CVE-2014-9019

Multiple cross-site request forgery (CSRF) vulnerabilities in ZTE ZXDSL 831CII allow remote attackers to hijack the authentication of administrators for requests that (1) change the admin user name or (2) conduct cross-site scripting (XSS) attacks via the sysUserName parameter in a save action to adminpasswd.cgi or (3) change the admin user password via the sysPassword parameter in a save action to adminpasswd.cgi.

CVSS v2.0 6.8 MEDIUM

6.8^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:M/Au:N/C:P/I:P/A:P

Exploitability : 8.6 / Impact : 6.4

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
http://packetstormsecurity.com/files/129016/ZTE-831CII-Hardcoded-Credential-XSS-CSRF.html	Exploit
http://www.securityfocus.com/archive/1/533930/100/0/threaded
http://www.securityfocus.com/bid/70984
https://exchange.xforce.ibmcloud.com/vulnerabilities/98585

Configurations

Configuration 1 (hide)

cpe:2.3:h:zte:zxdsl:831cii:*:*:*:*:*:*:*

History

No history.

Information

Published : 2014-11-20 17:50

Updated : 2018-10-09 19:54

NVD link : CVE-2014-9019

Mitre link : CVE-2014-9019

CVE.ORG link : CVE-2014-9019

JSON object : View

Products Affected

zte

zxdsl

CWE

CWE-352

Cross-Site Request Forgery (CSRF)

{"id": "CVE-2014-9019", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 6.8, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}]}, "published": "2014-11-20T17:50:07.847", "references": [{"url": "http://packetstormsecurity.com/files/129016/ZTE-831CII-Hardcoded-Credential-XSS-CSRF.html", "tags": ["Exploit"], "source": "cve@mitre.org"}, {"url": "http://www.securityfocus.com/archive/1/533930/100/0/threaded", "source": "cve@mitre.org"}, {"url": "http://www.securityfocus.com/bid/70984", "source": "cve@mitre.org"}, {"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/98585", "source": "cve@mitre.org"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-352"}]}], "descriptions": [{"lang": "en", "value": "Multiple cross-site request forgery (CSRF) vulnerabilities in ZTE ZXDSL 831CII allow remote attackers to hijack the authentication of administrators for requests that (1) change the admin user name or (2) conduct cross-site scripting (XSS) attacks via the sysUserName parameter in a save action to adminpasswd.cgi or (3) change the admin user password via the sysPassword parameter in a save action to adminpasswd.cgi."}, {"lang": "es", "value": "M\u00faltiples vulnerabilidades de CSRF en ZTE ZXDSL 831CII permiten a atacantes remotos secuestrar la autenticaci\u00f3n de los administradores para solicitudes que (1) cambian el nombre del usuario administrador o (2) realizan ataques XSS a trav\u00e9s del par\u00e1metro sysUserName en una acci\u00f3n save (guardar) en adminpasswd.cgi o (3) cambian la contrase\u00f1a del usuario de administraci\u00f3n a trav\u00e9s del par\u00e1metro sysPassword en una acci\u00f3n save (guardar) en adminpasswd.cgi."}], "lastModified": "2018-10-09T19:54:53.277", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:zte:zxdsl:831cii:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F26FA0A8-6EE1-496B-AF64-66302B8A91A2"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}