Headline
CVE-2020-10972: CVE/CVE-2020-10972 at master · sudo-jtcsec/CVE
An issue was discovered where a page is exposed that has the current administrator password in cleartext in the source code of the page. No authentication is required in order to reach the page (a certain live_?.shtml page with the variable syspasswd). Affected Devices: Wavlink WN530HG4, Wavlink WN531G3, and Wavlink WN572HG3
Permalink
Cannot retrieve contributors at this time
************************************
* CVE-2020-10972 *
************************************
SUMMARY: https://james-clee.com/2020/04/18/multiple-wavlink-vulnerabilities/
[Suggested description]
An issue was discovered on Wavlink WL-WN530HG4 M30HG4.V5030.191116
devices. A page is exposed that has the current administrator password
in cleartext in the source code of the page. No authentication is
required in order to reach the page (live_********.shtml with the variable
syspasswd).
------------------------------------------
[Additional Information]
This can be used in conjunction with CVE-2020-10971 for
WL-WN530HG4 to achieve full remote code execution,
since you can use the administrator password found here to create your
own session instead of relying on the end user.
------------------------------------------
[Vulnerability Type]
Insecure Permissions
------------------------------------------
[Vendor of Product]
Wavlink
------------------------------------------
[Affected Product Code Base]
WL-WN530HG4 - M30HG4.V5030.191116
------------------------------------------
[Affected Component]
live_********.shtml
------------------------------------------
[Attack Type]
Remote
------------------------------------------
[Impact Information Disclosure]
true
------------------------------------------
[Attack Vectors]
Go to live_********.shtml, then go to the source code of the page, then
look for where the variable syspasswd is defined - it’s the password
for the administrator account in plaintext
------------------------------------------
[Reference]
https://www.wavlink.com