In TOTOLINK EX200 V4.0.3c.7646_B20201211, an attacker can obtain sensitive information without authorization through the function getEasyWizardCfg.
- Device: TOTOLINK EX200
- Firmware Version: V4.0.3c.7646_B20201211
- Manufacturer's website information: https://www.totolink.net/
- Firmware download address: https://www.totolink.net/data/upload/20210428/7979e841521515eb83b45aacf5b67f9a.zip
The attacker does not need authorization (there is no need to enter a username and password in /login.asp) to obtain sensitive information, including the Wi-Fi SSID and password.