ID

VAR-202004-0554


CVE

CVE-2020-12266


TITLE

Authentication vulnerabilities in multiple WAVLINK devices

Trust: 0.8

sources: JVNDB: JVNDB-2020-004951

DESCRIPTION

An issue was discovered where there are multiple externally accessible pages that do not require any sort of authentication, and store system information for internal usage. The devices automatically query these pages to update dashboards and other statistics, but the pages can be accessed externally without any authentication. All the pages follow the naming convention live_(string).shtml. Among the information disclosed is: interface status logs, IP address of the device, MAC address of the device, model and current firmware version, location, all running processes, all interfaces and their statuses, all current DHCP leases and the associated hostnames, all other wireless networks in range of the router, memory statistics, and components of the configuration of the device such as enabled features. Affected devices are: Wavlink WN530HG4, Wavlink WN575A3, Wavlink WN579G3, Wavlink WN531G3, Wavlink WN533A8, Wavlink WN531A6, Wavlink WN551K1, Wavlink WN535G3, Wavlink WN530H4, Wavlink WN57X93, WN572HG3, Wavlink WN578A2, Wavlink WN579G3, Wavlink WN579X3, and Jetstream AC3000/ERAC3000. Multiple WAVLINK devices contain an authentication vulnerability. Information may be obtained.

Trust: 1.71

sources: NVD: CVE-2020-12266 // JVNDB: JVNDB-2020-004951 // VULMON: CVE-2020-12266

AFFECTED PRODUCTS

vendor: wavlink, model: wl-wn530hg4, scope: eq, version: m30hg4.v5030.191116

Trust: 1.9

vendor: wavlink, model: wl-wn575a3, scope: eq, version: rpt75a3.v4300.180801

Trust: 1.9

vendor: wavlink, model: wl-wn579g3, scope: eq, version: m79x3.v5030.180719

Trust: 1.9

vendor: wavlink, model: wn533a8, scope: eq, version: -

Trust: 1.0

vendor: wavlink, model: jetstream ac3000, scope: eq, version: -

Trust: 1.0

vendor: wavlink, model: wn535g3, scope: eq, version: -

Trust: 1.0

vendor: wavlink, model: wn531a6, scope: eq, version: -

Trust: 1.0

vendor: wavlink, model: wn551k1, scope: eq, version: -

Trust: 1.0

vendor: wavlink, model: wn531g3, scope: eq, version: -

Trust: 1.0

vendor: wavlink, model: wn57x93, scope: eq, version: -

Trust: 1.0

vendor: wavlink, model: wn579x3, scope: eq, version: -

Trust: 1.0

vendor: wavlink, model: wn578a2, scope: eq, version: -

Trust: 1.0

vendor: wavlink, model: jetstream erac3000, scope: eq, version: -

Trust: 1.0

vendor: wavlink, model: wn530h4, scope: eq, version: -

Trust: 1.0

vendor: wavlink, model: wn579g3, scope: eq, version: -

Trust: 1.0

sources: VULMON: CVE-2020-12266 // JVNDB: JVNDB-2020-004951 // NVD: CVE-2020-12266

CVSS

SEVERITY

nvd@nist.gov: CVE-2020-12266
value: HIGH

Trust: 1.0

NVD: JVNDB-2020-004951
value: HIGH

Trust: 0.8

CNNVD: CNNVD-202004-2182
value: HIGH

Trust: 0.6

VULMON: CVE-2020-12266
value: MEDIUM

Trust: 0.1

CVSSV2

nvd@nist.gov: CVE-2020-12266
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.1

NVD: JVNDB-2020-004951
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

CVSSV3

nvd@nist.gov: CVE-2020-12266
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 3.6
version: 3.1

Trust: 1.0

NVD: JVNDB-2020-004951
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULMON: CVE-2020-12266 // JVNDB: JVNDB-2020-004951 // CNNVD: CNNVD-202004-2182 // NVD: CVE-2020-12266

PROBLEMTYPE DATA

problemtype:CWE-306

Trust: 1.0

problemtype:CWE-287

Trust: 0.8

sources: JVNDB: JVNDB-2020-004951 // NVD: CVE-2020-12266

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202004-2182

TYPE

access control error

Trust: 0.6

sources: CNNVD: CNNVD-202004-2182

CONFIGURATIONS

sources: JVNDB: JVNDB-2020-004951

PATCH

title: Top Page, url: https://www.wavlink.com/en_us/index.html

Trust: 0.8

sources: JVNDB: JVNDB-2020-004951

EXTERNAL IDS

db: NVD, id: CVE-2020-12266

Trust: 2.5

db: JVNDB, id: JVNDB-2020-004951

Trust: 0.8

db: CNNVD, id: CNNVD-202004-2182

Trust: 0.6

db: VULMON, id: CVE-2020-12266

Trust: 0.1

sources: VULMON: CVE-2020-12266 // JVNDB: JVNDB-2020-004951 // CNNVD: CNNVD-202004-2182 // NVD: CVE-2020-12266

REFERENCES

url:https://github.com/sudo-jtcsec/cve/blob/master/cve-2020-12266

Trust: 1.9

url:https://www.wavlink.com

Trust: 1.7

url:https://github.com/sudo-jtcsec/cve/blob/master/cve-2020-12266-affected_devices

Trust: 1.6

url:https://github.com/roni-carta/nyra

Trust: 1.6

url:https://github.com/sudo-jtcsec/nyra

Trust: 1.6

url:https://nvd.nist.gov/vuln/detail/cve-2020-12266

Trust: 1.4

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-12266

Trust: 0.8

url:https://cwe.mitre.org/data/definitions/287.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

url:https://exchange.xforce.ibmcloud.com/vulnerabilities/180874

Trust: 0.1

sources: VULMON: CVE-2020-12266 // JVNDB: JVNDB-2020-004951 // CNNVD: CNNVD-202004-2182 // NVD: CVE-2020-12266

SOURCES

db: VULMON, id: CVE-2020-12266
db: JVNDB, id: JVNDB-2020-004951
db: CNNVD, id: CNNVD-202004-2182
db: NVD, id: CVE-2020-12266

LAST UPDATE DATE

2024-11-23T21:59:21.475000+00:00


SOURCES UPDATE DATE

db: VULMON, id: CVE-2020-12266, date: 2020-12-08T00:00:00
db: JVNDB, id: JVNDB-2020-004951, date: 2020-06-03T00:00:00
db: CNNVD, id: CNNVD-202004-2182, date: 2022-05-05T00:00:00
db: NVD, id: CVE-2020-12266, date: 2024-11-21T04:59:24.417

SOURCES RELEASE DATE

db: VULMON, id: CVE-2020-12266, date: 2020-04-27T00:00:00
db: JVNDB, id: JVNDB-2020-004951, date: 2020-06-03T00:00:00
db: CNNVD, id: CNNVD-202004-2182, date: 2020-04-27T00:00:00
db: NVD, id: CVE-2020-12266, date: 2020-04-27T15:15:12.860