Winston
Recent CVEs
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2020-16259 | Winston | Critical | 0.64 | 9.8 | 0.02 | | Oct 28, 2020 | Winston 1.5.4 devices have an SSH user account with access from bastion hosts. This is undocumented in device documents and is not announced to the user. |
| CVE-2020-16257 | Winston | Critical | 0.64 | 9.8 | 0.04 | | Oct 28, 2020 | Winston 1.5.4 devices are vulnerable to command injection via the API. |
| CVE-2020-16263 | Winston | Critical | 0.59 | 9.1 | 0.01 | | Oct 28, 2020 | Winston 1.5.4 devices have a CORS configuration that trusts arbitrary origins. This allows requests to be made and viewed by arbitrary origins. |
| CVE-2020-16256 | Winston | High | 0.57 | 8.8 | 0.01 | | Oct 28, 2020 | The API on Winston 1.5.4 devices is vulnerable to CSRF. |
| CVE-2020-16262 | Winston | High | 0.51 | 7.8 | 0.00 | | Oct 28, 2020 | Winston 1.5.4 devices have a local www-data user that is overly permissioned, resulting in root privilege escalation. |
| CVE-2020-16260 | Winston | High | 0.49 | 7.5 | 0.01 | | Oct 28, 2020 | Winston 1.5.4 devices do not enforce authorization. This is exploitable from the intranet, and can be combined with other vulnerabilities for remote exploitation. |
| CVE-2020-16258 | Winston | High | 0.46 | 7.1 | 0.00 | | Oct 28, 2020 | Winston 1.5.4 devices make use of a Monit service (not managed during the normal user process) which is configured with default credentials. |
| CVE-2020-16261 | Winston | Medium | 0.44 | 6.8 | 0.00 | | Oct 28, 2020 | Winston 1.5.4 devices allow a U-Boot interrupt, resulting in local root access. |