CVE-2020-10974

An issue was discovered affecting a backup feature where a crafted POST request returns the current configuration of the device in cleartext, including the administrator password. No authentication is required. Affected devices: Wavlink WN575A3, Wavlink WN579G3, Wavlink WN531A6, Wavlink WN535G3, Wavlink WN530H4, Wavlink WN57X93, Wavlink WN572HG3, Wavlink WN575A4, Wavlink WN578A2, Wavlink WN579G3, Wavlink WN579X3, and Jetstream AC3000/ERAC3000.
Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector
NIST | NIST | 7.5 HIGH | NETWORK | LOW | NONE | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
mitre | CNA | --- | ---
CVE | ADP | --- | ---
EPSS Score percentile: 55%
Vendor | Product | Version
wavlink | wn531a6_firmware | -
wavlink | wn535g3_firmware | -
wavlink | wn530h4_firmware | -
wavlink | wn57x93_firmware | -
wavlink | wn572hg3_firmware | -
wavlink | wn575a4_firmware | -
wavlink | wn578a2_firmware | -
wavlink | wn579g3_firmware | -
wavlink | wn579x3_firmware | -
wavlink | jetstream_ac3000_firmware | -
wavlink | jetstream_erac3000_firmware | -

𝑥 = Vulnerable software versions