VYPR
Vendor: Ewon

Products: 3
CVEs: 10
Across products: 16
Status: Private

Recent CVEs (10)
  • CVE-2015-7926 | Critical | Dec 23, 2015
    risk 0.65 | cvss 9.9 | epss 0.03

    eWON devices with firmware before 10.1s0 omit RBAC for I/O server information and status requests, which allows remote attackers to obtain sensitive information via an unspecified URL.

  • CVE-2015-7924 | High | Dec 23, 2015
    risk 0.57 | cvss 8.8 | epss 0.02

    eWON devices with firmware before 10.1s0 do not trigger the discarding of browser session data in response to a log-off action, which makes it easier for remote attackers to obtain access by leveraging an unattended workstation.

  • CVE-2015-7928 | High | Dec 23, 2015
    risk 0.56 | cvss 8.5 | epss 0.03

    eWON devices with firmware before 10.1s0 do not have an off autocomplete attribute for a password field, which makes it easier for remote attackers to obtain access by leveraging an unattended workstation.

  • CVE-2024-7755 | High | Oct 17, 2024
    risk 0.53 | cvss 8.2 | epss 0.00

    The EWON FLEXY 202 transmits credentials using a weak encoding method, base64. An attacker who is present in the network can sniff the traffic and decode the credentials.

  • CVE-2015-7925 | High | Dec 23, 2015
    risk 0.52 | cvss 8.0 | epss 0.01

    Cross-site request forgery (CSRF) vulnerability on eWON devices with firmware through 10.1s0 allows remote attackers to hijack the authentication of administrators for requests that trigger firmware upload, removal of configuration data, or a reboot.

  • CVE-2019-25470 | High | Mar 11, 2026
    risk 0.49 | cvss 7.5 | epss 0.00

    eWON Firmware versions 12.2 to 13.0 contain an authentication bypass vulnerability that allows attackers with minimal privileges to retrieve sensitive user data by exploiting the wsdReadForm endpoint. Attackers can send POST requests to /wrcgi.bin/wsdReadForm with base64-encoded…

  • CVE-2015-7927 | Medium | Dec 23, 2015
    risk 0.40 | cvss 6.1 | epss 0.02

    Cross-site scripting (XSS) vulnerability on eWON devices with firmware through 10.1s0 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

  • CVE-2015-7929 | Medium | Dec 23, 2015
    risk 0.28 | cvss 4.3 | epss 0.03

    eWON devices with firmware through 10.1s0 support unspecified GET requests, which might allow remote attackers to obtain sensitive information by reading (1) web-server access logs, (2) web-server Referer logs, or (3) the browser history.

  • CVE-2020-16230 | Sep 18, 2020
    risk 0.00 | cvss (none listed) | epss 0.00

    All versions of Ewon Flexy and Cosy prior to 14.1 use wildcards such as (*) under which domains can request resources. An attacker with local access and high privileges could inject scripts into the Cross-origin Resource Sharing (CORS) configuration that could abuse this…

  • CVE-2020-10633 | Apr 8, 2020
    risk 0.00 | cvss (none listed) | epss 0.01

    A non-persistent XSS (cross-site scripting) vulnerability exists in eWON Flexy and Cosy (all firmware versions prior to 14.1s0). An attacker could send a specially crafted URL to initiate a password change for the device. The target must introduce the credentials to the gateway…