CVE-2019-18370

Name of the Vulnerable Software and Affected Versions Xiaomi Mi WiFi R3G versions prior to 2.28.23-stable

Description An issue was discovered where the backup file in tar.gz format can be manipulated to control the contents of the decompressed directory. Additionally, a command injection vulnerability exists in the application's sh script for testing upload and download speeds, which reads a URL list from /tmp/speedtest urls.xml. This vulnerability can be demonstrated through the "api/xqnetdetect/netspeed" endpoint.

Recommendations For versions prior to 2.28.23-stable, update to version 2.28.23-stable or later to resolve the issue. As a temporary workaround, consider restricting access to the "api/xqnetdetect/netspeed" endpoint to minimize the risk of exploitation.