PT-2024-28778 · Unknown · Boa Web Server +1
Published: 2024-10-21 · Updated: 2024-10-23 · CVE-2024-40090
CVSS v3.1: 4.3 (Medium)
| Vector | AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Vilo 5 Mesh WiFi System versions 5.16.1.33 and earlier
Description
The vulnerability is an information leak in the Boa web server that allows an unauthenticated attacker on the adjacent network to obtain memory addresses belonging to uClibc and the stack. The leak is triggered by a GET request to the index page, such as "/index.html", or to a similar API endpoint.
Recommendations
For versions 5.16.1.33 and earlier, consider restricting access to the Boa web server until a patch is available.
As a temporary workaround, avoid using the Boa web server for sensitive operations until the issue is resolved.
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Exploit
Weakness Enumeration
Cleartext Transmission of Sensitive Information
Related Identifiers
Affected Products
Boa Web Server
Vilo 5 Mesh Wifi System