Main Vulnerability Database Vulnerabilities #VU46657

#VU46657 Overly permissive cross-domain whitelist in eWON Flexy and eWON Cosy - CVE-2020-16230

Published: September 11, 2020

Vulnerability identifier: #VU46657

Vulnerability risk: Low

CVSSv4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: CVE-2020-16230

CWE-ID: CWE-942

Exploitation vector: Local access

Exploit availability: No public exploit available

Vulnerable software:
eWON Flexy
eWON Cosy

Software vendor:
HMS Networks

Description

The vulnerability allows a local user to bypass the CORS protection mechanism.

The vulnerability exists due to incorrect processing of the "Origin" HTTP header that is supplied within HTTP request. A local administrator can supply arbitrary value via the "Origin" HTTP header, bypass implemented CORS protection mechanism and retrieve limited confidential information through sniffing.

Remediation

Install updates from vendor's website.

External links

https://ics-cert.us-cert.gov/advisories/icsa-20-254-03

#VU46657 Overly permissive cross-domain whitelist in eWON Flexy and eWON Cosy - CVE-2020-16230

Description

Remediation

External links

Please verify you're human