CVE-2018-16307

An "Out-of-band resource load" issue was discovered on Xiaomi MIWiFi Xiaomi_55DD Version 2.8.50 devices. It is possible to induce the application to retrieve the contents of an arbitrary external URL and return those contents in its own response. If a domain name (containing a random string) is used in the HTTP Host header, the application performs an HTTP request to the specified domain. The response from that request is then included in the application's own response.
Configurations

Configuration 1 (hide)

AND
cpe:2.3:o:mi:xiaomi_miwifi_xiaomi_55dd_firmware:2.8.50:*:*:*:*:*:*:*
cpe:2.3:h:mi:xiaomi_miwifi_xiaomi_55dd:-:*:*:*:*:*:*:*

History

21 Nov 2024, 03:52

Type Values Removed Values Added
References () http://packetstormsecurity.com/files/149196/MIWiFi-Xiaomi_55DD-2.8.50-Out-Of-Band-Resource-Load.html - Exploit, Third Party Advisory, VDB Entry () http://packetstormsecurity.com/files/149196/MIWiFi-Xiaomi_55DD-2.8.50-Out-Of-Band-Resource-Load.html - Exploit, Third Party Advisory, VDB Entry

Information

Published : 2018-09-05 21:29

Updated : 2024-11-21 03:52


NVD link : CVE-2018-16307

Mitre link : CVE-2018-16307

CVE.ORG link : CVE-2018-16307


JSON object : View

Products Affected

mi

  • xiaomi_miwifi_xiaomi_55dd_firmware
  • xiaomi_miwifi_xiaomi_55dd
CWE
CWE-200

Exposure of Sensitive Information to an Unauthorized Actor