CVSS: 7.7 • EPSS: 0% • CPEs: 27 • EXPL: 0

16 Jun 2023 — There is a permission and access control vulnerability in some ZTE AndroidTV STBs. Due to improper permission settings, a non-privileged application can perform functions that are protected with signature/privilege-level permissions. Exploitation of this vulnerability could clear personal data and applications on the user's device, affecting device operation. • https://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1031464 • CWE-276: Incorrect Default Permissions

CVSS: 9.0 • EPSS: 0% • CPEs: 2 • EXPL: 0

07 Jun 2023 — There is a command injection vulnerability in a mobile internet product of ZTE. Due to insufficient validation of SET_DEVICE_LED interface parameter, an authenticated attacker could use the vulnerability to execute arbitrary commands. This vulnerab... • https://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1032544 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')

CVSS: 3.3 • EPSS: 0% • CPEs: 34 • EXPL: 0

30 May 2023 — There is an unauthorized access vulnerability in some ZTE mobile phones. If a malicious application is installed on the phone, it could start a non-public interface of an application without user permission. • https://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1030664

CVSS: 7.1 • EPSS: 0% • CPEs: 34 • EXPL: 0

30 May 2023 — There is an unauthorized access vulnerability in some ZTE mobile phones. If a malicious application is installed on the phone, it could overwrite some system configuration files and user installers without user permission. • https://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1030664

CVSS: 7.1 • EPSS: 0% • CPEs: 34 • EXPL: 0

30 May 2023 — There is an unauthorized access vulnerability in some ZTE mobile phones. If a malicious application is installed on the phone, it could delete some system files without user permission. • https://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1030664

CVSS: 6.7 • EPSS: 0% • CPEs: 31 • EXPL: 0

20 Apr 2023 — In the Linux kernel, if IMA appraisal is used with the "ima_appraise=log" boot param, lockdown can be defeated with kexec on any machine when Secure Boot is disabled or unavailable. IMA prevents setting "ima_appraise=log" from the boot param when Secure Boot is enabled, but this does not cover cases where lockdown is used without Secure Boot. CVSS 3.1 Base Score 6.7 (Confidentiality, Integrity, Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H). An authentication bypass flaw ... • https://git.kernel.org/linus/543ce63b664e2c2f9533d089a4664b559c3e6b5b • CWE-305: Authentication Bypass by Primary Weakness • CWE-346: Origin Validation Error

CVSS: 10.0 • EPSS: 12% • CPEs: 2 • EXPL: 1

06 Jan 2023 — There is a command injection vulnerability in ZTE MF286R. Due to insufficient validation of the input parameters, an attacker could use the vulnerability to execute arbitrary commands. • https://github.com/v0lp3/CVE-2022-39073 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')

CVSS: 5.5 • EPSS: 0% • CPEs: 4 • EXPL: 0

06 Jan 2023 — There is a SQL injection vulnerability in some ZTE Mobile Internet products. Due to insufficient validation of the input parameters of the SNTP interface, an authenticated attacker could use the vulnerability to execute stored XSS attacks. • https://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1028624 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 7.8 • EPSS: 5% • CPEs: 2 • EXPL: 1

12 Dec 2022 — ZTE ZXHN-H108NS router with firmware version H108NSV1.0.7u_ZRD_GR2_A68 is vulnerable to remote stack buffer overflow. • https://packetstormsecurity.com/files/169949/ZTE-ZXHN-H108NS-Stack-Buffer-Overflow-Denial-Of-Service.html • CWE-787: Out-of-bounds Write

CVSS: 7.7 • EPSS: 0% • CPEs: 2 • EXPL: 0

05 Dec 2022 — ZTE OTCP product is impacted by a permission and access control vulnerability. Due to improper permission settings, an attacker with high permissions could use this vulnerability to maliciously delete and modify files. • https://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1026164 • CWE-732: Incorrect Permission Assignment for Critical Resource