CVE-2023-25651 — MEDIUM (4.3)

Vulnerability Description

There is a SQL injection vulnerability in some ZTE mobile internet products. Due to insufficient input validation of SMS interface parameter, an authenticated attacker could use the vulnerability to execute SQL injection and cause information leak.

CVSS Score

4.3

MEDIUM

CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L

Attack Vector

ADJACENT_NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

LOW

Integrity

LOW

Availability

LOW

Affected Products

Vendor	Product	Versions
Zte	Mf833U1 Firmware	bd_mf833u1v1.0.0b01
Zte	Mf833U1	-
Zte	Mf286R Firmware	cr_lvwrgbmf286rv1.0.0b04
Zte	Mf286R	-

Related Weaknesses (CWE)

CWE-20 CWE-89

References

https://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1032684Vendor Advisory
https://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1032684Vendor Advisory

FAQ

What is CVE-2023-25651?

CVE-2023-25651 is a vulnerability with a CVSS score of 4.3 (MEDIUM). There is a SQL injection vulnerability in some ZTE mobile internet products. Due to insufficient input validation of SMS interface parameter, an authenticated attacker could use the vulnerability to ...

How severe is CVE-2023-25651?

CVE-2023-25651 has been rated MEDIUM with a CVSS base score of 4.3/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2023-25651?

Check the references section above for vendor advisories and patch information. Affected products include: Zte Mf833U1 Firmware, Zte Mf833U1, Zte Mf286R Firmware, Zte Mf286R.