CVE-2018-16307

MIWiFi Xiaomi_55DD 2.8.50 Out-Of-Band Resource Load

Severity Score

7.5

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

An "Out-of-band resource load" issue was discovered on Xiaomi MIWiFi Xiaomi_55DD Version 2.8.50 devices. It is possible to induce the application to retrieve the contents of an arbitrary external URL and return those contents in its own response. If a domain name (containing a random string) is used in the HTTP Host header, the application performs an HTTP request to the specified domain. The response from that request is then included in the application's own response.

Se ha detectado un problema de carga de recursos fuera de banda en dispositivos Xiaomi MIWiFi Xiaomi_55DD 2.8.50. Es posible hacer que la aplicación recupere el contenido de una URL arbitraria externa y devuelva ese contenido en su propia respuesta. Si un nombre de dominio (que contiene una cadena aleatoria) se emplea en la cabecera HTTP Host, la aplicación realiza una petición HTTP al dominio especificado. La respuesta de esa petición se incluye en la propia respuesta de la aplicación.

An out-of-band resource load issue was discovered on Xiaomi MIWiFi Xiaomi_55DD version 2.8.50 devices. It is possible to induce the application to retrieve the contents of an arbitrary external URL and return those contents in its own response. If a domain name (containing a random string) is used in the HTTP Host header, the application performs an HTTP request to the specified domain. The response from that request is then included in the application's own response.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

Partial

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2018-09-01 CVE Reserved
2018-09-02 CVE Published
2024-06-20 EPSS Updated
2024-08-05 CVE Updated
2024-08-05 First Exploit
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CAPEC

References (1)

URL	Tag	Source

URL	Date	SRC
http://packetstormsecurity.com/files/149196/MIWiFi-Xiaomi_55DD-2.8.50-Out-Of-Band-Resource-Load.html	2024-08-05

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Mi Search vendor "Mi"	Xiaomi Miwifi Xiaomi 55dd Firmware Search vendor "Mi" for product "Xiaomi Miwifi Xiaomi 55dd Firmware"	2.8.50 Search vendor "Mi" for product "Xiaomi Miwifi Xiaomi 55dd Firmware" and version "2.8.50"	-	Affected	in	Mi Search vendor "Mi"	Xiaomi Miwifi Xiaomi 55dd Search vendor "Mi" for product "Xiaomi Miwifi Xiaomi 55dd"	-	-	Safe