***********************************
* CVE-2020-12266 *
***********************************
SUMMARY: https://james-clee.com/2020/04/23/more-information-disclosure-in-wavlink-devices/
[Suggested description]
An issue was discovered on WAVLINK
WL-WN579G3 M79X3.V5030.180719,
WL-WN575A3 RPT75A3.V4300.180801, and
WL-WN530HG4 M30HG4.V5030.191116 devices.
There are multiple externally accessible pages that do not require any
sort of authentication, and store system information for internal
usage. The devices automatically query these pages to update
dashboards and other statistics, but the pages can be accessed
externally without any authentication. All the pages follow the naming
convention live_(string).shtml. Among the information disclosed is:
interface status logs, IP address of the device, MAC address of the
device, model and current firmware version, location, all running
processes, all interfaces and their statuses, all current DHCP leases
and the associated hostnames, all other wireless networks in
range of the router, memory statistics, and components of the
configuration of the device such as enabled features.
------------------------------------------
[Additional Information]
If requested I can provide the actual web pages that disclose the
information, but due to how easy it is for someone to access the
information I think it best to not publicize the specific endpoints.
------------------------------------------
[Vulnerability Type]
Incorrect Access Control
------------------------------------------
[Vendor of Product]
Wavlink
------------------------------------------
[Affected Product Code Base]
WL-WN579G3 - M79X3.V5030.180719
WL-WN575A3 - RPT75A3.V4300.180801
WL-WN530HG4 - M30HG4.V5030.191116
------------------------------------------
[Affected Component]
Several pages used to host information for internal queries
------------------------------------------
[Attack Type]
Remote
------------------------------------------
[Impact Information Disclosure]
true
------------------------------------------
[Attack Vectors]
Navigate to the exposed endpoint and the information will be displayed in plaintext on the page or in the source code of the response
------------------------------------------
[Reference]
https://www.wavlink.com
------------------------------------------
[Discoverer]
James Clee
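
------------------------------------------
The following detection sketch is an added example, not part of the original advisory or any vendor code. It flags requests for pages matching the live_(string).shtml naming convention that come from outside a management network, assuming an upstream proxy or sensor writes Common Log Format lines; the subnet, log lines and page names are constructed placeholders.

```python
import ipaddress
import re
from urllib.parse import unquote, urlsplit

# Naming convention stated in the advisory: live_(string).shtml
LIVE_PAGE = re.compile(r"^live_[^/]+\.shtml$", re.IGNORECASE)
# Common Log Format: client ident user [time] "METHOD target PROTO" status size
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3}) ')

# Assumption: only this management subnet should ever load the status pages.
ADMIN_NETS = [ipaddress.ip_network("192.168.10.0/24")]

# Constructed sample log; page names are placeholders, not real endpoints.
SAMPLE_LOG = """\
192.168.10.5 - - [23/Apr/2020:10:00:01 +0000] "GET /live_placeholder1.shtml HTTP/1.1" 200 512
203.0.113.7 - - [23/Apr/2020:10:00:09 +0000] "GET /live_placeholder1.shtml HTTP/1.1" 200 512
203.0.113.7 - - [23/Apr/2020:10:00:10 +0000] "GET /LIVE_%70laceholder2.shtml?x=1 HTTP/1.1" 200 2048
198.51.100.9 - - [23/Apr/2020:10:01:00 +0000] "GET /live_placeholder1.shtml HTTP/1.1" 401 0
203.0.113.7 - - [23/Apr/2020:10:02:00 +0000] "GET /index.shtml HTTP/1.1" 200 900
"""

def is_live_page(target):
    """True if the final path segment matches live_(string).shtml."""
    path = unquote(urlsplit(target).path)
    return bool(LIVE_PAGE.match(path.rsplit("/", 1)[-1]))

def is_admin(client):
    """True if the client address is inside an allowed management network."""
    try:
        addr = ipaddress.ip_address(client)
    except ValueError:
        return False  # hostname or garbage: treat as untrusted
    return any(addr in net for net in ADMIN_NETS)

def find_exposures(log_text):
    """Return (client, target, status) for status-page requests from non-admin clients."""
    hits = []
    for line in log_text.splitlines():
        m = CLF.match(line)
        if m and is_live_page(m.group(2)) and not is_admin(m.group(1)):
            hits.append((m.group(1), m.group(2), int(m.group(3))))
    return hits

def disclosed(hits):
    """Hits the server answered with 2xx, i.e. data left the device."""
    return [h for h in hits if 200 <= h[2] < 300]

if __name__ == "__main__":
    for client, target, status in find_exposures(SAMPLE_LOG):
        print(status, client, target)
```

A 2xx answer to a non-admin client is the condition the advisory describes; a 401 or 403 on the same path indicates the page is being refused at that point.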