Vulnerability Description
ZTE ZXV10 W300 router with firmware W300V1.0.0a_ZRD_LK stores sensitive information under the web root with insufficient access control, which allows remote attackers to obtain the PPPoE/PPPoA password via a direct request for basic/tc2wanfun.js.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Zte | Zxv10 W300 Firmware | 1.0.0a_zrd_lk |
| Zte | Zxv10 W300 | - |
Related Weaknesses (CWE)
References
- http://packetstormsecurity.com/files/127129/ZTE-WXV10-W300-Disclosure-CSRF-DefauExploit
- http://www.exploit-db.com/exploits/33803Exploit
- https://osandamalith.wordpress.com/2014/06/15/zte-wxv10-w300-multiple-vulnerabilExploit
- http://packetstormsecurity.com/files/127129/ZTE-WXV10-W300-Disclosure-CSRF-DefauExploit
- http://www.exploit-db.com/exploits/33803Exploit
- https://osandamalith.wordpress.com/2014/06/15/zte-wxv10-w300-multiple-vulnerabilExploit
FAQ
What is CVE-2014-4154?
CVE-2014-4154 is a vulnerability with a CVSS score of 5.0 (MEDIUM). ZTE ZXV10 W300 router with firmware W300V1.0.0a_ZRD_LK stores sensitive information under the web root with insufficient access control, which allows remote attackers to obtain the PPPoE/PPPoA passwor...
How severe is CVE-2014-4154?
CVE-2014-4154 has been rated MEDIUM with a CVSS base score of 5.0/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2014-4154?
Check the references section above for vendor advisories and patch information. Affected products include: Zte Zxv10 W300 Firmware, Zte Zxv10 W300.