Vulnerability CVE-2018-7358


Published: 2018-11-14

Description:
ZTE ZXHN H168N product with versions V2.2.0_PK1.2T5, V2.2.0_PK1.2T2, V2.2.0_PK11T7 and V2.2.0_PK11T have an improper change control vulnerability, which may allow an unauthorized user to perform unauthorized operations.

See advisories in our WLB2 database:
Topic
Author
Date
Med.
ZTE Home Gateway ZXHN H168N 2.2 Access Control Bypass
Usman Saeed
11.12.2018
High
ZTE ZXHN H168N Improper Access Restrictions
Usman
21.12.2018

Type:

CWE-287

(Improper Authentication)

Vendor: ZTE
Product: Zxhn h168n firmware 
Version:
2.2.0_pk11t7
2.2.0_pk11t
2.2.0_pk1.2t5
2.2.0_pk1.2t2

CVSS2 => (AV:A/AC:L/Au:N/C:P/I:P/A:P)

CVSS Base Score
Impact Subscore
Exploitability Subscore
5.8/10
6.4/10
6.5/10
Exploit range
Attack complexity
Authentication
Adjacent network
Low
No required
Confidentiality impact
Integrity impact
Availability impact
Partial
Partial
Partial

 References:
http://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1009523
http://www.securityfocus.com/bid/105963
https://www.exploit-db.com/exploits/45972/

Related CVE
CVE-2019-3413
All versions up to V20.18.40.R7.B1of ZTE NetNumen DAP product have an XSS vulnerability. Due to the lack of correct validation of client data in WEB applications, which results in users being hijacked.
CVE-2018-7365
All versions up to ZXCLOUD iRAI V5.01.05 of the ZTE uSmartView product are impacted by untrusted search path vulnerability, which may allow an unauthorized user to perform unauthorized operations.
CVE-2018-7364
All versions up to ZXINOS-RESV1.01.43 of the ZTE ZXIN10 product European region are impacted by improper access control vulnerability. Due to improper access control to devcomm process, an unauthorized remote attacker can exploit this vulnerability t...
CVE-2018-7361
All versions up to V1.1.10P3T18 of ZTE ZXHN F670 product are impacted by null pointer dereference vulnerability, which may allows an attacker to cause a denial of service via appviahttp service.
CVE-2018-7359
All versions up to V1.1.10P3T18 of ZTE ZXHN F670 product are impacted by heap-based buffer overflow vulnerability, which may allow an attacker to execute arbitrary code.
CVE-2018-7357
ZTE ZXHN H168N product with versions V2.2.0_PK1.2T5, V2.2.0_PK1.2T2, V2.2.0_PK11T7 and V2.2.0_PK11T have an improper access control vulnerability, which may allow an unauthorized user to gain unauthorized access.
CVE-2018-7356
All versions up to V3.03.10.B23P2 of ZTE ZXR10 8905E product are impacted by TCP Initial Sequence Number (ISN) reuse vulnerability, which can generate easily predictable ISN, and allows remote attackers to spoof connections.
CVE-2018-7355
All versions up to V1.0.0B05 of ZTE MF65 and all versions up to V1.0.0B02 of ZTE MF65M1 are impacted by cross-site scripting vulnerability. Due to improper neutralization of input during web page generation, an attacker could exploit this vulnerabili...

Copyright 2019, cxsecurity.com

 

Back to Top