CVE-2020-6879
Severity CVSS v4.0: Pending analysis
Type: CWE-20 Input Validation
Publication date: 19/11/2020
Last modified: 02/12/2020
Description
Some ZTE devices have input verification vulnerabilities. The devices support configuring a static prefix through the web management page. The restrictions enforced by the front-end code can be bypassed by constructing a POST request and sending it to the configuration interface that creates static routing rules. The web service backend fails to effectively verify the abnormal input, so an attacker can use the vulnerability to tamper with parameter values. This affects: ZXHN Z500 V1.0.0.2B1.1000 and ZXHN F670L V1.1.10P1N2E. This is fixed in ZXHN Z500 V1.0.1.1B1.1000 and ZXHN F670L V1.1.10P2N2.
Impact
Base Score 3.x: 3.50
Severity 3.x: LOW
Base Score 2.0: 2.70
Severity 2.0: LOW
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:zte:zxhn_z500_firmware:v1.0.0.2b1.1000:*:*:*:*:*:*:* | | |
| cpe:2.3:h:zte:zxhn_z500:-:*:*:*:*:*:*:* | | |
| cpe:2.3:o:zte:zxhn_f670l_firmware:v1.1.10p1n2e:*:*:*:*:*:*:* | | |
| cpe:2.3:h:zte:zxhn_f670l:-:*:*:*:*:*:*:* | | |



