A Security Vulnerability in a ZTE Product

Initial release date: October 26, 2020

 

CVE ID

CVE-2020-6876

 

CVSS 3.1 Base Score

7.4 High (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L)

 

Description

A ZTE product is affected by a cross-site scripting (XSS) vulnerability. The web module does not correctly verify client-supplied data. A remote attacker could insert malicious scripts into the web module, which trigger an XSS attack when a user browses the affected web page. The attacker could then use the vulnerability to steal user cookies or destroy the page structure.

 

Affected Products and Fixes

| Product Name | Affected Version | Resolved Version |
|---|---|---|
| eVDC | ZXCLOUD-iROSV6.03.04 | ZXCLOUD-iROSV6.03.05 |

 

Source

The vulnerability was found by ZTE's internal testing.

 

Update Records

October 26, 2020: initial release.

 

Supporting team contacts

1. ZTE GCSC hotline:

0755-26770800

800-830-1118

400-830-1118

2. Product forum at ZTE Support website.

 

ZTE PSIRT

If you need to report security vulnerabilities related to ZTE products, or get ZTE product security incident response service and vulnerability information, please contact ZTE PSIRT: psirt@zte.com.cn, PGP key ID: FF095577.
