Boa Webserver on DASAN H660RM devices with firmware 1.03-0022 (and possibly other) saves post data, including credentials, to /tmp/boa-temp. Moreover this file is not sanitized after request has been processed, which allow retrieval of login credential possible until another POST request is made.
This vulnerability was assigned CVE-2019-9976.
CWE-377: Insecure Temporary File weakness exists in Boa Webserver. Exploitation requires ability to login on device. This could be accomplished using CVE-2019-8950.
Exploitation is possible for users logged in over telnet of SSH. If user logged though Web UI and until he make any other POST request, his credentials can be retrieved with:
$ cat /tmp/boa-temp StatusActionFlag=-1&Username=admin&Password=vertex25
