CVE-2020-25195

Summary

The length of the input fields of Host Engineering H0-ECOM100, H2-ECOM100, and H4-ECOM100 modules are verified only on the client side when receiving input from the configuration web server, which may allow an attacker to bypass the check and send input to crash the device.

Affected Software

VendorProductVersion RangeStatus
n/aHost Engineering H0-ECOM100 ModuleHardware Versions 6x and prior with Firmware Versions 4.0.348 and prioraffected
n/aHost Engineering H0-ECOM100 ModuleHardware Version 7x with Firmware Versions 4.1.113 and prioraffected
n/aHost Engineering H0-ECOM100 ModuleHardware Version 9x with Firmware Versions 5.0.149 and prioraffected
n/aHost Engineering H2-ECOM100 ModuleHardware Versions 5x and prior with Firmware Versions 4.0.2148 and prioraffected
n/aHost Engineering H2-ECOM100 ModuleHardware Version 8x with Firmware Versions 5.0.1043 and prioraffected
n/aHost Engineering H4-ECOM100 ModuleFirmware Versions 4.0.2148 and prioraffected

Weaknesses

  • CWE-20: IMPROPER INPUT VALIDATION CWE-20

ADP Enrichment

CVE Program Container

Additional References

References