Two Vulnerabilities in a ZTE BigVideo Analysis Product

Original release date: December 27, 2021

 

CVE ID

CVE-2021-21750

CVE-2021-21751

 

CVSS 3.1 Base Score

CVE-2021-21750: 7.8 High (AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H)

CVE-2021-21751: 6.5 Medium (AV:A/AC:L/PR:H/UI:R/S:C/C:N/I:L/A:H)

 

Description 

CVE-2021-21750: The ZTE BigVideo Analysis product has a privilege escalation vulnerability. Due to improper management of the timed task modification privilege, an attacker with ordinary user permissions could exploit this vulnerability to gain unauthorized access.

CVE-2021-21751: The ZTE BigVideo Analysis product has an input validation vulnerability. Because the front-end and back-end validation are inconsistent when configuring the large screen page, an attacker with high privileges could exploit this vulnerability to tamper with the URL and cause a service exception.

 

Affected Products and Fixes

Product Name: ZXIN10 CMS

Affected Version: All versions up to ZXOMS-BIGDATA-IOPSWEBV3.01.01.04

Resolved Version: ZXOMS-BIGDATA-IOPSWEBV8.01.01.01

Source

The vulnerability was found through ZTE's internal testing.

 

Update Records

December 27, 2021: initial release

 

Version Update Method

Please contact ZTE Global Customer Support Center to obtain the upgraded version.

 

Global Customer Support Center

https://support.zte.com.cn/support/web/Contact.aspx?_langType=en

 

ZTE PSIRT

https://www.zte.com.cn/global/cybersecurity/ztepsirt.html