CVE-2023-53770

Summary

MiniDVBLinux 5.4 contains an unauthenticated configuration download vulnerability that allows remote attackers to access sensitive system configuration files through a direct object reference. Attackers can exploit the backup download endpoint by sending a GET request with 'action=getconfig' to retrieve a complete system configuration archive containing sensitive credentials.

Affected Software

VendorProductVersion RangeStatus
MiniDVBLinuxMiniDVBLinux(TM) Distribution (MLD)<=5.4affected

Weaknesses

  • CWE-260: CWE-260: Password in Configuration File

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: yes
    • Technical Impact: partial

References