CVE-2014-9021 – ZTE ZXDSL 831 Cross Site Scripting
https://notcve.org/view.php?id=CVE-2014-9021
Multiple cross-site scripting (XSS) vulnerabilities in ZTE ZXDSL 831 allow remote attackers to inject arbitrary web script or HTML via the (1) tr69cAcsURL, (2) tr69cAcsUser, (3) tr69cAcsPwd, (4) tr69cConnReqPwd, or (5) tr69cDebugEnable parameter to the TR-069 client page (tr69cfg.cgi); the (6) timezone parameter to the Time and date page (sntpcfg.sntp); or the (7) hostname parameter in a save action to the Quick Stats page (psilan.cgi). NOTE: this issue was SPLIT from CVE-2014-9020 per ADT1 due to different affected products and codebases.

ZTE ZXDSL 831 suffers from multiple cross-site scripting vulnerabilities.

• http://packetstormsecurity.com/files/129017/ZTE-ZXDSL-831-Cross-Site-Scripting.html
• http://www.securityfocus.com/archive/1/533931/100/0/threaded
• http://www.securityfocus.com/bid/70985
• https://exchange.xforce.ibmcloud.com/vulnerabilities/98565

• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')