PT-2021-11848 · Unknown · Libre Wireless Ls9 Ls1.5/P7040

Published: 2021-05-03 · Updated: 2022-07-12 · CVE-2020-35756

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Libre Wireless LS9 LS1.5/p7040 devices (affected versions not specified)
Description: An issue was discovered where the luci service daemon running on port 7777 does not require authentication to return the device configuration password in cleartext when using the GETPASS command. This allows any unauthenticated person with access to port 7777 on the device to leak the user's personal device configuration password by issuing the GETPASS command.
Recommendations: As a temporary workaround, consider restricting access to port 7777 to minimize the risk of exploitation. Avoid using the GETPASS command in the luci service daemon until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

Missing Authentication

Weakness Enumeration

Related Identifiers

CVE-2020-35756

Affected Products

Libre Wireless Ls9 Ls1.5/P7040