CVE-2020-6872

20.07.2020, 18:15

The server management software module of ZTE has a storage XSS vulnerability. The attacker inserts some attack codes through the foreground login page, which will cause the user to execute the predefined malicious script in the browser. This affects <R5300G4V03.08.0100/V03.07.0300/V03.07.0200/V03.07.0108/V03.07.0100/V03.05.0047/V03.05.0046/V03.05.0045/V03.05.0044/V03.05.0043/V03.05.0040/V03.04.0020;R8500G4V03.07.0103/V03.07.0101/V03.06.0100/V03.05.0400/V03.05.0020;R5500G4V03.08.0100/V03.07.0200/V03.07.0100/V03.06.0100>.

Cross-site Scripting

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	6.1 MEDIUM	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
zte	CNA	---				---
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 61%

Vendor	Product	Version
zte	r8500g4_firmware	03.05.0020
zte	r8500g4_firmware	03.05.0400
zte	r8500g4_firmware	03.06.0100
zte	r8500g4_firmware	03.07.0101
zte	r8500g4_firmware	03.07.0103
zte	r5500g4_firmware	03.06.0100
zte	r5500g4_firmware	03.07.0100
zte	r5500g4_firmware	03.07.0200
zte	r5500g4_firmware	03.08.0100
zte	r5300g4_firmware	03.04.0020
zte	r5300g4_firmware	03.05.0040
zte	r5300g4_firmware	03.05.0043
zte	r5300g4_firmware	03.05.0044
zte	r5300g4_firmware	03.05.0045
zte	r5300g4_firmware	03.05.0046
zte	r5300g4_firmware	03.05.0047
zte	r5300g4_firmware	03.07.0100
zte	r5300g4_firmware	03.07.0108
zte	r5300g4_firmware	03.07.0200
zte	r5300g4_firmware	03.07.0300
zte	r5300g4_firmware	03.08.0100

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References

http://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1013203