Two Vulnerabilities in ZTE MF920 Product

Original release date:  30 May 2019 

 

CVE ID

CVE-2019-3411

CVE-2019-3412

 

CVSS 3.0 Base Score

CVE-2019-3411 8.1 High(AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVE-2019-3412 9.8 Critical(AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

 

Description

CVE-2019-3411

All versions up to BD_R218V2.4 of ZTE MF920 product are impacted by information leak vulnerability. Due to some interfaces can obtain the WebUI login password without login, an attacker can exploit the vulnerability to obtain sensitive information about the affected components.

 CVE-2019-3412

All versions up to BD_R218V2.4 of ZTE MF920 product are impacted by command execution vulnerability.Due to some interfaces do not adequately verify parameters, an attacker can execute arbitrary commands through specific interfaces.

 

Affected Products and Fixes

Product Name

Affected Version

Resolved Version

ZTE MF920

All versions up to BD_R218V2.4

BD_R218V3.0

 

Credit

ZTE thanks Takeshi Shiomitsu for submitting 2 vulnerabilities of ZTE MF920 to ZTE PSIRT.

 

Update Records

30 May 2019, initial.

 

Supporting team contacts

1.  ZTE GCSC hotline:

0755-26770800

800-830-1118

400-830-1118

2.  Product forum at ZTE Support website.

 

ZTE PSIRT

If you need to feedback or report security vulnerabilities related to ZTE products, or get ZTE product security incident response service and vulnerability information, please contact ZTE PSIRT: psirt@zte.com.cn, PGP key ID: FF095577.

[Close]