CVE-2020-10973
Severity CVSS v4.0:
Pending analysis
Type:
CWE-306
Missing Authentication for Critical Function
Publication date:
07/05/2020
Last modified:
28/04/2022
Description
An issue was discovered in Wavlink WN530HG4, Wavlink WN531G3, Wavlink WN533A8, and Wavlink WN551K1 affecting /cgi-bin/ExportAllSettings.sh where a crafted POST request returns the current configuration of the device, including the administrator password. No authentication is required. The attacker must perform a decryption step, but all decryption information is readily available.
Impact
Base Score 3.x
7.50
Severity 3.x
HIGH
Base Score 2.0
5.00
Severity 2.0
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:wavlink:wn530hg4_firmware:m30hg4.v5030.191116:*:*:*:*:*:*:* | ||
| cpe:2.3:h:wavlink:wn530hg4:-:*:*:*:*:*:*:* | ||
| cpe:2.3:o:wavlink:wn531g3_firmware:-:*:*:*:*:*:*:* | ||
| cpe:2.3:h:wavlink:wn531g3:-:*:*:*:*:*:*:* | ||
| cpe:2.3:o:wavlink:wn533a8_firmware:-:*:*:*:*:*:*:* | ||
| cpe:2.3:h:wavlink:wn533a8:-:*:*:*:*:*:*:* | ||
| cpe:2.3:o:wavlink:wn551k1_firmware:-:*:*:*:*:*:*:* | ||
| cpe:2.3:h:wavlink:wn551k1:-:*:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page