CVE-2019-7579

Published: Jun 17, 2019Modified: Nov 21, 2024

7.5

Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Exploitability: 3.9 / Impact: 3.6

Source: NVD

Description

An issue was discovered on Linksys WRT1900ACS 1.0.3.187766 devices. An ability exists for an unauthenticated user to browse a confidential ui/1.0.99.187766/dynamic/js/setup.js.localized file on the router's webserver, allowing for an attacker to identify possible passwords that the system uses to set the default guest network password. An attacker can use this list of 30 words along with a random 2 digit number to brute force their access onto a router's guest network.

Affected (1)

Products: Linksys: Wrt1900acs Firmware

1 product

Wrt1900acs Firmware

Configuration A

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Linksys Wrt1900acs Firmware	Version 1.0.3.187766

Running on/with	Platform Versions
Linksys Wrt1900acs	All versions

Related CWEs

Improper Authentication

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

References (4)

http://www.x0rsecurity.com/2019/06/09/my-second-cve-linksys-wrt-acs-cve-2019-7579-or-as-i-call-it-acceptance-no-one-considers-security-by-design/

Source: cve@mitre.org

ExploitThird Party Advisory

https://robot-security.blogspot.com

Source: cve@mitre.org

Not Applicable

http://www.x0rsecurity.com/2019/06/09/my-second-cve-linksys-wrt-acs-cve-2019-7579-or-as-i-call-it-acceptance-no-one-considers-security-by-design/

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

https://robot-security.blogspot.com

Source: af854a3a-2127-422b-91ae-364da2661108

Not Applicable

Timeline

No history available yet.