An "Out-of-band resource load" issue was discovered on Xiaomi MIWiFi Xiaomi_55DD Version 2.8.50 devices. It is possible to induce the application to retrieve the contents of an arbitrary external URL and return those contents in its own response. If a domain name (containing a random string) is used in the HTTP Host header, the application performs an HTTP request to the specified domain. The response from that request is then included in the application's own response.
References
Link | Resource |
---|---|
http://packetstormsecurity.com/files/149196/MIWiFi-Xiaomi_55DD-2.8.50-Out-Of-Band-Resource-Load.html | Exploit Third Party Advisory VDB Entry |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: mitre
Published: 2018-09-05T21:00:00
Updated: 2018-09-05T20:57:01
Reserved: 2018-09-01T00:00:00
Link: CVE-2018-16307
JSON object: View
NVD Information
Status : Analyzed
Published: 2018-09-05T21:29:03.327
Modified: 2018-11-14T18:19:55.833
Link: CVE-2018-16307
JSON object: View
Redhat Information
No data.
CWE