|
Original release date: 1 February 2019
CVE IDs
CVE-2019-3417
CVE-2019-3418
CVSS 3.0 Base Score
CVE-2019-3417:8.1 High (AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N)
CVE-2019-3418:5.7 Medium (AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)
Description
CVE-2019-3417:
All versions up to V1.1.10P3T18 of ZTE ZXHN F670 product are impacted by command injection vulnerability. Due to insufficient parameter validation check, an authorized user can exploit this vulnerability to take control of user router system.
CVE-2019-3418:
All versions up to V1.1.10P3T18 of ZTE ZXHN F670 product are impacted by cross-site scripting vulnerability (XSS). Due to incomplete input validation, an authorized user can exploit this vulnerability to execute malicious scripts.
Affected Products and Fixes
|
Product Name |
Affected Version |
Resolved Version |
|
ZXHN F670 |
All versions up to V1.1.10P3T18 |
V1.1.10P3T22 |
Credit
Security researcher Egor Dimitrenko and Alexandr Shvetsov at Positive Technologies submitted command injection vulnerability of ZXHN F670 product to ZTE PSIRT.
Security researcher Egor Dimitrenko, Alexandr Shvetsov and Maxim Kostikov at Positive Technologies submitted XSS vulnerabilities of ZXHN F670 product to ZTE PSIRT.
ZTE would like to thank Egor Dimitrenko, Alexandr Shvetsov and Maxim Kostikov for the work they have done to coordinate with us in vulnerability disclosure.
Update Records
1 February 2019, initial. 7 August 2019, The originally assigned CVE-ID(CVE-2018-7367、CVE-2018-7368) was not published, so the new CVE-ID was reassigned.
Supporting team contacts
1. ZTE GCSC hotline:
0755-26770800
800-830-1118
400-830-1118
2. Product forum at ZTE Support website.
ZTE PSIRT
If you need to feedback or report security vulnerabilities related to ZTE products, or get ZTE product security incident response service and vulnerability information, please contact ZTE PSIRT: psirt@zte.com.cn, PGP key ID: FF095577.
|