Ewon
Recent CVEs
| CVE | Sev | Risk | CVSS | EPSS | Published | Description |
|---|---|---|---|---|---|---|
| CVE-2015-7926 | Critical | 0.65 | 9.9 | 0.03 | Dec 23, 2015 | eWON devices with firmware before 10.1s0 omit RBAC for I/O server information and status requests, which allows remote attackers to obtain sensitive information via an unspecified URL. |
| CVE-2015-7924 | High | 0.57 | 8.8 | 0.02 | Dec 23, 2015 | eWON devices with firmware before 10.1s0 do not trigger the discarding of browser session data in response to a log-off action, which makes it easier for remote attackers to obtain access by leveraging an unattended workstation. |
| CVE-2015-7928 | High | 0.56 | 8.5 | 0.03 | Dec 23, 2015 | eWON devices with firmware before 10.1s0 do not set the autocomplete attribute of a password field to off, which makes it easier for remote attackers to obtain access by leveraging an unattended workstation. |
| CVE-2024-7755 | High | 0.53 | 8.2 | 0.00 | Oct 17, 2024 | The EWON FLEXY 202 transmits credentials using a weak encoding method (base64). An attacker who is present on the network can sniff the traffic and decode the credentials. |
| CVE-2015-7925 | High | 0.52 | 8.0 | 0.01 | Dec 23, 2015 | Cross-site request forgery (CSRF) vulnerability on eWON devices with firmware through 10.1s0 allows remote attackers to hijack the authentication of administrators for requests that trigger firmware upload, removal of configuration data, or a reboot. |
| CVE-2019-25470 | High | 0.49 | 7.5 | 0.00 | Mar 11, 2026 | eWON Firmware versions 12.2 to 13.0 contain an authentication bypass vulnerability that allows attackers with minimal privileges to retrieve sensitive user data by exploiting the wsdReadForm endpoint. Attackers can send POST requests to /wrcgi.bin/wsdReadForm with base64-encoded… |
| CVE-2015-7927 | Medium | 0.40 | 6.1 | 0.02 | Dec 23, 2015 | Cross-site scripting (XSS) vulnerability on eWON devices with firmware through 10.1s0 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
| CVE-2015-7929 | Medium | 0.28 | 4.3 | 0.03 | Dec 23, 2015 | eWON devices with firmware through 10.1s0 support unspecified GET requests, which might allow remote attackers to obtain sensitive information by reading (1) web-server access logs, (2) web-server Referer logs, or (3) the browser history. |
| CVE-2020-16230 | — | 0.00 | — | 0.00 | Sep 18, 2020 | All versions of Ewon Flexy and Cosy prior to 14.1 use wildcards such as (*) under which domains can request resources. An attacker with local access and high privileges could inject scripts into the Cross-origin Resource Sharing (CORS) configuration that could abuse this… |
| CVE-2020-10633 | — | 0.00 | — | 0.01 | Apr 8, 2020 | A non-persistent XSS (cross-site scripting) vulnerability exists in eWON Flexy and Cosy (all firmware versions prior to 14.1s0). An attacker could send a specially crafted URL to initiate a password change for the device. The target must introduce the credentials to the gateway… |
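Two of the entries above describe weaknesses that are visible in a plaintext network capture: credentials sent as base64 (the CVE-2024-7755 pattern, where base64 is reversible encoding, not encryption) and a wildcard CORS policy (the CVE-2020-16230 pattern). The triage script below is an added example, not Ewon code and not taken from either advisory. It reads a text dump of HTTP messages (the kind produced by `tcpdump -A` or a Wireshark "Follow TCP stream" export), decodes any `Authorization: Basic` token it finds, and flags `Access-Control-Allow-Origin: *`. The assumption that the credentials travel in a Basic header is the example's own; the CVE text only says "base64". The host, path, and credentials in the sample dump are constructed for the example.

```python
"""Triage a plaintext HTTP capture for base64 credentials and wildcard CORS.

Added example; not Ewon code and not connected to any device. The sample
dump below is constructed: the host, path and credentials are made up.
Assumption (not stated in the CVE): credentials appear as an
Authorization: Basic header.
"""
import base64
import binascii
import re
from typing import Dict, List

# Constructed sample capture: one request over plain HTTP carrying a Basic
# token for "adm:passw0rd", and one response with a wildcard CORS origin.
SAMPLE_DUMP = """\
GET /status.htm HTTP/1.1
Host: 192.0.2.10
Authorization: Basic YWRtOnBhc3N3MHJk

HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
Content-Type: text/html

<html>...</html>
"""

# Header lines are matched one per line; headers are case-insensitive.
BASIC_RE = re.compile(r"^Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)\s*$", re.I | re.M)
ACAO_RE = re.compile(r"^Access-Control-Allow-Origin:\s*(\S+)\s*$", re.I | re.M)


def decode_basic(token: str) -> Dict[str, str]:
    """Recover user and password from a Basic token.

    This is the whole "attack" in the CVE text: base64 needs no key to
    reverse. Returns {} for tokens that are not valid base64 or lack the
    user:password separator.
    """
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return {}
    user, sep, password = raw.partition(":")
    if not sep:
        return {}
    return {"user": user, "password": password}


def triage(dump: str) -> List[Dict[str, str]]:
    """Return one finding per recoverable credential and per wildcard CORS header.

    The password itself is not copied into the finding; only its length is
    reported, so the triage output can be shared without re-exposing it.
    """
    findings: List[Dict[str, str]] = []
    for m in BASIC_RE.finditer(dump):
        creds = decode_basic(m.group(1))
        if not creds:
            continue
        findings.append({
            "issue": "basic-credentials-plaintext",
            "user": creds["user"],
            "password_len": str(len(creds["password"])),
        })
    for m in ACAO_RE.finditer(dump):
        if m.group(1) == "*":
            findings.append({"issue": "cors-wildcard-origin", "value": "*"})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_DUMP):
        print(finding)
```

Run it against a real capture by replacing `SAMPLE_DUMP` with the file contents; anything it decodes was readable to every host on the path, which is the condition the CVE-2024-7755 entry describes. The script only finds Basic headers; credentials posted in a form body or a custom header need their own pattern.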