Vulnerability CVE-2018-7358


Published: 2018-11-14

Description:
ZTE ZXHN H168N product with versions V2.2.0_PK1.2T5, V2.2.0_PK1.2T2, V2.2.0_PK11T7 and V2.2.0_PK11T have an improper change control vulnerability, which may allow an unauthorized user to perform unauthorized operations.

See advisories in our WLB2 database:
Topic
Author
Date
Med.
ZTE Home Gateway ZXHN H168N 2.2 Access Control Bypass
Usman Saeed
11.12.2018
High
ZTE ZXHN H168N Improper Access Restrictions
Usman
21.12.2018

Type:

CWE-287

(Improper Authentication)

Vendor: ZTE
Product: Zxhn h168n firmware 
Version:
2.2.0_pk11t7
2.2.0_pk11t
2.2.0_pk1.2t5
2.2.0_pk1.2t2

CVSS2 => (AV:A/AC:L/Au:N/C:P/I:P/A:P)

CVSS Base Score
Impact Subscore
Exploitability Subscore
5.8/10
6.4/10
6.5/10
Exploit range
Attack complexity
Authentication
Adjacent network
Low
No required
Confidentiality impact
Integrity impact
Availability impact
Partial
Partial
Partial

 References:
http://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1009523
http://www.securityfocus.com/bid/105963
https://www.exploit-db.com/exploits/45972/

Related CVE
CVE-2019-3414
All versions up to V1.19.20.02 of ZTE OTCP product are impacted by XSS vulnerability. Due to XSS, when an attacker invokes the security management to obtain the resources of the specified operation code owned by a user, the malicious script code coul...
CVE-2019-3415
ZTE MW NR8000V2.4.4.03 and NR8000V2.4.4.04 are impacted by path traversal vulnerability. Due to path traversal,users can download any files.
CVE-2019-3413
All versions up to V20.18.40.R7.B1of ZTE NetNumen DAP product have an XSS vulnerability. Due to the lack of correct validation of client data in WEB applications, which results in users being hijacked.
CVE-2018-7365
All versions up to ZXCLOUD iRAI V5.01.05 of the ZTE uSmartView product are impacted by untrusted search path vulnerability, which may allow an unauthorized user to perform unauthorized operations.
CVE-2018-7364
All versions up to ZXINOS-RESV1.01.43 of the ZTE ZXIN10 product European region are impacted by improper access control vulnerability. Due to improper access control to devcomm process, an unauthorized remote attacker can exploit this vulnerability t...
CVE-2018-7361
All versions up to V1.1.10P3T18 of ZTE ZXHN F670 product are impacted by null pointer dereference vulnerability, which may allows an attacker to cause a denial of service via appviahttp service.
CVE-2018-7359
All versions up to V1.1.10P3T18 of ZTE ZXHN F670 product are impacted by heap-based buffer overflow vulnerability, which may allow an attacker to execute arbitrary code.
CVE-2018-7357
ZTE ZXHN H168N product with versions V2.2.0_PK1.2T5, V2.2.0_PK1.2T2, V2.2.0_PK11T7 and V2.2.0_PK11T have an improper access control vulnerability, which may allow an unauthorized user to gain unauthorized access.

Copyright 2019, cxsecurity.com

 

Back to Top