CSRF Vulnerability in a ZTE Product

Initial release date: April 9, 2021

 

CVE ID

CVE-2021-21731

 

CVSS 3.1 Base Score

6.4 Medium (AV:A/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H)

 

Description

A CSRF vulnerability exists in the management page of a ZTE product. The vulnerability arises because the management page does not fully verify whether a request comes from a trusted user. An attacker could submit a malicious request to the affected device to delete data.

 

Affected Products and Fixes

| Product Name | Affected Version | Resolved Version |
|---|---|---|
| ZXCLOUD iRAI | All versions up to KVM-ProductV6.03.04 | KVM-ProductV6.03.04P1 |

 

Source

The vulnerability was found through ZTE's internal testing.

 

Update Records

April 9, 2021: initial release.

 

Supporting team contacts

1. ZTE GCSC hotline:

0755-26770800

800-830-1118

400-830-1118

2. Product forum at ZTE Support website.

 

ZTE PSIRT

If you need to report security vulnerabilities related to ZTE products, or to obtain ZTE product security incident response services and vulnerability information, please contact ZTE PSIRT: psirt@zte.com.cn, PGP key ID: FF095577.