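Vulnerability Title
N/A
Vulnerability Description
An issue with firmware AL-R096 was discovered on Securifi Almond, Almond+, and Almond 2015 devices. The device provides users with the ability to perform various actions in the web management interface. It appears that the device does not implement any Origin header check, which allows an attacker to exploit this issue by tricking a user into navigating to the attacker's page and to attempt to brute force the password of the web management interface. It also allows the attacker to perform other actions, including managing conditional rules and sensors connected to the device, using WebSocket requests.
CVSS Information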
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Vulnerability Category
N/A
Vulnerability Title
N/A
Vulnerability Description
An issue was discovered on Securifi Almond, Almond+, and Almond 2015 devices with firmware AL-R096. The device provides a user with the capability of executing various actions on the web management interface. It seems that the device does not implement any Origin header check, which allows an attacker who can trick a user into navigating to an attacker's webpage to exploit this issue and brute force the password for the web management interface. It also allows an attacker to then execute any other actions, which include management of rules and sensors attached to the devices, using WebSocket requests.
CVSS Information
N/A
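Vulnerability Category
N/A
Vulnerability Title
Securifi Almond Information Disclosure Vulnerability
Vulnerability Description
Securifi Almond is a wireless router with a touchscreen. A security vulnerability exists in Securifi Almond, Almond+, and Almond 2015 running firmware version AL-R096. The vulnerability stems from the program not checking the Origin field in the request header. An attacker can exploit this vulnerability to brute force the password and perform arbitrary actions.
CVSS Information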
N/A
Vulnerability Category
Information disclosure
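
The control these entries report as missing is a server-side Origin check on the WebSocket handshake. The sketch below is an added example, not Securifi's code: the admin origin `http://192.168.1.1`, the `/ws` path and all function names are assumptions, and rejecting a handshake that carries no Origin header is a policy choice made here.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
# Assumption: the admin UI is served from this origin (constructed value).
ALLOWED_ORIGINS = {("http", "192.168.1.1", 80)}


def sample_upgrade(*origins):
    """Build a constructed WebSocket upgrade request with the given Origin values."""
    lines = ["GET /ws HTTP/1.1", "Host: 192.168.1.1",
             "Upgrade: websocket", "Connection: Upgrade"]
    lines += [f"Origin: {o}" for o in origins]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1")


def parse_headers(raw):
    """Return (lowercased name, value) pairs from a raw HTTP request head."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    pairs = []
    for line in head.split("\r\n")[1:]:      # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip().lower(), value.strip()))
    return pairs


def normalize_origin(value):
    """Turn an Origin value into (scheme, host, port), or None if it is not one."""
    try:
        parts = urlsplit(value)
        port = parts.port                    # raises ValueError on a bad port
    except ValueError:
        return None
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None                          # covers "null" and non-http schemes
    if parts.path or parts.query or parts.fragment or parts.username:
        return None                          # an origin has no path or userinfo
    if port is None:
        port = DEFAULT_PORTS[parts.scheme]
    return (parts.scheme, parts.hostname, port)


def websocket_origin_allowed(raw_request, allowed=ALLOWED_ORIGINS):
    """Decide whether a WebSocket upgrade request may proceed."""
    origins = [v for n, v in parse_headers(raw_request) if n == "origin"]
    if len(origins) != 1:                    # missing or duplicated header: reject
        return False
    return normalize_origin(origins[0]) in allowed   # exact match, no substring test


if __name__ == "__main__":
    for o in ("http://192.168.1.1", "http://attacker.example", "null"):
        print(o, "->", websocket_origin_allowed(sample_upgrade(o)))
```

Browsers set the Origin header themselves, so this check closes the cross-site path the entries describe; throttling of login attempts is a separate control.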