|
Original release date: 28 May 2019 CVE ID CVE-2019-3409 CVE-2019-3410 CVSS 3.0 Base Score CVE-2019-3409:9.0 Critical(AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H) CVE-2019-3410:4.6 Medium(AV:A/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L) Description CVE-2019-3409: All versions up to UKBB_WF820+_1.0.0B06 of ZTE WF820+ LTE Outdoor CPE product are impacted by command injection vulnerability. Due to inadequate parameter verification, unauthorized users can take advantage of this vulnerability to control the user terminal system. CVE-2019-3410: All versions up to UKBB_WF820+_1.0.0B06 of ZTE WF820+ LTE Outdoor CPE product are impacted by Cross-Site Request Forgery vulnerability,which stems from the fact that WEB applications do not adequately verify whether requests come from trusted users. An attacker can exploit this vulnerability to send unexpected requests to the server through the affected client. Affected Products and Fixes Product Name | Affected Version | Resolved Version | ZTE WF820+ LTE Outdoor CPE | All versions up to UKBB_WF820+_1.0.0B06 | UKBB_WF820+_1.0.0B08 |
Credit Security researcher Roman Mironov at SEC-1 submitted 2 vulnerabilities of ZTEWF820+ LTE Outdoor CPE product to ZTE PSIRT. ZTE Thanks to Roman Mironov, British Telecom Operators UKBB and SEC-1 security Lab for the work they have done to coordinate with us in vulnerability disclosure. Update Records 28 May 2019, initial. Supporting team contacts 1.ZTE GCSC hotline: 0755-26770800 800-830-1118 400-830-1118 2.Product forum at ZTE Support website. ZTE PSIRT If you need to feedback or report security vulnerabilities related to ZTE products, or get ZTE product security incident response service and vulnerability information, please contact ZTE PSIRT: psirt@zte.com.cn, PGP key ID: FF095577.
|