CVE-2020-6954

Name of the Vulnerable Software and Affected Versions Cayin SMP-PRO4 devices (affected versions not specified)

Description A security issue allows a user to discover a saved password by viewing the URL after a Connection String Test. The password is visible in the webpass parameter of a "media folder.cgi?apply mode=ping server" URI, specifically the /media folder.cgi API endpoint with the apply mode parameter set to ping server.

Recommendations For Cayin SMP-PRO4 devices, as a temporary workaround, consider restricting access to the /media folder.cgi API endpoint with the apply mode parameter set to ping server until a patch is available. Avoid using the webpass parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.