PT-2020-12457 · Wavlink · Wavlink Wn531P3+2
Published: 2020-05-07 · Updated: 2022-04-29
CVE-2020-10972
CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Wavlink WN530HG4
Wavlink WN531G3
Wavlink WN572HG3
Description
An issue was discovered where a page, specifically a certain live ?.shtml page with the variable syspasswd, is exposed and contains the current administrator password in cleartext in its source code. No authentication is required to reach this page.
Recommendations
For Wavlink WN530HG4, restrict access to the live ?.shtml page to minimize the risk of exploitation.
For Wavlink WN531G3, avoid using the variable syspasswd in the affected page until the issue is resolved.
For Wavlink WN572HG3, consider disabling access to the page containing the administrator password in cleartext until a fix is available.
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Exploit
Missing Authentication
Insufficiently Protected Credentials
Related Identifiers
Affected Products
Wavlink Wn530H4
Wavlink Wn531P3
Wavlink Wn572Hp3