CVSS: 8.0 • EPSS: 0% • CPEs: 4 • EXPL: 0

There is a SQL injection vulnerability in some ZTE mobile internet products. Due to insufficient input validation of the SMS interface parameter, an authenticated attacker could use the vulnerability to execute SQL injection and cause an information leak. • https://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1032684 • CWE-20: Improper Input Validation • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 6.5 • EPSS: 0% • CPEs: 2 • EXPL: 0

There is an arbitrary file download vulnerability in ZXCLOUD iRAI. Since the backend does not escape special strings or restrict paths, an attacker with user permission could access the download interface by modifying the request parameter, causing arbitrary file downloads. • https://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1032904 • CWE-20: Improper Input Validation

CVSS: 7.8 • EPSS: 0% • CPEs: 2 • EXPL: 0

There is a weak folder permission vulnerability in ZTE's ZXCLOUD iRAI product. Due to weak folder permission, an attacker with ordinary user privileges could construct a fake DLL to execute a command to escalate local privileges. • https://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1032584 • CWE-732: Incorrect Permission Assignment for Critical Resource

CVSS: 4.7 • EPSS: 0% • CPEs: 8 • EXPL: 0

There is a permission and access control vulnerability in some ZTE mobile phones. Due to improper access control, applications on the mobile phone could monitor the touch event. • https://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1032264 • CWE-269: Improper Privilege Management • CWE-863: Incorrect Authorization

CVSS: 7.7 • EPSS: 0% • CPEs: 27 • EXPL: 0

There is a permission and access control vulnerability in some ZTE AndroidTV STBs. Due to improper permission settings, a non-privileged application can perform functions that are protected with signature/privilege-level permissions. Exploitation of this vulnerability could clear personal data and applications on the user's device, affecting device operation. • https://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1031464 • CWE-276: Incorrect Default Permissions