CVE-2020-6879

Published: Nov 19, 2020Modified: Nov 21, 2024

3.5

Vector

CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Exploitability: 2.1 / Impact: 1.4

Source: NVD

Description

Some ZTE devices have input verification vulnerabilities. The devices support configuring a static prefix through the web management page. The restriction of the front-end code can be bypassed by constructing a POST request message and sending the request to the creation of a static routing rule configuration interface. The WEB service backend fails to effectively verify the abnormal input. As a result, the attacker can successfully use the vulnerability to tamper parameter values. This affects: ZXHN Z500 V1.0.0.2B1.1000 and ZXHN F670L V1.1.10P1N2E. This is fixed in ZXHN Z500 V1.0.1.1B1.1000 and ZXHN F670L V1.1.10P2N2.

Affected (2)

Products: Zte: Zxhn Z500 Firmware, Zxhn F670l Firmware

2 products

Zxhn Z500 Firmware

Zxhn F670l Firmware

Configuration A

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Zte Zxhn Z500 Firmware	Version v1.0.0.2b1.1000

Running on/with	Platform Versions
Zte Zxhn Z500	All versions

Configuration B

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Zte Zxhn F670l Firmware	Version v1.1.10p1n2e

Running on/with	Platform Versions
Zte Zxhn F670l	All versions

Related CWEs

Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

References (2)

http://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1013922

Source: psirt@zte.com.cn

Vendor Advisory

http://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1013922

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.