What the vulnerability does

01Description

A non-persistent XSS (cross-site scripting) vulnerability exists in eWON Flexy and Cosy (all firmware versions prior to 14.1s0). An attacker could send a specially crafted URL to initiate a password change for the device. The target must introduce the credentials to the gateway before the attack can be successful.

Key dates

02Disclosure timeline

April 8, 2020 CVE published
August 4, 2024 Record updated