XSS Vulnerability in ZTE ZXCDN

Original release date:  May 10, 2022

 

CVE ID

CVE-2022-23137

 

CVSS 3.1 Base Score 

5.7 Medium (AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N)

 

Description 

ZTE's ZXCDN product has a reflected XSS vulnerability. An attacker could modify the parameters in the content clearing request URL, and when a user clicks the URL, an XSS attack will be triggered.

 

Affected Products and Fixes

Product Name | Affected Version | Resolved Version
ZXCDN | ZXCDN-IAMV8.01.01.02 | ZXCDN-IAMV8.01.01.02 SP1

 

Source

The vulnerability was found through ZTE's internal testing.

 

Update Records

May 10, 2022, initial.

June 27, 2022, updated affected version.

 

Version Update Method

Please contact ZTE Global Customer Support Center to obtain the upgraded version.

 

Global Customer Support Center

http://support.zte.com.cn/support/web/Contact.aspx?_langType=en

 

ZTE PSIRT

https://www.zte.com.cn/global/cybersecurity/ztepsirt.html