CVE-2020-6879 — LOW (3.5) — White Hats Nepal

Vulnerability Description

Some ZTE devices have input verification vulnerabilities. The devices support configuring a static prefix through the web management page. The restriction of the front-end code can be bypassed by constructing a POST request message and sending the request to the creation of a static routing rule configuration interface. The WEB service backend fails to effectively verify the abnormal input. As a result, the attacker can successfully use the vulnerability to tamper parameter values. This affects: ZXHN Z500 V1.0.0.2B1.1000 and ZXHN F670L V1.1.10P1N2E. This is fixed in ZXHN Z500 V1.0.1.1B1.1000 and ZXHN F670L V1.1.10P2N2.

CVSS Score

3.5

LOW

CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Attack Vector

ADJACENT_NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

LOW

Availability

NONE

Affected Products

Vendor	Product	Versions
Zte	Zxhn Z500 Firmware	v1.0.0.2b1.1000
Zte	Zxhn Z500	-
Zte	Zxhn F670L Firmware	v1.1.10p1n2e
Zte	Zxhn F670L	-

Related Weaknesses (CWE)

CWE-20

References

http://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1013922Vendor Advisory
http://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1013922Vendor Advisory

FAQ

What is CVE-2020-6879?

CVE-2020-6879 is a vulnerability with a CVSS score of 3.5 (LOW). Some ZTE devices have input verification vulnerabilities. The devices support configuring a static prefix through the web management page. The restriction of the front-end code can be bypassed by cons...

How severe is CVE-2020-6879?

CVE-2020-6879 has been rated LOW with a CVSS base score of 3.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2020-6879?

Check the references section above for vendor advisories and patch information. Affected products include: Zte Zxhn Z500 Firmware, Zte Zxhn Z500, Zte Zxhn F670L Firmware, Zte Zxhn F670L.