VYPR
Vendor: Winston

Products: 2
CVEs: 8
Across products: 8
Status: Private

Recent CVEs (8)

  • CVE-2020-16259 | Critical | Oct 28, 2020
    risk 0.64 | cvss 9.8 | epss 0.02

    Winston 1.5.4 devices have an SSH user account with access from bastion hosts. This is undocumented in device documents and is not announced to the user.

  • CVE-2020-16257 | Critical | Oct 28, 2020
    risk 0.64 | cvss 9.8 | epss 0.04

    Winston 1.5.4 devices are vulnerable to command injection via the API.

  • CVE-2020-16263 | Critical | Oct 28, 2020
    risk 0.59 | cvss 9.1 | epss 0.01

    Winston 1.5.4 devices have a CORS configuration that trusts arbitrary origins. This allows requests to be made and viewed by arbitrary origins.

  • CVE-2020-16256 | High | Oct 28, 2020
    risk 0.57 | cvss 8.8 | epss 0.01

    The API on Winston 1.5.4 devices is vulnerable to CSRF.

  • CVE-2020-16262 | High | Oct 28, 2020
    risk 0.51 | cvss 7.8 | epss 0.00

    Winston 1.5.4 devices have a local www-data user that is overly permissioned, resulting in root privilege escalation.

  • CVE-2020-16260 | High | Oct 28, 2020
    risk 0.49 | cvss 7.5 | epss 0.01

    Winston 1.5.4 devices do not enforce authorization. This is exploitable from the intranet, and can be combined with other vulnerabilities for remote exploitation.

  • CVE-2020-16258 | High | Oct 28, 2020
    risk 0.46 | cvss 7.1 | epss 0.00

    Winston 1.5.4 devices make use of a Monit service (not managed during the normal user process) which is configured with default credentials.

  • CVE-2020-16261 | Medium | Oct 28, 2020
    risk 0.44 | cvss 6.8 | epss 0.00

    Winston 1.5.4 devices allow a U-Boot interrupt, resulting in local root access.