CVE-2020-11966

In IQrouter through 3.3.1, the Lua function reset_password in the web-panel allows remote attackers to change the root password arbitrarily. Note: The vendor claims that this vulnerability can only occur on a brand-new network that, after initiating the forced initial configuration (which has a required step for setting a secure password on the system), makes this CVE invalid. This vulnerability is “true for any unconfigured release of OpenWRT, and true of many other new Linux distros prior to being configured for the first time”

In IQrouter through 3.3.1, the Lua function reset_password in the web-panel allows remote attackers to change the root password arbitrarily. Note: The vendor claims that this vulnerability can only occur on a brand-new network that, after initiating the forced initial configuration (which has a required step for setting a secure password on the system), makes this CVE invalid. This vulnerability is “true for any unconfigured release of OpenWRT, and true of many other new Linux distros prior to being configured for the first time”

** EN DISPUTA ** En IQrouter versiones hasta la versión 3.3.1, la función Lua reset_password en el panel web, permite a atacantes remotos cambiar la contraseña de root arbitrariamente. Nota: El vendedor afirma que esta vulnerabilidad solo puede ocurrir en una red nueva que, después de iniciar la configuración inicial forzada (que tiene un paso requerido para establecer una contraseña segura en el sistema), hace que este CVE no sea válido. Esta vulnerabilidad es "verdadera para cualquier versión no configurada de OpenWRT, y verdadera para muchas otras nuevas distribuciones de Linux antes de ser configuradas por primera vez"