CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 1CVE-2014-9019 – ZTE 831CII Hardcoded Credential / XSS / CSRF
https://notcve.org/view.php?id=CVE-2014-9019
Multiple cross-site request forgery (CSRF) vulnerabilities in ZTE ZXDSL 831CII allow remote attackers to hijack the authentication of administrators for requests that (1) change the admin user name or (2) conduct cross-site scripting (XSS) attacks via the sysUserName parameter in a save action to adminpasswd.cgi or (3) change the admin user password via the sysPassword parameter in a save action to adminpasswd.cgi. Múltiples vulnerabilidades de CSRF en ZTE ZXDSL 831CII permiten a atacantes remotos secuestrar la autenticación de los administradores para solicitudes que (1) cambian el nombre del usuario administrador o (2) realizan ataques XSS a través del parámetro sysUserName en una acción save (guardar) en adminpasswd.cgi o (3) cambian la contraseña del usuario de administración a través del parámetro sysPassword en una acción save (guardar) en adminpasswd.cgi. ZTE 831CII suffers from cross site request forgery, hardcoded administrative credential, and cross site scripting vulnerabilities. • http://packetstormsecurity.com/files/129016/ZTE-831CII-Hardcoded-Credential-XSS-CSRF.html http://www.securityfocus.com/archive/1/533930/100/0/threaded http://www.securityfocus.com/bid/70984 https://exchange.xforce.ibmcloud.com/vulnerabilities/98585 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 4.3EPSS: 0%CPEs: 2EXPL: 2CVE-2014-9020 – ZTE ZXDSL 831 Cross Site Scripting
https://notcve.org/view.php?id=CVE-2014-9020
Cross-site scripting (XSS) vulnerability in the Quick Stats page (psilan.cgi) in ZTE ZXDSL 831 and 831CII allows remote attackers to inject arbitrary web script or HTML via the domainname parameter in a save action. NOTE: this issue was SPLIT from CVE-2014-9021 per ADT1 due to different affected products and codebases. Una vulnerabilidad de XSS en la página Quick Stats (psilan.cgi) en ZTE ZXDSL 831 y 831CII permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través del parámetro domainname en una acción save (guardar). NOTA: este problema fue separado (SPLIT) de CVE-2014-9021 por ADT1 debido a los diferentes productos y bases de código afectados. ZTE 831CII suffers from cross site request forgery, hardcoded administrative credential, and cross site scripting vulnerabilities. • http://packetstormsecurity.com/files/129016/ZTE-831CII-Hardcoded-Credential-XSS-CSRF.html http://packetstormsecurity.com/files/129017/ZTE-ZXDSL-831-Cross-Site-Scripting.html http://www.securityfocus.com/archive/1/533930/100/0/threaded http://www.securityfocus.com/archive/1/533931/100/0/threaded http://www.securityfocus.com/bid/70984 http://www.securityfocus.com/bid/70985 https://exchange.xforce.ibmcloud.com/vulnerabilities/98584 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.0EPSS: 0%CPEs: 1EXPL: 1CVE-2014-9184 – ZTE ZXDSL 831CII Insecure Direct Object Reference
https://notcve.org/view.php?id=CVE-2014-9184
ZTE ZXDSL 831CII allows remote attackers to bypass authentication via a direct request to (1) main.cgi, (2) adminpasswd.cgi, (3) userpasswd.cgi, (4) upload.cgi, (5) conprocess.cgi, or (6) connect.cgi. ZTE ZXDSL 831CII permite a atacantes remotos evadir la autenticación a través de una solicitud directa a (1) main.cgi, (2) adminpasswd.cgi, (3) userpasswd.cgi, (4) upload.cgi, (5) conprocess.cgi, o (6) connect.cgi. ZTE ZXDSL 831CII suffers from an insecure direct object reference vulnerability that allows for authentication bypass. • http://packetstormsecurity.com/files/129015/ZTE-ZXDSL-831CII-Insecure-Direct-Object-Reference.html • CWE-287: Improper Authentication •
CVSS: 6.8EPSS: 0%CPEs: 2EXPL: 4CVE-2014-4155 – ZTE WXV10 W300 - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2014-4155
Cross-site request forgery (CSRF) vulnerability in the ZTE ZXV10 W300 router with firmware W300V1.0.0a_ZRD_LK allows remote attackers to hijack the authentication of administrators for requests that change the admin password via a request to Forms/tools_admin_1. Vulnerabilidad de CSRF en el router ZTE ZXV10 W300 con firmware W300V1.0.0a_ZRD_LK permite a atacantes remotos secuestrar la autenticación de administradores para solicitudes que cambian la contraseña de administración a través de una solicitud hacia Forms/tools_admin_1. ZTE WXV10 W300 suffers from suffers from backup disclosure, cross site request forgery, denial of service, and file disclosure vulnerabilities. • https://www.exploit-db.com/exploits/33803 http://packetstormsecurity.com/files/127129/ZTE-WXV10-W300-Disclosure-CSRF-Default.html http://www.exploit-db.com/exploits/33803 https://osandamalith.wordpress.com/2014/06/15/zte-wxv10-w300-multiple-vulnerabilities • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 7.8EPSS: 0%CPEs: 2EXPL: 4CVE-2014-4018 – ZTE WXV10 W300 - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2014-4018
The ZTE ZXV10 W300 router with firmware W300V1.0.0a_ZRD_LK has a default password of admin for the admin account, which makes it easier for remote attackers to obtain access via unspecified vectors. El router ZTE ZXV10 W300 con firmware W300V1.0.0a_ZRD_LK tiene una contraseña de administración por defecto para la cuenta de administración, lo que facilita a atacantes remotos obtener acceso a través de vectores no especificados. ZTE WXV10 W300 suffers from suffers from backup disclosure, cross site request forgery, denial of service, and file disclosure vulnerabilities. • https://www.exploit-db.com/exploits/33803 http://packetstormsecurity.com/files/127129/ZTE-WXV10-W300-Disclosure-CSRF-Default.html http://www.exploit-db.com/exploits/33803 https://osandamalith.wordpress.com/2014/06/15/zte-wxv10-w300-multiple-vulnerabilities • CWE-255: Credentials Management Errors •