PT-2021-11759 · Tenda · Tenda N300 F3

Published: 2021-01-01 · Updated: 2024-09-21 · CVE-2020-35391

CVSS v3.1: 9.6 (Critical)

Vector: AC:L/AV:A/A:H/C:H/I:H/PR:N/S:C/UI:N
Name of the Vulnerable Software and Affected Versions: Tenda N300 F3 version 12.01.01.48
Description: The issue allows remote attackers to obtain sensitive information, possibly including an http passwd line, via a direct request for "cgi-bin/DownloadCfg/RouterCfm.cfg". The vulnerability may require a specific character, such as ?, to be placed after the RouterCfm.cfg filename, or unusual HTTP request headers, although the reason for this is not clear.
Recommendations: For Tenda N300 F3 version 12.01.01.48, as a temporary workaround, consider restricting access to the "cgi-bin/DownloadCfg/RouterCfm.cfg" endpoint until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Related Identifiers: CVE-2020-35391

Affected Products: Tenda N300 F3