Vulnerabilities
> Winstonprivacy
| DATE | CVE | VULNERABILITY TITLE | DESCRIPTION | VECTOR | COMPLEXITY | VENDOR | CWE | RISK |
|---|---|---|---|---|---|---|---|---|
| 2020-10-28 | CVE-2020-16263 | Exposure of Resource to Wrong Sphere vulnerability in Winstonprivacy Winston Firmware 1.5.4 | Winston 1.5.4 devices have a CORS configuration that trusts arbitrary origins. | network | low complexity | winstonprivacy | CWE-668 | 6.4 |
| 2020-10-28 | CVE-2020-16262 | Incorrect Permission Assignment for Critical Resource vulnerability in Winstonprivacy Winston Firmware 1.5.4 | Winston 1.5.4 devices have a local www-data user that is overly permissioned, resulting in root privilege escalation. | local | low complexity | winstonprivacy | CWE-732 | 7.2 |
| 2020-10-28 | CVE-2020-16261 | Incorrect Permission Assignment for Critical Resource vulnerability in Winstonprivacy Winston Firmware 1.5.4 | Winston 1.5.4 devices allow a U-Boot interrupt, resulting in local root access. | local | low complexity | winstonprivacy | CWE-732 | 7.2 |
| 2020-10-28 | CVE-2020-16260 | Missing Authorization vulnerability in Winstonprivacy Winston Firmware 1.5.4 | Winston 1.5.4 devices do not enforce authorization. | network | low complexity | winstonprivacy | CWE-862 | 5.0 |
| 2020-10-28 | CVE-2020-16259 | Incorrect Permission Assignment for Critical Resource vulnerability in Winstonprivacy Winston Firmware 1.5.4 | Winston 1.5.4 devices have an SSH user account with access from bastion hosts. | network | low complexity | winstonprivacy | CWE-732 | critical, 10.0 |
| 2020-10-28 | CVE-2020-16258 | Use of Hard-coded Credentials vulnerability in Winstonprivacy Winston Firmware 1.5.4 | Winston 1.5.4 devices make use of a Monit service (not managed during the normal user process) which is configured with default credentials. | local | low complexity | winstonprivacy | CWE-798 | 5.6 |
| 2020-10-28 | CVE-2020-16256 | Cross-Site Request Forgery (CSRF) vulnerability in Winstonprivacy Winston Firmware 1.5.4 | The API on Winston 1.5.4 devices is vulnerable to CSRF. | network | | winstonprivacy | CWE-352 | critical, 9.3 |
| 2020-10-28 | CVE-2020-16257 | Command Injection vulnerability in Winstonprivacy Winston Firmware 1.5.4 | Winston 1.5.4 devices are vulnerable to command injection via the API. | network | low complexity | winstonprivacy | CWE-77 | critical, 10.0 |