CVE-2019-19843
9.8
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 / Impact: 5.9
Source: NVD
Description
Incorrect access control in the web interface in Ruckus Wireless Unleashed through 200.7.10.102.64 allows remote credential fetch via an unauthenticated HTTP request involving a symlink with /tmp and web/user/wps_tool_cache.
Affected (7)
Products: Ruckuswireless: Unleashed, Zonedirector 1200 Firmware
Configuration A
| Vulnerable Software | Affected Versions |
|---|---|
| Before 200.7.10.202.94 |
| Running on/with | Platform Versions |
|---|---|
Ruckuswireless C110 | All versions |
Ruckuswireless E510 | All versions |
Ruckuswireless H320 | All versions |
Ruckuswireless H510 | All versions |
Ruckuswireless M510 | All versions |
Ruckuswireless R310 | All versions |
Ruckuswireless R320 | All versions |
Ruckuswireless R510 | All versions |
Ruckuswireless R610 | All versions |
Ruckuswireless R710 | All versions |
Ruckuswireless R720 | All versions |
Ruckuswireless T310 | All versions |
Ruckuswireless T610 | All versions |
Ruckuswireless T710 | All versions |
Configuration B
| Vulnerable Software | Affected Versions |
|---|---|
| Before 9.10.2.0.84 |
| Running on/with | Platform Versions |
|---|---|
Ruckuswireless Zonedirector 1200 | All versions |
Related CWEs
CWE-522
Insufficiently Protected Credentials
The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.
CWE-552
Files or Directories Accessible to External Parties
The product makes files or directories accessible to unauthorized actors, even though they should not be.
References (6)
Source: cve@mitre.org
ExploitTechnical DescriptionThird Party Advisory
Source: cve@mitre.org
Third Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
ExploitTechnical DescriptionThird Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Third Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Vendor Advisory
Timeline
No history available yet.