CVE-2018-16307

HIGH

Xiaomi MIWiFi Xiaomi_55DD 2.8.50 - Server-Side Request Forgery via HTTP Host Header

Title source: llm
STIX 2.1

Description

An "Out-of-band resource load" issue was discovered on Xiaomi MIWiFi Xiaomi_55DD Version 2.8.50 devices. It is possible to induce the application to retrieve the contents of an arbitrary external URL and return those contents in its own response. If a domain name (containing a random string) is used in the HTTP Host header, the application performs an HTTP request to the specified domain. The response from that request is then included in the application's own response.

References (1)

Core 1
Core References

Scores

CVSS v3 7.5
EPSS 0.0197
EPSS Percentile 77.9%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Details

CWE
CWE-200
Status published
Products (1)
mi/xiaomi_miwifi_xiaomi_55dd_firmware 2.8.50
Published Sep 05, 2018
Tracked Since Feb 18, 2026