nuclei-templates/http/cves/2020/CVE-2020-10973.yaml

id: CVE-2020-10973

info:
  name: WAVLINK - Access Control
  author: arafatansari
  severity: high
  description: |
    Wavlink WN530HG4, WN531G3, WN533A8, and WN551K are susceptible to improper access control via /cgi-bin/ExportAllSettings.sh, where a crafted POST request returns the current configuration of the device, including the administrator password. No authentication is required. The attacker must perform a decryption step, but all decryption information is readily available.
  remediation: |
    Apply the latest firmware update provided by the vendor to fix the access control issue.
  reference:
    - https://github.com/sudo-jtcsec/CVE/blob/master/CVE-2020-10973
    - https://github.com/sudo-jtcsec/Nyra
    - https://nvd.nist.gov/vuln/detail/CVE-2020-10973
    - https://github.com/Roni-Carta/nyra
    - https://github.com/sudo-jtcsec/CVE/blob/master/CVE-2020-10973-affected_devices
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2020-10973
    cwe-id: CWE-306
    epss-score: 0.04225
    epss-percentile: 0.91273
    cpe: cpe:2.3:o:wavlink:wn530hg4_firmware:m30hg4.v5030.191116:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: wavlink
    product: wn530hg4_firmware
    shodan-query: http.html:"Wavlink"
  tags: cve,cve2020,exposure,wavlink

http:
  - raw:
      - |
        GET /backupsettings.dat HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - 'Salted__'

      - type: word
        part: header
        words:
          - application/octet-stream

      - type: status
        status:
          - 200
# digest: 4a0a00473045022039ff3386c769e432f7525e08150b1e6aed5b5f56c88367cea8e7bbac8afba93d022100af05c87abac3ba020d7666499d28ddc350d6ec91042b97c4154c19d638847a07:922c64590222798bb761d5b6d8e72950