CVE-2020-24577Cleartext Storage of Sensitive Info in Dlink Dsl-2888a Firmware

CWE-312Cleartext Storage of Sensitive Info3 documents3 sources
Severity
7.5HIGHNVD
EPSS
16.8%
top 5.04%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Dlink Dsl-2888a Firmware
Timeline
PublishedJan 8
Latest updateMay 24

Description

An issue was discovered on D-Link DSL-2888A devices with firmware prior to AU_2.31_V1.1.47ae55. The One Touch application discloses sensitive information, such as the hashed admin login password and the Internet provider connection username and cleartext password, in the application's response body for a /tmp/var/passwd or /tmp/home/wan_stat URI.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages1 packages

NVDdlink/dsl-2888a_firmware< au_2.31_v1.1.47ae55

🔴Vulnerability Details

2
GHSA
GHSA-vrq7-q46g-p2fq: An issue was discovered on D-Link DSL-2888A devices with firmware prior to AU_22022-05-24
CVEList
CVE-2020-24577: An issue was discovered on D-Link DSL-2888A devices with firmware prior to AU_22021-01-08
CVE-2020-24577 — Cleartext Storage of Sensitive Info | cvebase