CVE-2019-19823

A certain router administration interface (that includes Realtek APMIB 0.11f for Boa 0.94.14rc21) stores cleartext administrative passwords in flash memory and in a file. This affects TOTOLINK A3002RU through 2.0.0, A702R through 2.1.3, N301RT through 2.1.6, N302R through 3.4.0, N300RT through 3.4.0, N200RE through 4.0.0, N150RT through 3.4.0, and N100RE through 3.4.0; Rutek RTK 11N AP through 2019-12-12; Sapido GR297n through 2019-12-12; CIK TELECOM MESH ROUTER through 2019-12-12; KCTVJEJU Wireless AP through 2019-12-12; Fibergate FGN-R2 through 2019-12-12; Hi-Wifi MAX-C300N through 2019-12-12; HCN MAX-C300N through 2019-12-12; T-broad GN-866ac through 2019-12-12; Coship EMTA AP through 2019-12-12; and IO-Data WN-AC1167R through 2019-12-12.

Published: Jan 27, 2020
Updated: Apr 13, 2023
CVE: CVE-2019-19823
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 7.5
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS v2:

Severity: Medium
Score: 5
AV:N/AC:L/Au:N/C:P/I:N/A:N

CWEs:

CWE-522

OWASP TOP 10:

A2 - Broken Authentication

Affected Software
References

Software	From	Fixed in
totolink / a3002ru_firmware	-	2.0.0.x
totolink / a702r_firmware	-	2.1.3.x
totolink / n302r_firmware	-	3.4.0.x
totolink / n300rt_firmware	-	3.4.0.x
totolink / n200re_firmware	-	4.0.0.x
totolink / n150rt_firmware	-	3.4.0.x
totolink / n100re_firmware	-	3.4.0.x
realtek / rtk_11n_ap_firmware	-	2019-12-12.x
sapido / gr297n_firmware	-	2019-12-12.x
ciktel / mesh_router_firmware	-	2019-12-12.x
kctvjeju / wireless_ap_firmware	-	2019-12-12.x
fg-products / fgn-r2_firmware	-	2019-12-12.x
hiwifi / max-c300n_firmware	-	2019-12-12.x
tbroad / gn-866ac_firmware	-	2019-12-12.x
coship / emta_ap_firmwre	-	2019-12-12.x
iodata / wn-ac1167r_firmwre	-	2019-12-12.x
hcn_max-c300n_project / hcn_max-c300n_firmware	-	2019-12-12.x
totolink / n301rt_firmware	-	2.1.6.x

Vulnerability Database

290,273

CVE-2019-19823