CVE-2020-10972

HIGH

Wavlink - Info Disclosure

Title source: llm

Description

An issue was discovered where a page is exposed that has the current administrator password in cleartext in the source code of the page. No authentication is required in order to reach the page (a certain live_?.shtml page with the variable syspasswd). Affected Devices: Wavlink WN530HG4, Wavlink WN531G3, and Wavlink WN572HG3

References (4)

[Not Applicable, Third Party Advisory] https://github.com/Roni-Carta/nyra

View Writeup ZIP pw:eip

[Third Party Advisory] https://github.com/sudo-jtcsec/CVE/blob/master/CVE-2020-10972

View Writeup ZIP pw:eip

[Third Party Advisory] https://github.com/sudo-jtcsec/CVE/blob/master/CVE-2020-10972-affected_devices

[Broken Link] https://github.com/sudo-jtcsec/Nyra

Scores

CVSS v3 7.5

EPSS 0.0031

EPSS Percentile 53.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Classification

CWE

CWE-522 CWE-306

Status published

Affected Products (3)

wavlink/wn530hg4_firmware

wavlink/wn531g3_firmware

wavlink/wn572hg3_firmware

Timeline

Published May 07, 2020

Tracked Since Feb 18, 2026