Initial Release Date: August 29, 2023

Vulnerability ID
CVE ID: CVE-2023-25651
CNNVD ID: CNNVD-2023-76543729

CVSS 3.1 Base Score
4.3 Medium (AV:A/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L)

Description
There is a SQL injection vulnerability in some ZTE mobile internet products. Due to insufficient input validation of the SMS interface parameter, an authenticated attacker could use the vulnerability to perform SQL injection and cause an information leak.

Affected Products and Fixes
Product Name | Affected Version | Resolved Version |
MF833U1 | BD_MF833U1V1.0.0B01 | BD_MF833U1V1.0.0B02 |
MF286R | CR_LVWRGBMF286RV1.0.0B04 | CR_LVWRGBMF286RV1.0.1B01 |

Acknowledgement
ZTE thanks Adam Hiscocks of WithSecure for paying attention to our products and cooperating with us to disclose the vulnerability.

Update Records
August 29, 2023, initial.

Version Update Method
A device that supports automatic update can receive a pop-up update message. You can upgrade the device accordingly. If no update message is received, contact your service provider to obtain the update information.

Global Customer Support Center
http://support.zte.com.cn/support/web/Contact.aspx?_langType=en

ZTE PSIRT
https://www.zte.com.cn/global/cybersecurity/ztepsirt.html