Skip to content
Permalink
master
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
Go to file
 
 
Cannot retrieve contributors at this time
***********************************
* CVE-2020-10974 *
***********************************
SUMMARY: https://james-clee.com/2020/04/23/more-information-disclosure-in-wavlink-devices/
[Suggested description]
An issue was discovered on Wavlink WL-WN575A3 RPT75A3.V4300.180801
devices, affecting configuration backup functionality. A crafted POST request
returns the current configuration of the device in cleartext,
including the administrator password. No authentication is required.
------------------------------------------
[Additional Information]
This can be used in conjunction with the CVE-2020-10971) to achieve full remote code
execution, since you can use the administrator password found here to
create your own session instead of relying on the end user.
------------------------------------------
[Vulnerability Type]
Insecure Permissions
------------------------------------------
[Vendor of Product]
Wavlink
------------------------------------------
[Affected Product Code Base]
WL-WN579G3 - M79X3.V5030.180719
WL-WN575A3 - RPT75A3.V4300.180801
------------------------------------------
[Affected Component]
WL-WN579G3 - Backup Configuration Functionality
WL-WN575A3 - Backup Configuration Functionality
------------------------------------------
[Attack Type]
Remote
------------------------------------------
[Impact Information Disclosure]
true
------------------------------------------
[Attack Vectors]
A basic post request to the page the retrieves the configuration will run the script and automatically download the
configuration file which is in plain text
------------------------------------------
[Reference]
https://www.wavlink.com