PT-2018-14422 · Orange · Orange Airbox

Syrex1013

Published

2018-10-16

Updated

2019-10-03

CVE-2018-18375

CVSS v3.1

9.8

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions Orange AirBox Y858 FL 01.16 04

Description The issue allows attackers to extract APN data, including name, number, username, and password, via the rand parameter in the "goform/getProfileList" API endpoint.

Recommendations For Orange AirBox Y858 FL 01.16 04, as a temporary workaround, consider restricting access to the "goform/getProfileList" API endpoint until a patch is available. Avoid using the rand parameter in this endpoint to minimize the risk of exploitation.

Exploit

Fix

Use of Insufficiently Random Values

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-330

Related Identifiers

CVE-2018-18375

Affected Products

Orange Airbox

PT-2018-14422 · Orange · Orange Airbox

CVE-2018-18375

Weakness Enumeration

Related Identifiers

Affected Products

References · 3