CVE-2018-16307
HIGHXiaomi MIWiFi Xiaomi_55DD 2.8.50 - Server-Side Request Forgery via HTTP Host Header
Title source: llmDescription
An "Out-of-band resource load" issue was discovered on Xiaomi MIWiFi Xiaomi_55DD Version 2.8.50 devices. It is possible to induce the application to retrieve the contents of an arbitrary external URL and return those contents in its own response. If a domain name (containing a random string) is used in the HTTP Host header, the application performs an HTTP request to the specified domain. The response from that request is then included in the application's own response.
References (1)
Core 1
Core References
Exploit, Third Party Advisory, VDB Entry x_refsource_misc
http://packetstormsecurity.com/files/149196/MIWiFi-Xiaomi_55DD-2.8.50-Out-Of-Band-Resource-Load.html
Scores
CVSS v3
7.5
EPSS
0.0197
EPSS Percentile
77.9%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Details
CWE
CWE-200
Status
published
Products (1)
mi/xiaomi_miwifi_xiaomi_55dd_firmware
2.8.50
Published
Sep 05, 2018
Tracked Since
Feb 18, 2026