CVE-2020-6879

Severity Score

3.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Some ZTE devices have input verification vulnerabilities. The devices support configuring a static prefix through the web management page. The restriction of the front-end code can be bypassed by constructing a POST request message and sending the request to the creation of a static routing rule configuration interface. The WEB service backend fails to effectively verify the abnormal input. As a result, the attacker can successfully use the vulnerability to tamper parameter values. This affects: ZXHN Z500 V1.0.0.2B1.1000 and ZXHN F670L V1.1.10P1N2E. This is fixed in ZXHN Z500 V1.0.1.1B1.1000 and ZXHN F670L V1.1.10P2N2.

Algunos dispositivos ZTE presentan vulnerabilidades de comprobación de entrada. Los dispositivos admiten la configuración de un prefijo estático por medio de la página de administración web. La restricción del código de front-end se puede omitir al construir un mensaje de petición POST y mediante el envío de la petición a la creación de una interfaz de configuración de reglas de enrutamiento estático. El backend del servicio WEB no puede verificar eficazmente la entrada anormal. Como resultado, el atacante puede usar con éxito la vulnerabilidad para alterar los valores de los parámetros. Esto afecta a: ZXHN Z500 V1.0.0.2B1.1000 y ZXHN F670L V1.1.10P1N2E. Esto se corrige en ZXHN Z500 V1.0.1.1B1.1000 y ZXHN F670L V1.1.10P2N2

*Credits: N/A

Attack Vector

Adjacent

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

Low

Availability

None

Attack Vector

Adjacent

Attack Complexity

Low

Authentication

Single

Confidentiality

None

Integrity

Partial

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2020-01-13 CVE Reserved
2020-11-19 CVE Published
2024-08-04 CVE Updated
2024-08-21 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-20: Improper Input Validation

CAPEC

References (1)

URL	Tag	Source

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
http://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1013922	2020-12-02

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Zte Search vendor "Zte"	Zxhn Z500 Firmware Search vendor "Zte" for product "Zxhn Z500 Firmware"	v1.0.0.2b1.1000 Search vendor "Zte" for product "Zxhn Z500 Firmware" and version "v1.0.0.2b1.1000"	-	Affected	in	Zte Search vendor "Zte"	Zxhn Z500 Search vendor "Zte" for product "Zxhn Z500"	-	-	Safe
Zte Search vendor "Zte"	Zxhn F670l Firmware Search vendor "Zte" for product "Zxhn F670l Firmware"	v1.1.10p1n2e Search vendor "Zte" for product "Zxhn F670l Firmware" and version "v1.1.10p1n2e"	-	Affected	in	Zte Search vendor "Zte"	Zxhn F670l Search vendor "Zte" for product "Zxhn F670l"	-	-	Safe