Two Vulnerabilities in ZTE ZXCDN IAMWEB Product

Original release date: 21 November, 2019

 

CVE ID

CVE-2019-3427

CVE-2019-3428

 

CVSS 3.0 Base Score

CVE-2019-3427: 6.6 Medium (AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L)

CVE-2019-3428: 6.5 Medium (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)

 

Description

CVE-2019-3427: The version V6.01.03.01 of ZTE ZXCDN IAMWEB product is impacted by a code injection vulnerability. An attacker could exploit the vulnerability to inject malicious code into the management page, resulting in users’ information leakage.

CVE-2019-3428: The version V6.01.03.01 of ZTE ZXCDN IAMWEB product is impacted by a configuration error vulnerability. An attacker could directly access the management portal in HTTP, resulting in users’ information leakage.

 

Affected Products and Fixes

Product Name

Affected Version

Resolved Version

ZXCDN IAMWEB

V6.01.03.01

V6.01.04.01

 

Source

The vulnerabilities were found by ZTE internal testing.

 

Update Records

21 November, 2019, initial.

 

Supporting team contacts

1. ZTE GCSC hotline:

0755-26770800

800-830-1118

400-830-1118

2. Product forum at ZTE Support website.

 

ZTE PSIRT

If you need to report security vulnerabilities related to ZTE products, or get ZTE product security incident response service and vulnerability information, please contact ZTE PSIRT: psirt@zte.com.cn, PGP key ID: FF095577.

[Close]