CVE-2018-16307

Name of the Vulnerable Software and Affected Versions Xiaomi MIWiFi Xiaomi 55DD version 2.8.50

Description An issue was discovered that allows the application to retrieve the contents of an arbitrary external URL and return those contents in its own response. This can be achieved by using a domain name containing a random string in the HTTP Host header, causing the application to perform an HTTP request to the specified domain and include the response in its own response.

Recommendations For version 2.8.50, as a temporary workaround, consider restricting access to external URLs to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.