CVSS: 2.3EPSS: 0%CPEs: 4EXPL: 0CVE-2020-16230
https://notcve.org/view.php?id=CVE-2020-16230
18 Sep 2020 — All version of Ewon Flexy and Cosy prior to 14.1 use wildcards such as (*) under which domains can request resources. An attacker with local access and high privileges could inject scripts into the Cross-origin Resource Sharing (CORS) configuration that could abuse this vulnerability, allowing the attacker to retrieve limited confidential information through sniffing. Todas las versiones de Ewon Flexy Cozy versiones anteriores a la 14.1, usan comodines tales como (*) bajo los cuales los dominios pueden soli... • https://us-cert.cisa.gov/ics/advisories/icsa-20-254-03 •
CVSS: 6.1EPSS: 0%CPEs: 4EXPL: 0CVE-2020-10633
https://notcve.org/view.php?id=CVE-2020-10633
08 Apr 2020 — A non-persistent XSS (cross-site scripting) vulnerability exists in eWON Flexy and Cosy (all firmware versions prior to 14.1s0). An attacker could send a specially crafted URL to initiate a password change for the device. The target must introduce the credentials to the gateway before the attack can be successful. Se presenta una vulnerabilidad de tipo XSS (cross-site scripting) no persistente en eWON Flexy y Cozy (todas las versiones de firmware anteriores a 14.1s0). Un atacante podría enviar una URL espec... • https://www.us-cert.gov/ics/advisories/icsa-20-098-03 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •