Description
An issue was discovered in which an exposed page contains the current administrator password in cleartext in its source code. No authentication is required to reach the page (a certain live_?.shtml page with the variable syspasswd). Affected devices: Wavlink WN530HG4, Wavlink WN531G3, and Wavlink WN572HG3.
References (4)
Core References
Third Party Advisory x_refsource_misc
https://github.com/sudo-jtcsec/CVE/blob/master/CVE-2020-10972
Broken Link x_refsource_misc
https://github.com/sudo-jtcsec/Nyra
Not Applicable, Third Party Advisory x_refsource_misc
https://github.com/Roni-Carta/nyra
Third Party Advisory x_refsource_misc
https://github.com/sudo-jtcsec/CVE/blob/master/CVE-2020-10972-affected_devices
Scores
CVSS v3
7.5
EPSS
0.0031
EPSS Percentile
53.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Details
CWE
CWE-522
CWE-306
Status
published
Products (3)
wavlink/wn530hg4_firmware
m30hg4.v5030.191116
wavlink/wn531g3_firmware
wavlink/wn572hg3_firmware
Published
May 07, 2020
Tracked Since
Feb 18, 2026