PT-2025-50267 · Unknown · Minidvblinux

Published: 2025-12-09 · Updated: 2025-12-19 · CVE-2023-53770

CVSS v4.0: 8.7 (High)

Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions

MiniDVBLinux version 5.4

Description

MiniDVBLinux version 5.4 has an issue allowing unauthenticated access to system configuration files. Remote attackers can obtain sensitive system configuration files through a direct object reference. The issue is exploitable by sending a GET request to the backup download endpoint with the parameter action set to getconfig, which retrieves a system configuration archive containing sensitive credentials. The affected API endpoint is '/backup/download'.

Recommendations

Apply any available configuration changes to restrict access to the /backup/download endpoint. Restrict access to the getconfig action.
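
To check whether the configuration archive has already been retrieved from a device, the web access log can be searched for the request described above. The following is an added example, not part of the original advisory or the MiniDVBLinux project: it assumes the web server writes common/combined log format, the function names are hypothetical, and the log lines are constructed sample data.

```python
import re
from urllib.parse import parse_qs, unquote

# Assumption: common/combined log format
#   ip - user [time] "METHOD target PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample log lines (documentation IP ranges, invented sizes)
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Dec/2025:08:01:12 +0000] "GET /index.html HTTP/1.1" 200 5120',
    '198.51.100.7 - - [10/Dec/2025:08:03:44 +0000] "GET /backup/download?action=getconfig HTTP/1.1" 200 48211',
    '198.51.100.7 - - [10/Dec/2025:08:03:50 +0000] "GET /backup/download?x=1&action=%67etconfig HTTP/1.1" 200 48211',
    '203.0.113.5 - - [10/Dec/2025:09:15:02 +0000] "GET /backup/download?action=getconfig HTTP/1.1" 403 153',
    '192.0.2.10 - - [10/Dec/2025:09:20:00 +0000] "GET /backup/download?action=status HTTP/1.1" 200 64',
]

def is_config_download(target):
    """True if the request target is /backup/download with action=getconfig."""
    path, _, query = target.partition("?")
    # Normalise percent-encoding, duplicate slashes, trailing slash and case
    path = re.sub(r"/+", "/", unquote(path)).rstrip("/").lower()
    if path != "/backup/download":
        return False
    actions = parse_qs(query, keep_blank_values=True).get("action", [])
    return any(a.lower() == "getconfig" for a in actions)

def find_config_downloads(lines):
    """Return one record per GET request for the configuration archive."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "GET" or not is_config_download(m["target"]):
            continue
        size = 0 if m["size"] == "-" else int(m["size"])
        hits.append({
            "ip": m["ip"], "time": m["ts"], "status": int(m["status"]),
            "bytes": size,
            "authenticated": m["user"] != "-",
            # 200 with a body means the archive was actually returned
            "served": m["status"] == "200" and size > 0,
        })
    return hits

if __name__ == "__main__":
    for hit in find_config_downloads(SAMPLE_LOG):
        print(hit)
```

Any record with `served` true means the credentials in the archive should be treated as exposed and rotated; after access is restricted, the same request should appear only with a non-200 status.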

Related Identifiers

CVE-2023-53770

Affected Products

Minidvblinux