6 results (0.021 seconds)

CVSS: 7.5EPSS: 3%CPEs: 2EXPL: 2

connoppp.cgi on ZTE ZXDSL 831CII devices does not require HTTP Basic Authentication, which allows remote attackers to modify the PPPoE configuration or set up a malicious configuration via a GET request. connoppp.cgi en dispositivos ZTE ZXDSL 831CII no requiere autenticación básica HTTP, lo que permite que los atacantes remotos modifiquen la configuración PPPoE o realicen una configuración maliciosa mediante una petición GET. ZTE ZXDSL 831 suffers from an insecure direct object reference vulnerability. • https://www.exploit-db.com/exploits/43188 http://packetstormsecurity.com/files/145121/ZTE-ZXDSL-831-Unauthorized-Configuration-Access-Bypass.html http://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1008762 • CWE-287: Improper Authentication •

CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0

ZTE ZXDSL 831CII has a default password of admin for the admin account, which allows remote attackers to gain administrator privileges. ZTE ZXDSL 831CII tiene una contraseña de administración por defecto para la cuenta de administración, lo que permite a atacantes remotos ganar privilegios de administrador. ZTE 831CII suffers from cross site request forgery, hardcoded administrative credential, and cross site scripting vulnerabilities. • http://packetstormsecurity.com/files/129016/ZTE-831CII-Hardcoded-Credential-XSS-CSRF.html • CWE-255: Credentials Management Errors •

CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 1

Multiple cross-site request forgery (CSRF) vulnerabilities in ZTE ZXDSL 831CII allow remote attackers to hijack the authentication of administrators for requests that (1) change the admin user name or (2) conduct cross-site scripting (XSS) attacks via the sysUserName parameter in a save action to adminpasswd.cgi or (3) change the admin user password via the sysPassword parameter in a save action to adminpasswd.cgi. Múltiples vulnerabilidades de CSRF en ZTE ZXDSL 831CII permiten a atacantes remotos secuestrar la autenticación de los administradores para solicitudes que (1) cambian el nombre del usuario administrador o (2) realizan ataques XSS a través del parámetro sysUserName en una acción save (guardar) en adminpasswd.cgi o (3) cambian la contraseña del usuario de administración a través del parámetro sysPassword en una acción save (guardar) en adminpasswd.cgi. ZTE 831CII suffers from cross site request forgery, hardcoded administrative credential, and cross site scripting vulnerabilities. • http://packetstormsecurity.com/files/129016/ZTE-831CII-Hardcoded-Credential-XSS-CSRF.html http://www.securityfocus.com/archive/1/533930/100/0/threaded http://www.securityfocus.com/bid/70984 https://exchange.xforce.ibmcloud.com/vulnerabilities/98585 • CWE-352: Cross-Site Request Forgery (CSRF) •

CVSS: 4.3EPSS: 0%CPEs: 2EXPL: 2

Cross-site scripting (XSS) vulnerability in the Quick Stats page (psilan.cgi) in ZTE ZXDSL 831 and 831CII allows remote attackers to inject arbitrary web script or HTML via the domainname parameter in a save action. NOTE: this issue was SPLIT from CVE-2014-9021 per ADT1 due to different affected products and codebases. Una vulnerabilidad de XSS en la página Quick Stats (psilan.cgi) en ZTE ZXDSL 831 y 831CII permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través del parámetro domainname en una acción save (guardar). NOTA: este problema fue separado (SPLIT) de CVE-2014-9021 por ADT1 debido a los diferentes productos y bases de código afectados. ZTE 831CII suffers from cross site request forgery, hardcoded administrative credential, and cross site scripting vulnerabilities. • http://packetstormsecurity.com/files/129016/ZTE-831CII-Hardcoded-Credential-XSS-CSRF.html http://packetstormsecurity.com/files/129017/ZTE-ZXDSL-831-Cross-Site-Scripting.html http://www.securityfocus.com/archive/1/533930/100/0/threaded http://www.securityfocus.com/archive/1/533931/100/0/threaded http://www.securityfocus.com/bid/70984 http://www.securityfocus.com/bid/70985 https://exchange.xforce.ibmcloud.com/vulnerabilities/98584 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 5.0EPSS: 0%CPEs: 1EXPL: 1

ZTE ZXDSL 831CII allows remote attackers to bypass authentication via a direct request to (1) main.cgi, (2) adminpasswd.cgi, (3) userpasswd.cgi, (4) upload.cgi, (5) conprocess.cgi, or (6) connect.cgi. ZTE ZXDSL 831CII permite a atacantes remotos evadir la autenticación a través de una solicitud directa a (1) main.cgi, (2) adminpasswd.cgi, (3) userpasswd.cgi, (4) upload.cgi, (5) conprocess.cgi, o (6) connect.cgi. ZTE ZXDSL 831CII suffers from an insecure direct object reference vulnerability that allows for authentication bypass. • http://packetstormsecurity.com/files/129015/ZTE-ZXDSL-831CII-Insecure-Direct-Object-Reference.html • CWE-287: Improper Authentication •