Skip to main content

Winston Firmware

8 CVEs product

Monthly

CVE-2020-16263 CRITICAL POC Act Now

Winston 1.5.4 devices have a CORS configuration that trusts arbitrary origins. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Winston Firmware
NVD
CVSS 3.1
9.1
EPSS
1.2%
CVE-2020-16262 HIGH POC This Week

Winston 1.5.4 devices have a local www-data user that is overly permissioned, resulting in root privilege escalation. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Privilege Escalation Winston Firmware
NVD
CVSS 3.1
7.8
EPSS
0.4%
CVE-2020-16261 MEDIUM POC This Month

Winston 1.5.4 devices allow a U-Boot interrupt, resulting in local root access. Rated medium severity (CVSS 6.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Winston Firmware
NVD
CVSS 3.1
6.8
EPSS
0.5%
CVE-2020-16260 HIGH POC This Week

Winston 1.5.4 devices do not enforce authorization. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Winston Firmware
NVD
CVSS 3.1
7.5
EPSS
0.9%
CVE-2020-16259 CRITICAL POC Act Now

Winston 1.5.4 devices have an SSH user account with access from bastion hosts. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Winston Firmware
NVD
CVSS 3.1
9.8
EPSS
1.7%
CVE-2020-16258 HIGH POC This Week

Winston 1.5.4 devices make use of a Monit service (not managed during the normal user process) which is configured with default credentials. Rated high severity (CVSS 7.1), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Winston Firmware
NVD
CVSS 3.1
7.1
EPSS
0.4%
CVE-2020-16256 HIGH POC This Week

The API on Winston 1.5.4 devices is vulnerable to CSRF. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF Winston Firmware
NVD
CVSS 3.1
8.8
EPSS
0.7%
CVE-2020-16257 CRITICAL POC Act Now

Winston 1.5.4 devices are vulnerable to command injection via the API. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Command Injection Winston Firmware
NVD
CVSS 3.1
9.8
EPSS
3.7%
EPSS 1% CVSS 9.1
CRITICAL POC Act Now

Winston 1.5.4 devices have a CORS configuration that trusts arbitrary origins. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Winston Firmware
NVD
EPSS 0% CVSS 7.8
HIGH POC This Week

Winston 1.5.4 devices have a local www-data user that is overly permissioned, resulting in root privilege escalation. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Privilege Escalation Winston Firmware
NVD
EPSS 0% CVSS 6.8
MEDIUM POC This Month

Winston 1.5.4 devices allow a U-Boot interrupt, resulting in local root access. Rated medium severity (CVSS 6.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Winston Firmware
NVD
EPSS 1% CVSS 7.5
HIGH POC This Week

Winston 1.5.4 devices do not enforce authorization. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Winston Firmware
NVD
EPSS 2% CVSS 9.8
CRITICAL POC Act Now

Winston 1.5.4 devices have an SSH user account with access from bastion hosts. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Winston Firmware
NVD
EPSS 0% CVSS 7.1
HIGH POC This Week

Winston 1.5.4 devices make use of a Monit service (not managed during the normal user process) which is configured with default credentials. Rated high severity (CVSS 7.1), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Winston Firmware
NVD
EPSS 1% CVSS 8.8
HIGH POC This Week

The API on Winston 1.5.4 devices is vulnerable to CSRF. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF Winston Firmware
NVD
EPSS 4% CVSS 9.8
CRITICAL POC Act Now

Winston 1.5.4 devices are vulnerable to command injection via the API. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Command Injection Winston Firmware
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy