CVE-2018-20377

Name of the Vulnerable Software and Affected Versions Orange Livebox versions 00.96.320S

Description The issue is caused by an error in handling registration data in the get getnetworkconf.cgi script of the wireless router's firmware. This can allow a remote attacker to access protected information using the HTTP protocol. The vulnerability can be exploited to discover Wi-Fi credentials via the "/get getnetworkconf.cgi" API endpoint on port 8080, potentially leading to full control if the admin password is the same as the Wi-Fi password or has the default admin value.

Recommendations For Orange Livebox version 00.96.320S, consider restricting access to the "/get getnetworkconf.cgi" API endpoint on port 8080 to minimize the risk of exploitation. Additionally, ensure that the admin password is different from the Wi-Fi password and not set to the default admin value. At the moment, there is no information about a newer version that contains a fix for this vulnerability.