CVE-2022-39072 — MEDIUM (5.4)

Vulnerability Description

There is a SQL injection vulnerability in Some ZTE Mobile Internet products. Due to insufficient validation of the input parameters of the SNTP interface, an authenticated attacker could use the vulnerability to execute stored XSS attacks.

CVSS Score

5.4

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality

LOW

Integrity

LOW

Availability

NONE

Affected Products

Vendor	Product	Versions
Zte	Mf286R Firmware	nordic_mf286r_b06
Zte	Mf286R	-
Zte	Mf289D Firmware	cr_tmoczmf289dv1.0.0b07
Zte	Mf289D	-

Related Weaknesses (CWE)

CWE-89

References

https://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1028624Vendor Advisory
https://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1028624Vendor Advisory

FAQ

What is CVE-2022-39072?

CVE-2022-39072 is a vulnerability with a CVSS score of 5.4 (MEDIUM). There is a SQL injection vulnerability in Some ZTE Mobile Internet products. Due to insufficient validation of the input parameters of the SNTP interface, an authenticated attacker could use the vulne...

How severe is CVE-2022-39072?

CVE-2022-39072 has been rated MEDIUM with a CVSS base score of 5.4/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2022-39072?

Check the references section above for vendor advisories and patch information. Affected products include: Zte Mf286R Firmware, Zte Mf286R, Zte Mf289D Firmware, Zte Mf289D.