ID

VAR-201512-0017


CVE

CVE-2015-7924


TITLE

Vulnerability in eWON device firmware that allows access rights to be gained

Trust: 0.8

sources: JVNDB: JVNDB-2015-006504

DESCRIPTION

eWON devices with firmware before 10.1s0 do not trigger the discarding of browser session data in response to a log-off action, which makes it easier for remote attackers to obtain access by leveraging an unattended workstation.

Supplementary information: the vulnerability type has been identified as CWE-613: Insufficient Session Expiration (Incorrect session deadline). https://cwe.mitre.org/data/definitions/613.html

A third party may gain access by using an unattended workstation. eWON is an industrial router product of the Belgian eWON company. An attacker could exploit the vulnerability to interact with the device using the same session.

eWON devices are prone to the following security vulnerabilities:

1. A cross-site request forgery vulnerability
3. Unauthorized Access Vulnerability
4. HTML-injection vulnerability
5. Plain text password information disclosure vulnerability
6. A security weakness

An attacker can exploit these issues to bypass the authentication mechanism and gain unauthorized access, execute attacker-supplied HTML or JavaScript code in the context of the affected site, steal cookie-based authentication credentials, obtain sensitive information, and perform certain unauthorized actions. This may aid in further attacks.

There is a security vulnerability in eWON using firmware 10.0s0 and earlier versions.

Trust: 2.61

sources: NVD: CVE-2015-7924 // JVNDB: JVNDB-2015-006504 // CNVD: CNVD-2015-08450 // BID: 79625 // VULHUB: VHN-85885 // VULMON: CVE-2015-7924

IOT TAXONOMY

category: ['Network device'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2015-08450

AFFECTED PRODUCTS

vendor: ewon, model: ewon, scope: lte, version: 10.0s0

Trust: 1.0

vendor: ewon, model: ewon, scope: lt, version: 10.1s0

Trust: 0.8

vendor: ewon, model: <10.1s0, scope: -, version: -

Trust: 0.6

vendor: ewon, model: ewon, scope: eq, version: 10.0s0

Trust: 0.6

vendor: ewon, model: ewon, scope: eq, version: 0

Trust: 0.3

vendor: ewon, model: 10.1s0, scope: ne, version: -

Trust: 0.3

sources: CNVD: CNVD-2015-08450 // BID: 79625 // JVNDB: JVNDB-2015-006504 // CNNVD: CNNVD-201512-546 // NVD: CVE-2015-7924

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2015-7924
value: HIGH

Trust: 1.0

NVD: CVE-2015-7924
value: HIGH

Trust: 0.8

CNVD: CNVD-2015-08450
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201512-546
value: HIGH

Trust: 0.6

VULHUB: VHN-85885
value: HIGH

Trust: 0.1

VULMON: CVE-2015-7924
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2015-7924
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

CNVD: CNVD-2015-08450
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

VULHUB: VHN-85885
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2015-7924
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.0

Trust: 1.0

sources: CNVD: CNVD-2015-08450 // VULHUB: VHN-85885 // VULMON: CVE-2015-7924 // JVNDB: JVNDB-2015-006504 // CNNVD: CNNVD-201512-546 // NVD: CVE-2015-7924

PROBLEMTYPE DATA

problemtype:NVD-CWE-Other

Trust: 1.0

problemtype:CWE-Other

Trust: 0.8

sources: JVNDB: JVNDB-2015-006504 // NVD: CVE-2015-7924

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201512-546

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-201512-546

CONFIGURATIONS

sources: JVNDB: JVNDB-2015-006504

PATCH

title: eWON Security Enhancement (FW 10.1s0), url: http://ewon.biz/support/news/support/ewon-security-enhancement-7529-01

Trust: 0.8

title: Patch for eWON weak session management vulnerability, url: https://www.cnvd.org.cn/patchInfo/show/68894

Trust: 0.6

title: eWON Security vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=59313

Trust: 0.6

sources: CNVD: CNVD-2015-08450 // JVNDB: JVNDB-2015-006504 // CNNVD: CNNVD-201512-546

EXTERNAL IDS

db: NVD, id: CVE-2015-7924

Trust: 3.5

db: ICS CERT, id: ICSA-15-351-03

Trust: 2.9

db: BID, id: 79625

Trust: 2.7

db: JVNDB, id: JVNDB-2015-006504

Trust: 0.8

db: CNNVD, id: CNNVD-201512-546

Trust: 0.7

db: CNVD, id: CNVD-2015-08450

Trust: 0.6

db: VULHUB, id: VHN-85885

Trust: 0.1

db: VULMON, id: CVE-2015-7924

Trust: 0.1

sources: CNVD: CNVD-2015-08450 // VULHUB: VHN-85885 // VULMON: CVE-2015-7924 // BID: 79625 // JVNDB: JVNDB-2015-006504 // CNNVD: CNNVD-201512-546 // NVD: CVE-2015-7924

REFERENCES

url:https://ics-cert.us-cert.gov/advisories/icsa-15-351-03

Trust: 3.0

url:http://www.securityfocus.com/bid/79625

Trust: 2.4

url:http://ewon.biz/support/news/support/ewon-security-enhancement-7529-01

Trust: 1.8

url:http://seclists.org/fulldisclosure/2015/dec/118

Trust: 1.2

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-7924

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2015-7924

Trust: 0.8

url:http://ewon.biz

Trust: 0.3

url:https://cwe.mitre.org/data/definitions/.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

sources: CNVD: CNVD-2015-08450 // VULHUB: VHN-85885 // VULMON: CVE-2015-7924 // BID: 79625 // JVNDB: JVNDB-2015-006504 // CNNVD: CNNVD-201512-546 // NVD: CVE-2015-7924

CREDITS

Karn Ganeshen

Trust: 0.9

sources: BID: 79625 // CNNVD: CNNVD-201512-546

SOURCES

db: CNVD, id: CNVD-2015-08450
db: VULHUB, id: VHN-85885
db: VULMON, id: CVE-2015-7924
db: BID, id: 79625
db: JVNDB, id: JVNDB-2015-006504
db: CNNVD, id: CNNVD-201512-546
db: NVD, id: CVE-2015-7924

LAST UPDATE DATE

2025-04-13T23:14:24.038000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2015-08450, date: 2015-12-24T00:00:00
db: VULHUB, id: VHN-85885, date: 2016-12-07T00:00:00
db: VULMON, id: CVE-2015-7924, date: 2016-12-07T00:00:00
db: BID, id: 79625, date: 2015-12-17T00:00:00
db: JVNDB, id: JVNDB-2015-006504, date: 2015-12-24T00:00:00
db: CNNVD, id: CNNVD-201512-546, date: 2015-12-24T00:00:00
db: NVD, id: CVE-2015-7924, date: 2025-04-12T10:46:40.837

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2015-08450, date: 2015-12-24T00:00:00
db: VULHUB, id: VHN-85885, date: 2015-12-23T00:00:00
db: VULMON, id: CVE-2015-7924, date: 2015-12-23T00:00:00
db: BID, id: 79625, date: 2015-12-17T00:00:00
db: JVNDB, id: JVNDB-2015-006504, date: 2015-12-24T00:00:00
db: CNNVD, id: CNNVD-201512-546, date: 2015-12-21T00:00:00
db: NVD, id: CVE-2015-7924, date: 2015-12-23T11:59:00.127