ID

VAR-201809-0912


CVE

CVE-2018-16307


TITLE

Information disclosure vulnerabilities in Xiaomi MIWiFi Xiaomi_55DD devices

Trust: 0.8

sources: JVNDB: JVNDB-2018-010327

DESCRIPTION

An "Out-of-band resource load" issue was discovered on Xiaomi MIWiFi Xiaomi_55DD Version 2.8.50 devices. It is possible to induce the application to retrieve the contents of an arbitrary external URL and return those contents in its own response. If a domain name (containing a random string) is used in the HTTP Host header, the application performs an HTTP request to the specified domain. The response from that request is then included in the application's own response. The Xiaomi MIWiFi Xiaomi_55DD device contains an information disclosure vulnerability. Information may be obtained. Xiaomi MIWiFi Xiaomi_55DD is a wireless router from Xiaomi (China). There is a security vulnerability in Xiaomi MIWiFi Xiaomi_55DD version 2.8.50.

Trust: 2.25

sources: NVD: CVE-2018-16307 // JVNDB: JVNDB-2018-010327 // CNVD: CNVD-2020-27293 // VULHUB: VHN-126653

IOT TAXONOMY

category: ['Network device'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2020-27293

AFFECTED PRODUCTS

vendor: mi, model: xiaomi miwifi xiaomi 55dd, scope: eq, version: 2.8.50

Trust: 1.6

vendor: xiaomi, model: 55dd, scope: eq, version: 2.8.50

Trust: 1.4

vendor: xiaomi, model: miwifi xiaomi 55dd, scope: eq, version: 2.8.50

Trust: 0.6

sources: CNVD: CNVD-2020-27293 // JVNDB: JVNDB-2018-010327 // CNNVD: CNNVD-201809-194 // NVD: CVE-2018-16307

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2018-16307
value: HIGH

Trust: 1.0

NVD: CVE-2018-16307
value: HIGH

Trust: 0.8

CNVD: CNVD-2020-27293
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201809-194
value: MEDIUM

Trust: 0.6

VULHUB: VHN-126653
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2018-16307
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2020-27293
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

VULHUB: VHN-126653
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2018-16307
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 3.6
version: 3.0

Trust: 1.8

sources: CNVD: CNVD-2020-27293 // VULHUB: VHN-126653 // JVNDB: JVNDB-2018-010327 // CNNVD: CNNVD-201809-194 // NVD: CVE-2018-16307

PROBLEMTYPE DATA

problemtype:CWE-200

Trust: 1.9

sources: VULHUB: VHN-126653 // JVNDB: JVNDB-2018-010327 // NVD: CVE-2018-16307

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201809-194

TYPE

information disclosure

Trust: 0.6

sources: CNNVD: CNNVD-201809-194

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-010327

PATCH

title: Top Page, url: https://www.mi.com/global/

Trust: 0.8

sources: JVNDB: JVNDB-2018-010327

EXTERNAL IDS

db: NVD, id: CVE-2018-16307

Trust: 3.1

db: PACKETSTORM, id: 149196

Trust: 2.5

db: JVNDB, id: JVNDB-2018-010327

Trust: 0.8

db: CNVD, id: CNVD-2020-27293

Trust: 0.7

db: CNNVD, id: CNNVD-201809-194

Trust: 0.7

db: VULHUB, id: VHN-126653

Trust: 0.1

sources: CNVD: CNVD-2020-27293 // VULHUB: VHN-126653 // JVNDB: JVNDB-2018-010327 // CNNVD: CNNVD-201809-194 // NVD: CVE-2018-16307

REFERENCES

url: http://packetstormsecurity.com/files/149196/miwifi-xiaomi_55dd-2.8.50-out-of-band-resource-load.html

Trust: 2.5

url: https://nvd.nist.gov/vuln/detail/cve-2018-16307

Trust: 1.4

url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-16307

Trust: 0.8

sources: CNVD: CNVD-2020-27293 // VULHUB: VHN-126653 // JVNDB: JVNDB-2018-010327 // CNNVD: CNNVD-201809-194 // NVD: CVE-2018-16307

SOURCES

db: CNVD, id: CNVD-2020-27293
db: VULHUB, id: VHN-126653
db: JVNDB, id: JVNDB-2018-010327
db: CNNVD, id: CNNVD-201809-194
db: NVD, id: CVE-2018-16307

LAST UPDATE DATE

2024-11-23T23:04:58.065000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2020-27293, date: 2020-05-09T00:00:00
db: VULHUB, id: VHN-126653, date: 2018-11-14T00:00:00
db: JVNDB, id: JVNDB-2018-010327, date: 2018-12-12T00:00:00
db: CNNVD, id: CNNVD-201809-194, date: 2018-09-06T00:00:00
db: NVD, id: CVE-2018-16307, date: 2024-11-21T03:52:29.880

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2020-27293, date: 2020-05-09T00:00:00
db: VULHUB, id: VHN-126653, date: 2018-09-05T00:00:00
db: JVNDB, id: JVNDB-2018-010327, date: 2018-12-12T00:00:00
db: CNNVD, id: CNNVD-201809-194, date: 2018-09-06T00:00:00
db: NVD, id: CVE-2018-16307, date: 2018-09-05T21:29:03.327