Vulnerability Description
All versions of Ewon Flexy and Cosy prior to 14.1 use wildcards such as (*) to define which domains may request resources. An attacker with local access and high privileges could inject scripts into the Cross-Origin Resource Sharing (CORS) configuration to abuse this vulnerability, allowing the attacker to retrieve limited confidential information through sniffing.
CVSS Score
LOW
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Hms-Networks | Ewon Flexy Firmware | < 14.1 |
| Hms-Networks | Ewon Flexy | - |
| Hms-Networks | Ewon Cosy Firmware | < 14.1 |
| Hms-Networks | Ewon Cosy | - |
References
- https://us-cert.cisa.gov/ics/advisories/icsa-20-254-03 (Third Party Advisory, US Government Resource)
FAQ
What is CVE-2020-16230?
CVE-2020-16230 is a vulnerability with a CVSS score of 2.3 (LOW). All versions of Ewon Flexy and Cosy prior to 14.1 use wildcards such as (*) to define which domains may request resources. An attacker with local access and high privileges could inject scripts into the Cr...
How severe is CVE-2020-16230?
CVE-2020-16230 has been rated LOW with a CVSS base score of 2.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2020-16230?
Check the references section above for vendor advisories and patch information. Affected products include: Hms-Networks Ewon Flexy Firmware, Hms-Networks Ewon Flexy, Hms-Networks Ewon Cosy Firmware, Hms-Networks Ewon Cosy.