Reflective XSS Vulnerability in ZTE ZXIPTV

Original release date: July 15, 2021

 

CVE ID

CVE-2021-217378

 

CVSS 3.1 Base Score

2.9 Low (AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)

 

Description

ZTE's big video business platform has two reflective cross-site scripting (XSS) vulnerabilities. Because input is insufficiently verified, an attacker could carry out XSS attacks by tampering with the parameters, affecting the operations of valid users.

 

Affected Products and Fixes

Product Name: ZXIPTV

Affected Version: ZXIPTV-EAS_PV5.06.04.09

Resolved Version: ZXIPTV-EAS-PV7.01.05.01

 

Source

The vulnerability was found during ZTE's internal testing.

 

Update Records

July 15, 2021: initial release.

 

Supporting team contacts

1. ZTE GCSC hotline: 0755-26770800, 800-830-1118, 400-830-1118

2. Product forum at ZTE Support website.

 

ZTE PSIRT

If you need to report security vulnerabilities related to ZTE products, or get ZTE product security incident response service and vulnerability information, please contact ZTE PSIRT: psirt@zte.com.cn, PGP key ID: FF095577.