Two Vulnerabilities in ZXUPN-9000E

Initial release date: 31 October, 2019

 

CVE ID

CVE-2019-3425

CVE-2019-3426

 

CVSS 3.0 Base Score

CVE-2019-3425: 6.3 Medium (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L)

CVE-2019-3426: 5.9 Medium (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N)

 

Description

CVE-2019-3425: Version 9000EV5.0R1B12 and all earlier versions of the ZTE product ZXUPN-9000E are affected by a permission and access control vulnerability. An attacker could exploit this vulnerability to directly reset or change the passwords of other accounts.

CVE-2019-3426: Version 9000EV5.0R1B12 and all earlier versions of the ZTE product ZXUPN-9000E are affected by an input validation vulnerability. An attacker could exploit this vulnerability to perform unauthorized operations.

 

Affected Products and Fixes

Product Name    Affected Versions                    Fixed Version

ZXUPN-9000E     All versions up to 9000EV5.0R1B12    9000EV5.0R3B1

 

Source

The vulnerabilities were found by ZTE internal testing.

 

Update Records

Initial release, 31 October, 2019

 

Contact Our Supporting Team

1.  ZTE GCSC hotline: 0755-26770800, 800-830-1118, 400-830-1118

2.  Product Forum on ZTE Support website.

 

ZTE PSIRT

If you need to report security vulnerabilities related to ZTE products, or to obtain ZTE product security incident response services and vulnerability information, please contact ZTE PSIRT: psirt@zte.com.cn. PGP key ID: FF095577.