CVE-2020-11926

An issue was discovered in Luvion Grand Elite 3 Connect through 2020-02-25. Clients can authenticate themselves to the device using a username and password. These credentials can be obtained through an unauthenticated web request, e.g., for a JavaScript file. Also, the disclosed information includes the SSID and WPA2 key for the Wi-Fi network the device is connected to.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://seclists.org/fulldisclosure/2024/Jul/14
http://seclists.org/fulldisclosure/2024/Jul/14

Configurations

No configuration.

History

04 Nov 2025, 18:15

Type	Values Removed	Values Added
References		() http://seclists.org/fulldisclosure/2024/Jul/14 -

08 Nov 2024, 17:35

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.5
CWE		CWE-79
Summary		(es) Se descubrió un problema en Luvion Grand Elite 3 Connect hasta el 25 de febrero de 2020. Los clientes pueden autenticarse en el dispositivo mediante un nombre de usuario y una contraseña. Estas credenciales se pueden obtener a través de una solicitud web no autenticada, por ejemplo, para un archivo JavaScript. Además, la información divulgada incluye el SSID y la clave WPA2 de la red Wi-Fi a la que está conectado el dispositivo.

07 Nov 2024, 18:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-11-07 18:15

Updated : 2025-11-04 18:15

NVD link : CVE-2020-11926

Mitre link : CVE-2020-11926

CVE.ORG link : CVE-2020-11926

JSON object : View

Products Affected

No product.

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

7.5 /10