Original release date: July 18, 2020

CVE ID
CVE-2020-6871
CVE-2020-6872

CVSS 3.1 Base Score
CVE-2020-6871: 8.6 High (AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H)
CVE-2020-6872: 5.4 Medium (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)

Description
CVE-2020-6871: The server management software module of ZTE has an authentication issue vulnerability, which allows users to bypass server authentication and execute some commands intended for high-level users.
CVE-2020-6872: The server management software module of ZTE has a stored XSS vulnerability. An attacker can insert attack code through the foreground login page, which causes the predefined malicious script to execute in the user's browser.

Affected Products and Fixes

| Product Name | Affected Version | Resolved Version |
| --- | --- | --- |
| R5300G4 | V03.08.0100, V03.07.0300, V03.07.0200, V03.07.0108, V03.07.0100, V03.05.0047, V03.05.0046, V03.05.0045, V03.05.0044, V03.05.0043, V03.05.0040, V03.04.0020 | V03.08.0200 or later |
| R8500G4 | V03.07.0103, V03.07.0101, V03.06.0100, V03.05.0400, V03.05.0020 | V03.08.0200 or later |
| R5500G4 | V03.08.0100, V03.07.0200, V03.07.0100, V03.06.0100 | V03.08.0200 or later |
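
To check an asset inventory against the table above, the following added example (not ZTE code) classifies each server by model and version. The hostnames, the status labels, and the "unlisted" category for versions older than the fix but absent from the table are assumptions of this example.

```python
import re

# Affected and resolved versions copied from the advisory table.
FIXED = (3, 8, 200)  # V03.08.0200 or later, same for all three models
AFFECTED = {
    "R5300G4": """V03.08.0100 V03.07.0300 V03.07.0200 V03.07.0108 V03.07.0100
                  V03.05.0047 V03.05.0046 V03.05.0045 V03.05.0044 V03.05.0043
                  V03.05.0040 V03.04.0020""",
    "R8500G4": "V03.07.0103 V03.07.0101 V03.06.0100 V03.05.0400 V03.05.0020",
    "R5500G4": "V03.08.0100 V03.07.0200 V03.07.0100 V03.06.0100",
}
_VERSION = re.compile(r"V(\d{2})\.(\d{2})\.(\d{4})")


def parse_version(text):
    """Turn 'V03.07.0108' into (3, 7, 108) so versions compare numerically."""
    m = _VERSION.fullmatch(text.strip().upper())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.groups())


def triage(model, version):
    """Classify one server as affected / fixed / unlisted / not-covered."""
    model = model.strip().upper()
    if model not in AFFECTED:
        return "not-covered"  # the advisory names only the three G4 models
    ver = parse_version(version)
    if ver >= FIXED:
        return "fixed"
    if ver in {parse_version(v) for v in AFFECTED[model].split()}:
        return "affected"
    # Older than the fix but absent from the table: the advisory is silent,
    # so flag it for manual review instead of assuming it is safe.
    return "unlisted"


# Constructed inventory rows (hostname, model, version); not real hosts.
INVENTORY = [
    ("srv-a01", "R5300G4", "V03.07.0108"),
    ("srv-a02", "R8500G4", "V03.08.0200"),
    ("srv-a03", "R5500G4", "V03.05.0010"),
    ("srv-a04", "R5300G4", "v03.08.0100"),
]


def report(rows=INVENTORY):
    """Map each hostname to its triage status."""
    return {host: triage(model, ver) for host, model, ver in rows}
```

Call `report()` with rows exported from your own inventory; a malformed version string raises `ValueError` so that it is not silently counted as fixed.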

Credit
Thanks to emcc LAB researcher Liu Jiewei and drops attacking and defense laboratory researcher Xu Chaofan for reporting these security issues to ZTE PSIRT.

Update Records
July 18, 2020, initial.

Supporting team contacts
1. ZTE GCSC hotline: 0755-26770800 800-830-1118 400-830-1118
2. Product forum at ZTE Support website.

ZTE PSIRT
If you need to report security vulnerabilities related to ZTE products, or get ZTE product security incident response service and vulnerability information, please contact ZTE PSIRT: psirt@zte.com.cn, PGP key ID: FF095577.