ID

VAR-202009-1589


CVE

CVE-2020-16230


TITLE

Cross-domain vulnerability in HMS Networks Ewon Flexy and Ewon Cosy

Trust: 0.8

sources: JVNDB: JVNDB-2020-008459

DESCRIPTION

All versions of Ewon Flexy and Cosy prior to 14.1 use wildcards such as (*) to specify which domains can request resources. An attacker with local access and high privileges could inject scripts into the Cross-Origin Resource Sharing (CORS) configuration to abuse this vulnerability, allowing the attacker to retrieve limited confidential information through sniffing. Ewon Flexy and Ewon Cosy, provided by HMS Networks, are industrial gateway products. The products contain a cross-domain policy vulnerability involving untrusted domains (CWE-942). Because a wildcard (*) can be used to specify which domains may request resources, a highly privileged local third party could steal sensitive information by inserting a specially crafted script into the CORS configuration file.

Trust: 1.62

sources: NVD: CVE-2020-16230 // JVNDB: JVNDB-2020-008459

AFFECTED PRODUCTS

vendor: hms, model: ewon flexy, scope: lt, version: 14.1

Trust: 1.0

vendor: hms, model: ewon cosy, scope: lt, version: 14.1

Trust: 1.0

vendor: hms industrial ab, model: ewon cosy, scope: eq, version: all of 14.1

Trust: 0.8

vendor: hms industrial ab, model: ewon flexy, scope: eq, version: all of 14.1

Trust: 0.8

sources: JVNDB: JVNDB-2020-008459 // NVD: CVE-2020-16230

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2020-16230
value: LOW

Trust: 1.0

JPCERT/CC: JVNDB-2020-008459
value: LOW

Trust: 0.8

CNNVD: CNNVD-202009-665
value: LOW

Trust: 0.6

nvd@nist.gov: CVE-2020-16230
severity: LOW
baseScore: 2.1
vectorString: AV:L/AC:L/AU:N/C:P/I:N/A:N
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

nvd@nist.gov: CVE-2020-16230
baseSeverity: LOW
baseScore: 2.3
vectorString: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 0.8
impactScore: 1.4
version: 3.1

Trust: 1.0

JPCERT/CC score: JVNDB-2020-008459
baseSeverity: LOW
baseScore: 2.3
vectorString: CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: JVNDB: JVNDB-2020-008459 // CNNVD: CNNVD-202009-665 // NVD: CVE-2020-16230

PROBLEMTYPE DATA

problemtype:NVD-CWE-Other

Trust: 1.0

sources: NVD: CVE-2020-16230

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-202009-665

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202009-665

CONFIGURATIONS

sources: JVNDB: JVNDB-2020-008459

PATCH

title: All Downloads Firmware, url: https://ewon.biz/technical-support/pages/all-downloads

Trust: 0.8

title: Fixes for cross-site request forgery vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=128109

Trust: 0.6

sources: JVNDB: JVNDB-2020-008459 // CNNVD: CNNVD-202009-665

EXTERNAL IDS

db: ICS CERT, id: ICSA-20-254-03

Trust: 2.4

db: NVD, id: CVE-2020-16230

Trust: 2.4

db: JVN, id: JVNVU93260711

Trust: 0.8

db: JVNDB, id: JVNDB-2020-008459

Trust: 0.8

db: ICS CERT, id: ICSA-20-289-01

Trust: 0.6

db: AUSCERT, id: ESB-2020.3143

Trust: 0.6

db: CNNVD, id: CNNVD-202009-665

Trust: 0.6

sources: JVNDB: JVNDB-2020-008459 // CNNVD: CNNVD-202009-665 // NVD: CVE-2020-16230

REFERENCES

url:https://us-cert.cisa.gov/ics/advisories/icsa-20-254-03

Trust: 3.0

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-16230

Trust: 0.8

url:http://jvn.jp/cert/jvnvu93260711

Trust: 0.8

url:https://us-cert.cisa.gov/ics/advisories/icsa-20-289-01

Trust: 0.6

url:https://nvd.nist.gov/vuln/detail/cve-2020-16230

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2020.3143/

Trust: 0.6

sources: JVNDB: JVNDB-2020-008459 // CNNVD: CNNVD-202009-665 // NVD: CVE-2020-16230

SOURCES

db: JVNDB, id: JVNDB-2020-008459
db: CNNVD, id: CNNVD-202009-665
db: NVD, id: CVE-2020-16230

LAST UPDATE DATE

2024-11-23T22:25:21.532000+00:00


SOURCES UPDATE DATE

db: JVNDB, id: JVNDB-2020-008459, date: 2020-09-14T00:00:00
db: CNNVD, id: CNNVD-202009-665, date: 2021-11-23T00:00:00
db: NVD, id: CVE-2020-16230, date: 2024-11-21T05:06:59.127

SOURCES RELEASE DATE

db: JVNDB, id: JVNDB-2020-008459, date: 2020-09-14T00:00:00
db: CNNVD, id: CNNVD-202009-665, date: 2020-09-10T00:00:00
db: NVD, id: CVE-2020-16230, date: 2020-09-18T19:15:16.153