PT-2019-15380 · Xiaomi +1 · Xiaomi Mi Wifi R3G +1
Ultramangaia +1 · Published 2019-10-23 · Updated 2024-03-09 · CVE-2019-18371
CVSS v3.1: 7.5 (High)
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Xiaomi Mi WiFi R3G versions prior to 2.28.23-stable
Description
A directory traversal issue allows attackers to read arbitrary files due to a misconfigured NGINX alias. This can be exploited via the "api-third-party/download/extdisks../etc/config/account" endpoint, enabling attackers to bypass authentication.
Recommendations
For versions prior to 2.28.23-stable, update to version 2.28.23-stable or later to resolve the issue. As a temporary workaround, consider restricting access to the NGINX alias to minimize the risk of exploitation.
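A configuration check for the misconfiguration class described above, added here as an example and not taken from the advisory or the router firmware: in NGINX, a prefix `location` without a trailing slash combined with an `alias` that ends in one lets a request path such as `extdisks../` resolve outside the aliased directory. The sample configuration and the function name `find_alias_traversal` are constructed for illustration.

```python
import re

# Constructed sample config (not taken from the router firmware). The first
# location has the risky shape: prefix without a trailing slash, alias with one.
SAMPLE_CONF = """
server {
    listen 80;
    location /files {
        alias /srv/share/;
    }
    location /static/ {
        alias /srv/static/;
    }
    location = /health {
        alias /srv/health.txt;
    }
    location ~ ^/img/(.*)$ {
        alias /srv/img/$1;
    }
    location /docs {
        root /srv;
    }
}
"""

LOCATION_RE = re.compile(r"location\s+(?:(=|~\*?|\^~)\s*)?(\S+)\s*\{([^{}]*)\}")
ALIAS_RE = re.compile(r"^\s*alias\s+([^;\s]+)\s*;", re.MULTILINE)

def find_alias_traversal(conf_text):
    """Return (location_prefix, alias_path) pairs where a prefix location
    lacks a trailing slash but its alias target ends with one."""
    text = re.sub(r"#[^\n]*", "", conf_text)  # drop comments
    findings = []
    for modifier, prefix, body in LOCATION_RE.findall(text):
        if modifier in ("=", "~", "~*"):
            continue  # exact and regex locations match differently
        alias = ALIAS_RE.search(body)
        if alias and not prefix.endswith("/") and alias.group(1).endswith("/"):
            findings.append((prefix, alias.group(1)))
    return findings

if __name__ == "__main__":
    for prefix, target in find_alias_traversal(SAMPLE_CONF):
        print(f"location {prefix} -> alias {target}: add a trailing slash to the location")
```

Each finding is fixed by making the two paths agree, for example `location /files/` with `alias /srv/share/`. The regex-based parse does not handle nested `location` blocks or included files, so run it on the fully expanded configuration.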
Exploit
Fix
Path traversal
Weakness Enumeration
Related identifiers
Affected products
Nginx
Xiaomi Mi Wifi R3G