SQL Injection Vulnerability in ZTE MF286R

Initial Release Date: November 21, 2022

 

Vulnerability ID

CVE ID: CVE-2022-39066
CNNVD ID: CNNVD-2022-74781288

 

CVSS 3.1 Base Score 

4.3 Medium
AV:A/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L

 

Description 

There is a SQL injection vulnerability in ZTE MF286R. Due to insufficient validation of the input parameters of the phonebook interface, an authenticated attacker could exploit the vulnerability to carry out arbitrary SQL injection.

 

Affected Products and Fixes

Product Name    Affected Version     Resolved Version
MF286R          Nordic_MF286R_B06    Nordic_MF286R_B07

 

Acknowledgement

ZTE thanks Andrea Maugeri for paying attention to our products and cooperating with us to disclose vulnerabilities.

 

Update Records

November 21, 2022, initial.

 

Version Update Method

A device that supports automatic update can receive a pop-up update message. You can upgrade the device accordingly. If no update message is received, contact your service provider to obtain the update information.

 

Global Customer Support Center

http://support.zte.com.cn/support/web/Contact.aspx?_langType=en

 

ZTE PSIRT

https://www.zte.com.cn/global/cybersecurity/ztepsirt.html