Input Validation Vulnerability in a ZTE's PON terminal product

Original Release Date:  May 8, 2020 

 

CVE ID

CVE-2020-6868

 

CVSS 3.1 Base Score

3.5 Low AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

 

Description 

There is an input validation vulnerability in a PON terminal product of ZTE, which supports the creation of WAN connections through WEB management pages. The front-end limits the length of the WAN connection name that is created, but the HTTP proxy is available to be used to bypass the limitation. An attacker can exploit the vulnerability to tamper with the parameter value.

 

Affected Products and Fixes

Product Name

Affected Version

Resolved Version

ZTE F680

ZXHN F680V9.0.10P1N6

ZXHN F680V9.0.10P1N5D_release

 

Source

The vulnerability was found by ZTE's internal test.

 

Update Records

May 8, 2020, initial.

November 23,2020, Modified the description

 

Supporting team contacts

1. ZTE GCSC hotline:

0755-26770800

800-830-1118

400-830-1118

2. Product forum at ZTE Support website.

 

ZTE PSIRT

If you need to report security vulnerabilities related to ZTE products, or get ZTE product security incident response service and vulnerability information, please contact ZTE PSIRT: psirt@zte.com.cn, PGP key ID: FF095577.

[Close]