XSS Vulnerability in ZTE MF258 Products

Initial Release Date:  January 10, 2024

 

Vulnerability ID

CVE IDCVE-2023-41781         CNNVD IDCNNVD-2023-60442332

 

 

CVSS 3.1 Base Score 

5.7 Medium (AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L)

 

Description 

There is a Cross-site scripting (XSS) vulnerability in ZTE MF258. Due to insufficient input validation of SMS interface parameter, an XSS attack will be triggered.

 

Affected Products and Fixes

Product Name

Affected Version

Resolved Version

MF258

ZTE_STD_V1.0.0B08

ZTE_STD_V1.0.0B10

ZTE_STD_V1.0.0B11

 

Acknowledgement

ZTE thanks MateuszLach for paying attention to our products and cooperating with us to disclose vulnerability.

 

Update Records

January 10 2024, initial.

 

Version Update Method

A device that supports automatic update can receive a pop-up update message. You can upgrade the device accordingly. If no update message is received, contact your service provider to obtain the update information.

 

Global Customer Support Center

http://support.zte.com.cn/support/web/Contact.aspx?_langType=en

 

ZTE PSIRT

https://www.zte.com.cn/global/cybersecurity/ztepsirt.html

[Close]