CVE-2017-5260

Name of the Vulnerable Software and Affected Versions Cambium Networks cnPilot firmware versions 4.3.2-R4 and prior

Description The issue allows a low-privilege 'user' account to access the configuration file via direct object reference (DOR) at the "http:///goform/down cfg file" endpoint, despite this option not being available in the normal web administrative console.

Recommendations For Cambium Networks cnPilot firmware versions 4.3.2-R4 and prior, as a temporary workaround, consider restricting access to the "/goform/down cfg file" endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.