{
"db": "JVNDB",
"id": "JVNDB-2020-003872"
},
{
"db": "NVD",
"id": "CVE-2020-10633"
},
{
"db": "CNNVD",
"id": "CNNVD-202004-376"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "A non-persistent XSS (cross-site scripting) vulnerability exists in eWON Flexy and Cosy (all firmware versions prior to 14.1s0). An attacker could send a specially crafted URL to initiate a password change for the device. The target must introduce the credentials to the gateway before the attack can be successful. HMS Networks eWON Flexy and HMS Networks eWON Cosy are products of Swedish HMS Networks. HMS Networks eWON Flexy is an industrial VPN router. HMS Networks eWON Cosy is a gateway product for remote access. The vulnerability stems from the lack of proper verification of client data by WEB applications. Attackers can use this vulnerability to execute client code",
"sources": [
{
"db": "NVD",
"id": "CVE-2020-10633"
},
{
"db": "JVNDB",
"id": "JVNDB-2020-003872"
},
{
"db": "CNVD",
"id": "CNVD-2020-35484"
}
],
"trust": 2.16
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "ICS CERT",
"id": "ICSA-20-098-03",
"trust": 3.0
},
{
"db": "NVD",
"id": "CVE-2020-10633",
"trust": 3.0
},
{
"db": "JVNDB",
"id": "JVNDB-2020-003872",
"trust": 0.8
},
{
"db": "CNVD",
"id": "CNVD-2020-35484",
"trust": 0.6
},
{
"db": "NSFOCUS",
"id": "47764",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2020.1253",
"trust": 0.6
},
{
"db": "CNNVD",
"id": "CNNVD-202004-376",
"trust": 0.6
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2020-35484"
},
{
"db": "JVNDB",
"id": "JVNDB-2020-003872"
},
{
"db": "NVD",
"id": "CVE-2020-10633"
},
{
"db": "CNNVD",
"id": "CNNVD-202004-376"
}
]
},
"id": "VAR-202004-0054",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "CNVD",
"id": "CNVD-2020-35484"
}
],
"trust": 1.4214285666666666
},
"iot_taxonomy": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"category": [
"Network device"
],
"sub_category": null,
"trust": 0.6
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2020-35484"
}
]
},
"last_update_date": "2023-12-18T11:58:32.603000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "Top Page",
"trust": 0.8,
"url": "https://www.netbiter.com/home"
},
{
"title": "Patch for HMS Networks eWON Flexy and eWON Cosy cross-site scripting vulnerabilities",
"trust": 0.6,
"url": "https://www.cnvd.org.cn/patchinfo/show/224003"
},
{
"title": "HMS Networks eWON Flexy and eWON Cosy Fixes for cross-site scripting vulnerabilities",
"trust": 0.6,
"url": "http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=115596"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2020-35484"
},
{
"db": "JVNDB",
"id": "JVNDB-2020-003872"
},
{
"db": "CNNVD",
"id": "CNNVD-202004-376"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-79",
"trust": 1.8
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2020-003872"
},
{
"db": "NVD",
"id": "CVE-2020-10633"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 3.0,
"url": "https://www.us-cert.gov/ics/advisories/icsa-20-098-03"
},
{
"trust": 1.4,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-10633"
},
{
"trust": 0.8,
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-10633"
},
{
"trust": 0.6,
"url": "http://www.nsfocus.net/vulndb/47764"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2020.1253/"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2020-35484"
},
{
"db": "JVNDB",
"id": "JVNDB-2020-003872"
},
{
"db": "NVD",
"id": "CVE-2020-10633"
},
{
"db": "CNNVD",
"id": "CNNVD-202004-376"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "CNVD",
"id": "CNVD-2020-35484"
},
{
"db": "JVNDB",
"id": "JVNDB-2020-003872"
},
{
"db": "NVD",
"id": "CVE-2020-10633"
},
{
"db": "CNNVD",
"id": "CNNVD-202004-376"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2020-07-01T00:00:00",
"db": "CNVD",
"id": "CNVD-2020-35484"
},
{
"date": "2020-04-27T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2020-003872"
},
{
"date": "2020-04-08T01:15:11.953000",
"db": "NVD",
"id": "CVE-2020-10633"
},
{
"date": "2020-04-07T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202004-376"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2020-07-01T00:00:00",
"db": "CNVD",
"id": "CNVD-2020-35484"
},
{
"date": "2020-04-27T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2020-003872"
},
{
"date": "2020-04-08T20:51:49.277000",
"db": "NVD",
"id": "CVE-2020-10633"
},
{
"date": "2020-08-14T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202004-376"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202004-376"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "eWON Flexy and Cosy Cross-site scripting vulnerability in",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2020-003872"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "XSS",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202004-376"
}
],
"trust": 0.6
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…