9.8

CVE-2020-11966

EPSS 0.81%
Veröffentlicht 21.04.2020 13:15:14
Zuletzt bearbeitet 21.11.2024 04:59:00
Quelle cve@mitre.org
CVE-Watchlists
Login
Unerledigt
Login

In IQrouter through 3.3.1, the Lua function reset_password in the web-panel allows remote attackers to change the root password arbitrarily. Note: The vendor claims that this vulnerability can only occur on a brand-new network that, after initiating the forced initial configuration (which has a required step for setting a secure password on the system), makes this CVE invalid. This vulnerability is “true for any unconfigured release of OpenWRT, and true of many other new Linux distros prior to being configured for the first time”

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 7

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Evenroute ≫ Iqrouter Firmware Version <= 3.3.1

Evenroute ≫ Iqrouter Version-

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.81%	0.74

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	7.5	10	6.4	AV:N/AC:L/Au:N/C:P/I:P/A:P

CWE-521 Weak Password Requirements

The product does not require that users should have strong passwords, which makes it easier for attackers to compromise user accounts.

https://evenroute.com/

Product

https://evenroute.zendesk.com/hc/en-us/articles/216107838-How-do-I-configure-an-IQrouter-

https://openwrt.org/docs/guide-quick-start/walkthrough_login

https://pastebin.com/grSCSBSu

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2020-11966

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2020-11966

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2020-11966

EUVD