The acer_cgi.log file in the device firmware is accessible without authentication via the web interface. This file contains cleartext login…
The acer_cgi.log file in the device firmware is accessible without authentication via the web interface. This file contains cleartext login credentials (for web and Telnet), leading to unauthorized system access.
The product writes sensitive information to a log file.
https://cwe.mitre.org/data/definitions/532.html →Open in CWE collection →An attacker sends random, malformed, or otherwise unexpected messages to a target application and observes the application's log or error messages returned. The attacker does not initially know how a target will respond to individual messages but by attempting a large number of message variants they may find a variant that trigger's desired behavior. In this attack, the purpose of the fuzzing is to observe the application's log and error messages, although fuzzing a target can also sometimes cause the target to enter an unstable state, causing a crash.
https://capec.mitre.org/data/definitions/215.html →Open in CAPEC collection →