ID

VAR-202004-0054


CVE

CVE-2020-10633


TITLE

eWON Flexy and Cosy Cross-site scripting vulnerability in

Trust: 0.8

sources: JVNDB: JVNDB-2020-003872

DESCRIPTION

A non-persistent XSS (cross-site scripting) vulnerability exists in eWON Flexy and Cosy (all firmware versions prior to 14.1s0). An attacker could send a specially crafted URL to initiate a password change for the device. The target must enter the credentials into the gateway before the attack can be successful. HMS Networks eWON Flexy and HMS Networks eWON Cosy are products of the Swedish company HMS Networks. HMS Networks eWON Flexy is an industrial VPN router. HMS Networks eWON Cosy is a gateway product for remote access. The vulnerability stems from the web application's lack of proper validation of client-supplied data. Attackers can use this vulnerability to execute client-side code.

Trust: 2.16

sources: NVD: CVE-2020-10633 // JVNDB: JVNDB-2020-003872 // CNVD: CNVD-2020-35484

IOT TAXONOMY

category: ['Network device'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2020-35484

AFFECTED PRODUCTS

vendor: hms, model: ewon cosy, scope: lt, version: 14.1s0

Trust: 1.0

vendor: hms, model: ewon flexy, scope: lt, version: 14.1s0

Trust: 1.0

vendor: hms industrial ab, model: ewon cosy, scope: eq, version: 14.1s0

Trust: 0.8

vendor: hms industrial ab, model: ewon flexy, scope: eq, version: 14.1s0

Trust: 0.8

vendor: hms, model: networks ewon flexy <14.1s0, scope: -, version: -

Trust: 0.6

vendor: hms, model: networks ewon cosy <14.1s0, scope: -, version: -

Trust: 0.6

sources: CNVD: CNVD-2020-35484 // JVNDB: JVNDB-2020-003872 // NVD: CVE-2020-10633

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2020-10633
value: MEDIUM

Trust: 1.0

NVD: JVNDB-2020-003872
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2020-35484
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-202004-376
value: MEDIUM

Trust: 0.6

nvd@nist.gov: CVE-2020-10633
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

NVD: JVNDB-2020-003872
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

CNVD: CNVD-2020-35484
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

nvd@nist.gov: CVE-2020-10633
baseSeverity: MEDIUM
baseScore: 6.1
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 2.7
version: 3.1

Trust: 1.0

NVD: JVNDB-2020-003872
baseSeverity: MEDIUM
baseScore: 6.1
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2020-35484 // JVNDB: JVNDB-2020-003872 // CNNVD: CNNVD-202004-376 // NVD: CVE-2020-10633

PROBLEMTYPE DATA

problemtype:CWE-79

Trust: 1.8

sources: JVNDB: JVNDB-2020-003872 // NVD: CVE-2020-10633

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202004-376

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-202004-376

CONFIGURATIONS

sources: JVNDB: JVNDB-2020-003872

PATCH

title: Top Page, url: https://www.netbiter.com/home

Trust: 0.8

title: Patch for HMS Networks eWON Flexy and eWON Cosy cross-site scripting vulnerabilities, url: https://www.cnvd.org.cn/patchInfo/show/224003

Trust: 0.6

title: HMS Networks eWON Flexy and eWON Cosy Fixes for cross-site scripting vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=115596

Trust: 0.6

sources: CNVD: CNVD-2020-35484 // JVNDB: JVNDB-2020-003872 // CNNVD: CNNVD-202004-376

EXTERNAL IDS

db: ICS CERT, id: ICSA-20-098-03

Trust: 3.0

db: NVD, id: CVE-2020-10633

Trust: 3.0

db: JVNDB, id: JVNDB-2020-003872

Trust: 0.8

db: CNVD, id: CNVD-2020-35484

Trust: 0.6

db: NSFOCUS, id: 47764

Trust: 0.6

db: AUSCERT, id: ESB-2020.1253

Trust: 0.6

db: CNNVD, id: CNNVD-202004-376

Trust: 0.6

sources: CNVD: CNVD-2020-35484 // JVNDB: JVNDB-2020-003872 // CNNVD: CNNVD-202004-376 // NVD: CVE-2020-10633

REFERENCES

url:https://www.us-cert.gov/ics/advisories/icsa-20-098-03

Trust: 3.0

url:https://nvd.nist.gov/vuln/detail/cve-2020-10633

Trust: 1.4

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-10633

Trust: 0.8

url:http://www.nsfocus.net/vulndb/47764

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2020.1253/

Trust: 0.6

sources: CNVD: CNVD-2020-35484 // JVNDB: JVNDB-2020-003872 // CNNVD: CNNVD-202004-376 // NVD: CVE-2020-10633

SOURCES

db: CNVD, id: CNVD-2020-35484
db: JVNDB, id: JVNDB-2020-003872
db: CNNVD, id: CNNVD-202004-376
db: NVD, id: CVE-2020-10633

LAST UPDATE DATE

2024-11-23T21:51:36.327000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2020-35484, date: 2020-07-01T00:00:00
db: JVNDB, id: JVNDB-2020-003872, date: 2020-04-27T00:00:00
db: CNNVD, id: CNNVD-202004-376, date: 2020-08-14T00:00:00
db: NVD, id: CVE-2020-10633, date: 2024-11-21T04:55:44.407

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2020-35484, date: 2020-07-01T00:00:00
db: JVNDB, id: JVNDB-2020-003872, date: 2020-04-27T00:00:00
db: CNNVD, id: CNNVD-202004-376, date: 2020-04-07T00:00:00
db: NVD, id: CVE-2020-10633, date: 2020-04-08T01:15:11.953