A Security Vulnerability in Some ZTE Products

Original release date:  November 13, 2020

 

CVE ID

CVE-2020-6879


CVSS 3.1 Base Score

3.5 Low (AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N)

 
Description

Some ZTE devices have input verification vulnerabilities. The devices support configuring a static prefix through the web management page. The restrictions enforced by the front-end code can be bypassed by constructing a POST request and sending it to the interface that creates a static routing rule. The web service back end fails to effectively verify the abnormal input. As a result, an attacker can use the vulnerability to tamper with parameter values.
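The class of fix described above is to repeat every front-end check on the server. The following sketch is an added example, not ZTE's code: it assumes the static prefix is an IPv6 prefix, and the field names (prefix, next_hop, metric) and the limits are hypothetical because the advisory does not publish the real interface.

```python
import ipaddress

# Hypothetical field names and limits: the advisory does not publish the real interface.
ALLOWED_FIELDS = {"prefix", "next_hop", "metric"}
MAX_METRIC = 255

def validate_static_route(form):
    """Re-check a decoded POST body on the server; raise ValueError on abnormal input."""
    if set(form) != ALLOWED_FIELDS:
        raise ValueError("unexpected or missing fields")
    if not all(isinstance(v, str) and len(v) <= 64 for v in form.values()):
        raise ValueError("every field must be a short string")
    # Zone IDs ("fe80::1%eth0") are free-form text, so refuse them outright.
    if "/" not in form["prefix"] or "%" in form["prefix"] + form["next_hop"]:
        raise ValueError("prefix needs an explicit length; zone IDs are not accepted")
    try:
        # strict=True rejects a prefix with host bits set, e.g. 2001:db8::1/32.
        prefix = ipaddress.IPv6Network(form["prefix"], strict=True)
        next_hop = ipaddress.IPv6Address(form["next_hop"])
    except ValueError as exc:
        raise ValueError(f"malformed address: {exc}") from None
    for addr in (prefix.network_address, next_hop):
        if addr.is_multicast or addr.is_unspecified or addr.is_loopback:
            raise ValueError(f"{addr} is not usable in a static route")
    metric = form["metric"]
    # isascii() keeps out Unicode digits that isdigit() alone would accept.
    if not (metric.isascii() and metric.isdigit() and int(metric) <= MAX_METRIC):
        raise ValueError("metric must be an integer from 0 to 255")
    # Store the canonical form, never the raw request text.
    return {"prefix": str(prefix), "next_hop": str(next_hop), "metric": int(metric)}

if __name__ == "__main__":
    # Constructed request bodies: one the web form would send, one hand-built.
    samples = [
        {"prefix": "2001:DB8::/32", "next_hop": "fe80::1", "metric": "10"},
        {"prefix": "2001:db8::1/32", "next_hop": "fe80::1", "metric": "-1"},
    ]
    for body in samples:
        try:
            print("accepted", validate_static_route(body))
        except ValueError as err:
            print("rejected", err)
```

The validator returns normalized values so that later code stores and acts on the parsed form instead of the request text.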

 
Affected Products and Fixes

Product Name    Affected Version    Resolved Version
ZXHN Z500       V1.0.0.2B1.1000     V1.0.1.1B1.1000
ZXHN F670L      V1.1.10P1N2E        V1.1.10P2N2

 
Source

The vulnerability was found by ZTE's internal test.

 
Update Records

November 13, 2020, initial. 

 
Supporting team contacts

1.  ZTE GCSC hotline:

0755-26770800

800-830-1118

400-830-1118

2.  Product forum at ZTE Support website. 

 
ZTE PSIRT

If you need to report security vulnerabilities related to ZTE products, or get ZTE product security incident response service and vulnerability information, please contact ZTE PSIRT: psirt@zte.com.cn, PGP key ID: FF095577.
