CVE-2019-3413 - OpenCVE

All versions up to V20.18.40.R7.B1of ZTE NetNumen DAP product have an XSS vulnerability. Due to the lack of correct validation of client data in WEB applications, which results in users being hijacked.

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:S/C:N/I:P/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Zte	Netnumen Dap Firmware Netnumen Dap

Configuration 1 [-]

AND

cpe:2.3:o:zte:netnumen_dap_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:zte:netnumen_dap:-:*:*:*:*:*:*:*

References

Link	Resource
http://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1010797	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: zte

Published: 2019-06-11T19:52:50

Updated: 2019-06-11T19:52:50

Reserved: 2018-12-31T00:00:00

Link: CVE-2019-3413

JSON object: View

NVD Information

Status : Modified

Published: 2019-06-11T20:29:01.827

Modified: 2019-10-09T23:49:11.303

Link: CVE-2019-3413

JSON object: View

Redhat Information

No data.

CWE

CWE-79

{"containers": {"cna": {"affected": [{"product": "NetNumen DAP", "vendor": "ZTE", "versions": [{"lessThanOrEqual": "All versions up to NetNumen DAP V20.18.40.R7.B1", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "datePublic": "2019-06-06T00:00:00", "descriptions": [{"lang": "en", "value": "All versions up to V20.18.40.R7.B1of ZTE NetNumen DAP product have an XSS vulnerability. Due to the lack of correct validation of client data in WEB applications, which results in users being hijacked."}], "metrics": [{"cvssV3_0": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.0"}}], "problemTypes": [{"descriptions": [{"description": "Command Injection", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-06-11T19:52:50", "orgId": "6786b568-6808-4982-b61f-398b0d9679eb", "shortName": "zte"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "http://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1010797"}], "source": {"discovery": "UNKNOWN"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "psirt@zte.com.cn", "ID": "CVE-2019-3413", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "NetNumen DAP", "version": {"version_data": [{"affected": "<=", "version_affected": "<=", "version_value": "All versions up to NetNumen DAP V20.18.40.R7.B1"}]}}]}, "vendor_name": "ZTE"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "All versions up to V20.18.40.R7.B1of ZTE NetNumen DAP product have an XSS vulnerability. Due to the lack of correct validation of client data in WEB applications, which results in users being hijacked."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NONE", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "Medium", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.0"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Command Injection"}]}]}, "references": {"reference_data": [{"name": "http://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1010797", "refsource": "CONFIRM", "url": "http://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1010797"}]}, "source": {"discovery": "UNKNOWN"}}}}, "cveMetadata": {"assignerOrgId": "6786b568-6808-4982-b61f-398b0d9679eb", "assignerShortName": "zte", "cveId": "CVE-2019-3413", "datePublished": "2019-06-11T19:52:50", "dateReserved": "2018-12-31T00:00:00", "dateUpdated": "2019-06-11T19:52:50", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:zte:netnumen_dap_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "39C2367D-0C65-4257-9D78-98893511B62C", "versionEndIncluding": "20.18.40.r7.b1", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:zte:netnumen_dap:-:*:*:*:*:*:*:*", "matchCriteriaId": "81D8DFDB-0AB1-42A8-BF7A-01231D258971", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "All versions up to V20.18.40.R7.B1of ZTE NetNumen DAP product have an XSS vulnerability. Due to the lack of correct validation of client data in WEB applications, which results in users being hijacked."}, {"lang": "es", "value": "Todas las versiones hasta V20.18.40.R7.B1 del producto ZTE NetNumen DAP tienen una vulnerabilidad de XSS. Debido a la falta de validaci\u00f3n correcta de los datos del cliente en las aplicaciones WEB, lo que hace que los usuarios sean secuestrados."}], "id": "CVE-2019-3413", "lastModified": "2019-10-09T23:49:11.303", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.0"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.0"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "psirt@zte.com.cn", "type": "Secondary"}]}, "published": "2019-06-11T20:29:01.827", "references": [{"source": "psirt@zte.com.cn", "tags": ["Vendor Advisory"], "url": "http://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1010797"}], "sourceIdentifier": "psirt@zte.com.cn", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}