Vulnerability Details: CVE-2020-24246
Peplink Balance before 8.1.0rc1 allows an unauthenticated attacker to download PHP configuration files (/filemanager/php/connector.php) from Web Admin.
Products affected by CVE-2020-24246
- cpe:2.3:o:peplink:balance_20x_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:peplink:balance_310x_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:peplink:mbx_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:peplink:epx_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:peplink:sdx_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:peplink:balance_30_lte_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:peplink:balance_20_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:peplink:balance_30_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:peplink:balance_30_pro_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:peplink:balance_50_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:peplink:balance_one_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:peplink:balance_two_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:peplink:balance_210_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:peplink:balance_310_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:peplink:balance_305_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:peplink:balance_380_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:peplink:balance_580_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:peplink:balance_710_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:peplink:balance_1350_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:peplink:balance_2500_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:peplink:max_br1_mk2_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:peplink:max_br1_classic_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:peplink:max_br1_slim_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:peplink:max_br1_mini_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:peplink:max_br1_m2m_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:peplink:max_br1_ent_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:peplink:max_br1_pro_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:peplink:max_br1__ip67_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:peplink:max_br2_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:peplink:max_br1_ip55_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:peplink:max_br2_ip55_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:peplink:max_hd2_ip67_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:peplink:max_hd2_mini_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:peplink:max_hd2_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:peplink:max_hd1_dome_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:peplink:max_hd2_dome_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:peplink:max_hd4_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:peplink:max_hd4_ip67_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:peplink:max_transit_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:peplink:max_transit_duo_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:peplink:max_transit_mini_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:peplink:max_hotspot_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:peplink:max_on-the-go_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:peplink:max_700_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:peplink:ubr_lte_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:peplink:surf_soho_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:peplink:surf_soho_mk3_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:peplink:mediafast_200_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:peplink:mediafast_500_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:peplink:mediafast_750_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:peplink:mediafast_hd2_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:peplink:mediafast_hd4_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:peplink:speedfusion_sfe_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:peplink:speedfusion_sfe_cam_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:peplink:fusionhub_firmware:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2020-24246
- 0.26%: Probability of exploitation activity in the next 30 days
- ~66%: Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2020-24246
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N | 10.0 | 2.9 | NIST | |
7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | 3.9 | 3.6 | NIST | |
References for CVE-2020-24246
- https://blog.bssi.fr/cve-2020-24246-leaking-source-file-using-the-web-admin-interface-of-peplink-balance/
  [CVE-2020-24246] Leaking source file using the web admin interface of Peplink Balance - Blog BSSI (Exploit; Third Party Advisory)
- https://download.peplink.com/resources/firmware-8.1.0rc1-release-notes.pdf
  Release Notes; Vendor Advisory