CVE-2015-8703 – ZTE ZXHN H108N R1A / ZXV10 W300 Routers - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2015-8703
ZTE ZXHN H108N R1A devices before ZTE.bhs.ZXHNH108NR1A.k_PE and ZXV10 W300 devices W300V1.0.0f_ER1_PE allow remote authenticated users to bypass intended access restrictions, and discover credentials and keys, by reading the configuration file, a different vulnerability than CVE-2015-7248. Dispositivos ZTE ZXHN H108N R1A en versiones anteriores a ZTE.bhs.ZXHNH108NR1A.k_PE y dispositivos ZXV10 W300 en versiones anteriores aW300V1.0.0f_ER1_PE permiten a usuarios remotos autenticados eludir las restricciones destinadas al acceso, y descubrir credenciales y claves, leyendo el archivo de configuración, una vulnerabilidad diferente a CVE-2015-7248. • https://www.exploit-db.com/exploits/38773 http://www.securityfocus.com/bid/77421 https://www.kb.cert.org/vuls/id/391604 https://www.kb.cert.org/vuls/id/BLUU-9ZDJWA • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2015-7257 – ZTE ADSL ZXV10 W300 Modems - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2015-7257
ZTE ADSL ZXV10 W300 modems W300V2.1.0f_ER7_PE_O57 and W300V2.1.0h_ER7_PE_O57 allow remote authenticated non-administrator users to change the admin password by intercepting an outgoing password change request, and changing the username parameter from "support" to "admin". Los modems ZTE ADSL ZXV10 W300, W300V2.1.0f_ER7_PE_O57 y W300V2.1.0h_ER7_PE_O57 permiten que usuarios sin privilegio de administrador, autenticados y remotos cambien la contraseña de administrador interceptando una petición saliente de cambio de contraseña y cambiando el parámetro username de "support" a "admin". ZTE ADSL ZXV10 W300 modems suffer from insufficient authorization controls, information disclosure, and a backdoor account feature. • https://www.exploit-db.com/exploits/38772 http://packetstormsecurity.com/files/134336/ZTE-ADSL-Authorization-Bypass-Information-Disclosure.html http://packetstormsecurity.com/files/134493/ZTE-ADSL-ZXV10-W300-Authorization-Disclosure-Backdoor.html http://seclists.org/fulldisclosure/2015/Nov/48 • CWE-640: Weak Password Recovery Mechanism for Forgotten Password •
CVE-2015-7258 – ZTE ADSL ZXV10 W300 Modems - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2015-7258
ZTE ADSL ZXV10 W300 modems W300V2.1.0f_ER7_PE_O57 and W300V2.1.0h_ER7_PE_O57 allow remote authenticated users to obtain user passwords by displaying user information in a Telnet connection. Los modems ZTE ADSL ZXV10 W300, W300V2.1.0f_ER7_PE_O57 y W300V2.1.0h_ER7_PE_O57 permiten que usuarios remotos autenticados obtengan las contraseñas de usuario mostrando información de usuario en una conexión Telnet. ZTE ADSL ZXV10 W300 modems suffer from insufficient authorization controls, information disclosure, and a backdoor account feature. • https://www.exploit-db.com/exploits/38772 http://packetstormsecurity.com/files/134336/ZTE-ADSL-Authorization-Bypass-Information-Disclosure.html http://packetstormsecurity.com/files/134493/ZTE-ADSL-ZXV10-W300-Authorization-Disclosure-Backdoor.html http://seclists.org/fulldisclosure/2015/Nov/48 • CWE-255: Credentials Management Errors •
CVE-2015-7259 – ZTE ADSL ZXV10 W300 Modems - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2015-7259
ZTE ADSL ZXV10 W300 modems W300V2.1.0f_ER7_PE_O57 and W300V2.1.0h_ER7_PE_O57 allow user accounts to have multiple valid username and password pairs, which allows remote authenticated users to login to a target account via any of its username and password pairs. Los modems ZTE ADSL ZXV10 W300, W300V2.1.0f_ER7_PE_O57 y W300V2.1.0h_ER7_PE_O57 permiten que las cuentas de usuario tengan múltiples pares válidos de nombre de usuario y contraseña, lo que permite que usuarios remotos autenticados inicien sesión en una cuenta objetivo mediante cualquiera de sus pares de nombre de usuario y contraseña. ZTE ADSL ZXV10 W300 modems suffer from insufficient authorization controls, information disclosure, and a backdoor account feature. • https://www.exploit-db.com/exploits/38772 http://packetstormsecurity.com/files/134336/ZTE-ADSL-Authorization-Bypass-Information-Disclosure.html http://packetstormsecurity.com/files/134493/ZTE-ADSL-ZXV10-W300-Authorization-Disclosure-Backdoor.html http://seclists.org/fulldisclosure/2015/Nov/48 • CWE-255: Credentials Management Errors •
CVE-2014-4155 – ZTE WXV10 W300 - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2014-4155
Cross-site request forgery (CSRF) vulnerability in the ZTE ZXV10 W300 router with firmware W300V1.0.0a_ZRD_LK allows remote attackers to hijack the authentication of administrators for requests that change the admin password via a request to Forms/tools_admin_1. Vulnerabilidad de CSRF en el router ZTE ZXV10 W300 con firmware W300V1.0.0a_ZRD_LK permite a atacantes remotos secuestrar la autenticación de administradores para solicitudes que cambian la contraseña de administración a través de una solicitud hacia Forms/tools_admin_1. ZTE WXV10 W300 suffers from suffers from backup disclosure, cross site request forgery, denial of service, and file disclosure vulnerabilities. • https://www.exploit-db.com/exploits/33803 http://packetstormsecurity.com/files/127129/ZTE-WXV10-W300-Disclosure-CSRF-Default.html http://www.exploit-db.com/exploits/33803 https://osandamalith.wordpress.com/2014/06/15/zte-wxv10-w300-multiple-vulnerabilities • CWE-352: Cross-Site Request Forgery (CSRF) •