Vulnerability Details CVE-2024-33893
Cosy+ devices running a firmware 21.x below 21.2s10 or a firmware 22.x below 22.1s3 are vulnerable to XSS when displaying the logs due to improper input sanitization. This is fixed in version 21.2s10 and 22.1s3.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.002
EPSS Ranking 44.1%
CVSS Severity
CVSS v3 Score 6.1
References
- https://blog.syss.com/posts/hacking-a-secure-industrial-remote-access-gateway/
- https://hmsnetworks.blob.core.windows.net/nlw/docs/default-source/products/cybersecurity/security-advisory/hms-security-advisory-2024-07-29-001--ewon-several-cosy--vulnerabilities.pdf
- https://www.ewon.biz/products/cosy/ewon-cosy-wifi
- https://www.hms-networks.com/cyber-security
- http://seclists.org/fulldisclosure/2024/Aug/19
Products affected by CVE-2024-33893
-
cpe:2.3:h:hms-networks:ewon_cosy+_4g_apac:-
-
cpe:2.3:h:hms-networks:ewon_cosy+_4g_eu:-
-
cpe:2.3:h:hms-networks:ewon_cosy+_4g_jp:-
-
cpe:2.3:h:hms-networks:ewon_cosy+_4g_na:-
-
cpe:2.3:h:hms-networks:ewon_cosy+_ethernet:-
-
cpe:2.3:h:hms-networks:ewon_cosy+_wifi:-
-
cpe:2.3:o:hms-networks:ewon_cosy+_firmware:21.0s0
-
cpe:2.3:o:hms-networks:ewon_cosy+_firmware:21.0s1
-
cpe:2.3:o:hms-networks:ewon_cosy+_firmware:21.1s1
-
cpe:2.3:o:hms-networks:ewon_cosy+_firmware:21.2s0
-
cpe:2.3:o:hms-networks:ewon_cosy+_firmware:21.2s1
-
cpe:2.3:o:hms-networks:ewon_cosy+_firmware:21.2s10
-
cpe:2.3:o:hms-networks:ewon_cosy+_firmware:21.2s2
-
cpe:2.3:o:hms-networks:ewon_cosy+_firmware:21.2s3
-
cpe:2.3:o:hms-networks:ewon_cosy+_firmware:21.2s4
-
cpe:2.3:o:hms-networks:ewon_cosy+_firmware:21.2s7
-
cpe:2.3:o:hms-networks:ewon_cosy+_firmware:21.2s8
-
cpe:2.3:o:hms-networks:ewon_cosy+_firmware:22.0s0
-
cpe:2.3:o:hms-networks:ewon_cosy+_firmware:22.0s1
-
cpe:2.3:o:hms-networks:ewon_cosy+_firmware:22.1s0
-
cpe:2.3:o:hms-networks:ewon_cosy+_firmware:22.1s0pr
-
cpe:2.3:o:hms-networks:ewon_cosy+_firmware:22.1s3