Original release date: 10 September 2018
Update date: 27 September 2018
CVE ID
CVE-2018-7355
CVSS 3.0 Base Score
4.6 Medium (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Statement
Cyber Security Philippines CERT - Red Team reported two script injection vulnerabilities in MF65 V1.0.0B05 to ZTE PSIRT in July 2018. Security researcher Markclancys also reported a reflected cross-site scripting vulnerability in MF65M1 V1.0.0B02 to ZTE PSIRT in August 2018.
Through analysis by the related product teams, the script injection vulnerabilities were confirmed in the V1.0 versions of both the MF65 and MF65M1 products. Due to incomplete input validation, an attacker can cause damage to devices by embedding malicious JS code in a URL link.
As the ZTE MF65 reached end of service in August 2016, and the MF65M1 reached end of service in September 2017, ZTE strongly recommends that users replace them with newer UFI products for better security.
Credit
Thanks to Cyber Security Philippines CERT - Red Team and security researcher Markclancys for reporting the security vulnerabilities to ZTE PSIRT.
Reference
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7355
Update Records
10 September 2018: initial release.
27 September 2018: CVE ID assigned and Statement updated.
Supporting team contacts
1. ZTE GCSC hotline:
0755-26770800
800-830-1118
400-830-1118
2. Product forum at ZTE Support website.
ZTE PSIRT
If you need to report or give feedback on security vulnerabilities related to ZTE products, or to obtain ZTE's product security incident response service and vulnerability information, please contact ZTE PSIRT: psirt@zte.com.cn, PGP key ID: FF095577.