Permalink
Cannot retrieve contributors at this time
Name already in use
A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
CVE/CVE-2020-10972
Go to fileThis commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
62 lines (42 sloc)
1.59 KB
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ************************************ | |
| * CVE-2020-10972 * | |
| ************************************ | |
| SUMMARY: https://james-clee.com/2020/04/18/multiple-wavlink-vulnerabilities/ | |
| [Suggested description] | |
| An issue was discovered on Wavlink WL-WN530HG4 M30HG4.V5030.191116 | |
| devices. A page is exposed that has the current administrator password | |
| in cleartext in the source code of the page. No authentication is | |
| required in order to reach the page (live_********.shtml with the variable | |
| syspasswd). | |
| ------------------------------------------ | |
| [Additional Information] | |
| This can be used in conjunction with CVE-2020-10971 for | |
| WL-WN530HG4 to achieve full remote code execution, | |
| since you can use the administrator password found here to create your | |
| own session instead of relying on the end user. | |
| ------------------------------------------ | |
| [Vulnerability Type] | |
| Insecure Permissions | |
| ------------------------------------------ | |
| [Vendor of Product] | |
| Wavlink | |
| ------------------------------------------ | |
| [Affected Product Code Base] | |
| WL-WN530HG4 - M30HG4.V5030.191116 | |
| ------------------------------------------ | |
| [Affected Component] | |
| live_********.shtml | |
| ------------------------------------------ | |
| [Attack Type] | |
| Remote | |
| ------------------------------------------ | |
| [Impact Information Disclosure] | |
| true | |
| ------------------------------------------ | |
| [Attack Vectors] | |
| Go to live_********.shtml, then go to the source code of the page, then | |
| look for where the variable syspasswd is defined - it's the password | |
| for the administrator account in plaintext | |
| ------------------------------------------ | |
| [Reference] | |
| https://www.wavlink.com |