CVE-2020-6880

Published: Dec 1, 2020Modified: Nov 21, 2024

9.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

A ZXELINK wireless controller has a SQL injection vulnerability. A remote attacker does not need to log in. By sending malicious SQL statements, because the device does not properly filter parameters, successful use can obtain management rights. This affects: ZXV10 W908 all versions before MIPS_A_1022IPV6R3T6P7Y20.

Affected (1)

Products: Zte: Zxv10 W908 Firmware

1 product

Zxv10 W908 Firmware

Configuration A

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Zte Zxv10 W908 Firmware	Before mips_a_1022ipv6r3t6p7y20

Running on/with	Platform Versions
Zte Zxv10 W908	All versions

Related CWEs

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

References (2)

http://www.zxelink.com.cn/website/html/CommonContent.html?classify=news&id=43&menuID=20201126153313319

Source: psirt@zte.com.cn

Vendor Advisory

http://www.zxelink.com.cn/website/html/CommonContent.html?classify=news&id=43&menuID=20201126153313319

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.