Statement of Vulnerabilities in ZTE C520V21 Product

Original release date: 15 November 2019

 

CVE ID

CVE-2019-3423

CVE-2019-3424

 

CVSS 3.0 Base Score

CVE-2019-3423 4.4 Medium (AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N)

CVE-2019-3424 5.1 Medium (AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N)

 

Statement

China National Vulnerability Database (CNVD) reported two vulnerabilities in the C520V21 smart camera to ZTE PSIRT.

According to the analysis of product teams, these two vulnerabilities exist in the V2.1.14 and below versions of C520V21 smart camera devices.

CVE-2019-3423: permission and access control vulnerability, which exists in V2.1.14 and below versions of C520V21 smart camera devices. An attacker can construct a URL for directory traversal and access to other unauthorized files or resources.

CVE-2019-3424: authentication issues vulnerability, which exists in V2.1.14 and below versions of C520V21 smart camera devices. An attacker can automatically obtain access to web services from the authorized browser of the same computer and perform operations.

ZTE recommends that users log in to ZTE smart home website to download the latest version and upgrade the device firmware. The download URL is as follows:

https://www.ztehome.com.cn/support/searchRsltTable.php?id=67

  

Credit

Thanks to China National Vulnerability Database (CNVD) for reporting the security vulnerabilities to ZTE PSIRT.

 

Update Records

15 November 2019, initial.

 

Supporting team contacts

1. ZTE GCSC hotline:

0755-26770800

800-830-1118

400-830-1118

2. Product forum at ZTE Support website.

 

ZTE PSIRT

If you need to report security vulnerabilities related to ZTE products, or get ZTE product security incident response service and vulnerability information, please contact ZTE PSIRT: psirt@zte.com.cn, PGP key ID: FF095577.

[Close]