Initial Release Date: December 25, 2022

Vulnerability ID
CVE ID: CVE-2022-39072
CNNVD ID: CNNVD-2022-38712796

CVSS 3.1 Base Score
5.9 Medium (AV:A/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L)

Description
There is a SQL injection vulnerability in some ZTE Mobile Internet products. Due to insufficient validation of the input parameters of the SNTP interface, an authenticated attacker could use the vulnerability to execute stored XSS attacks.

Affected Products and Fixes

| Product Name | Affected Version | Resolved Version |
|---|---|---|
| MF286R | Nordic_MF286R_B06 | Nordic_MF286R_B07 |
| MF289D | CR_TMOCZMF289DV1.0.0B07 | CR_TMOCZMF289DV1.0.1B04 |
Acknowledgement
ZTE thanks Andrea Maugeri for paying attention to our products and cooperating with us to disclose vulnerabilities.

Update Records
December 25, 2022, initial.

Version Update Method
A device that supports automatic update can receive a pop-up update message. You can upgrade the device accordingly. If no update message is received, contact your service provider to obtain the update information.

Global Customer Support Center
http://support.zte.com.cn/support/web/Contact.aspx?_langType=en

ZTE PSIRT
https://www.zte.com.cn/global/cybersecurity/ztepsirt.html