CVE-2018-7355 - OpenCVE

All versions up to V1.0.0B05 of ZTE MF65 and all versions up to V1.0.0B02 of ZTE MF65M1 are impacted by cross-site scripting vulnerability. Due to improper neutralization of input during web page generation, an attacker could exploit this vulnerability to conduct reflected XSS or HTML injection attacks on the devices.

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:N/C:N/I:P/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Zte	Mf65 Mf65m1 Mf65m1 Firmware Mf65 Firmware

Configuration 1 [-]

AND

cpe:2.3:o:zte:mf65_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:zte:mf65:-:*:*:*:*:*:*:*

Configuration 2 [-]

AND

cpe:2.3:o:zte:mf65m1_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:zte:mf65m1:-:*:*:*:*:*:*:*

References

Link	Resource
http://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1009483	Vendor Advisory
https://www.exploit-db.com/exploits/46102/

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: zte

Published: 2018-09-26T16:00:00

Updated: 2019-01-10T10:57:01

Reserved: 2018-02-22T00:00:00

Link: CVE-2018-7355

JSON object: View

NVD Information

Status : Modified

Published: 2018-09-26T16:29:01.673

Modified: 2019-01-10T11:29:12.220

Link: CVE-2018-7355

JSON object: View

Redhat Information

No data.

CWE

CWE-79

{"containers": {"cna": {"affected": [{"product": "MF65", "vendor": "ZTE", "versions": [{"lessThanOrEqual": "V1.0.0B05", "status": "affected", "version": "unspecified", "versionType": "custom"}]}, {"product": "MF65M1", "vendor": "ZTE", "versions": [{"lessThanOrEqual": "V1.0.0B02", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "datePublic": "2018-09-10T00:00:00", "descriptions": [{"lang": "en", "value": "All versions up to V1.0.0B05 of ZTE MF65 and all versions up to V1.0.0B02 of ZTE MF65M1 are impacted by cross-site scripting vulnerability. Due to improper neutralization of input during web page generation, an attacker could exploit this vulnerability to conduct reflected XSS or HTML injection attacks on the devices."}], "problemTypes": [{"descriptions": [{"description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-01-10T10:57:01", "orgId": "6786b568-6808-4982-b61f-398b0d9679eb", "shortName": "zte"}, "references": [{"name": "46102", "tags": ["exploit", "x_refsource_EXPLOIT-DB"], "url": "https://www.exploit-db.com/exploits/46102/"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1009483"}], "source": {"discovery": "EXTERNAL"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "psirt@zte.com.cn", "ID": "CVE-2018-7355", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "MF65", "version": {"version_data": [{"affected": "<=", "version_affected": "<=", "version_value": "V1.0.0B05"}]}}, {"product_name": "MF65M1", "version": {"version_data": [{"affected": "<=", "version_affected": "<=", "version_value": "V1.0.0B02"}]}}]}, "vendor_name": "ZTE"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "All versions up to V1.0.0B05 of ZTE MF65 and all versions up to V1.0.0B02 of ZTE MF65M1 are impacted by cross-site scripting vulnerability. Due to improper neutralization of input during web page generation, an attacker could exploit this vulnerability to conduct reflected XSS or HTML injection attacks on the devices."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}]}, "references": {"reference_data": [{"name": "46102", "refsource": "EXPLOIT-DB", "url": "https://www.exploit-db.com/exploits/46102/"}, {"name": "http://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1009483", "refsource": "CONFIRM", "url": "http://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1009483"}]}, "source": {"discovery": "EXTERNAL"}}}}, "cveMetadata": {"assignerOrgId": "6786b568-6808-4982-b61f-398b0d9679eb", "assignerShortName": "zte", "cveId": "CVE-2018-7355", "datePublished": "2018-09-26T16:00:00", "dateReserved": "2018-02-22T00:00:00", "dateUpdated": "2019-01-10T10:57:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:zte:mf65_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "00C00C3B-6A05-460B-9836-A079862810CE", "versionEndIncluding": "1.0.0b05", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:zte:mf65:-:*:*:*:*:*:*:*", "matchCriteriaId": "1F285860-8300-418C-BD17-73B91B89524C", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:zte:mf65m1_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "AD080FF6-1A76-43DC-A774-7A4C367CA65C", "versionEndIncluding": "1.0.0b02", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:zte:mf65m1:-:*:*:*:*:*:*:*", "matchCriteriaId": "0AB38DD0-13D5-4064-BE5C-2A7DCAF2FDF4", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "All versions up to V1.0.0B05 of ZTE MF65 and all versions up to V1.0.0B02 of ZTE MF65M1 are impacted by cross-site scripting vulnerability. Due to improper neutralization of input during web page generation, an attacker could exploit this vulnerability to conduct reflected XSS or HTML injection attacks on the devices."}, {"lang": "es", "value": "Las versiones hasta la V1.0.0B05 de ZTE MF65 y todas las versiones hasta la V1.0.0B02 de ZTE MF65M1 se han visto impactadas por una vulnerabilidad de Cross-Site Scripting (XSS). Debido a la neutralizaci\u00f3n incorrecta de las entradas durante la generaci\u00f3n de p\u00e1ginas web, un atacante podr\u00eda explotar esta vulnerabilidad para realizar ataques de Cross-Site Scripting (XSS) reflejado o inyecci\u00f3n HTML en los dispositivos."}], "id": "CVE-2018-7355", "lastModified": "2019-01-10T11:29:12.220", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-09-26T16:29:01.673", "references": [{"source": "psirt@zte.com.cn", "tags": ["Vendor Advisory"], "url": "http://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1009483"}, {"source": "psirt@zte.com.cn", "url": "https://www.exploit-db.com/exploits/46102/"}], "sourceIdentifier": "psirt@zte.com.cn", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}