CVE-2020-6872 : The server management software module of ZTE has a storage XSS vulnerability. Th

The server management software module of ZTE has a storage XSS vulnerability. The attacker inserts some attack codes through the foreground login page, which will cause the user to execute the predefined malicious script in the browser. This affects <R5300G4V03.08.0100/V03.07.0300/V03.07.0200/V03.07.0108/V03.07.0100/V03.05.0047/V03.05.0046/V03.05.0045/V03.05.0044/V03.05.0043/V03.05.0040/V03.04.0020;R8500G4V03.07.0103/V03.07.0101/V03.06.0100/V03.05.0400/V03.05.0020;R5500G4V03.08.0100/V03.07.0200/V03.07.0100/V03.06.0100>.

Published 2020-07-20 18:15:13

Updated 2020-07-24 14:01:40

Source ZTE Corporation

View at NVD, CVE.org

Vulnerability category: Cross site scripting (XSS)

Products affected by CVE-2020-6872

ZTE » R8500g4 Firmware » Version: 03.05.0020
cpe:2.3:o:zte:r8500g4_firmware:03.05.0020:*:*:*:*:*:*:*
Matching versions
When used together with: ZTE » R8500g4 » Version: N/A
ZTE » R8500g4 Firmware » Version: 03.05.0400
cpe:2.3:o:zte:r8500g4_firmware:03.05.0400:*:*:*:*:*:*:*
Matching versions
When used together with: ZTE » R8500g4 » Version: N/A
ZTE » R8500g4 Firmware » Version: 03.06.0100
cpe:2.3:o:zte:r8500g4_firmware:03.06.0100:*:*:*:*:*:*:*
Matching versions
When used together with: ZTE » R8500g4 » Version: N/A
ZTE » R8500g4 Firmware » Version: 03.07.0101
cpe:2.3:o:zte:r8500g4_firmware:03.07.0101:*:*:*:*:*:*:*
Matching versions
When used together with: ZTE » R8500g4 » Version: N/A
ZTE » R8500g4 Firmware » Version: 03.07.0103
cpe:2.3:o:zte:r8500g4_firmware:03.07.0103:*:*:*:*:*:*:*
Matching versions
When used together with: ZTE » R8500g4 » Version: N/A
ZTE » R5500g4 Firmware » Version: 03.06.0100
cpe:2.3:o:zte:r5500g4_firmware:03.06.0100:*:*:*:*:*:*:*
Matching versions
When used together with: ZTE » R5500g4 » Version: N/A
ZTE » R5500g4 Firmware » Version: 03.07.0100
cpe:2.3:o:zte:r5500g4_firmware:03.07.0100:*:*:*:*:*:*:*
Matching versions
When used together with: ZTE » R5500g4 » Version: N/A
ZTE » R5500g4 Firmware » Version: 03.07.0200
cpe:2.3:o:zte:r5500g4_firmware:03.07.0200:*:*:*:*:*:*:*
Matching versions
When used together with: ZTE » R5500g4 » Version: N/A
ZTE » R5500g4 Firmware » Version: 03.08.0100
cpe:2.3:o:zte:r5500g4_firmware:03.08.0100:*:*:*:*:*:*:*
Matching versions
When used together with: ZTE » R5500g4 » Version: N/A
ZTE » R5300g4 Firmware » Version: 03.04.0020
cpe:2.3:o:zte:r5300g4_firmware:03.04.0020:*:*:*:*:*:*:*
Matching versions
When used together with: ZTE » R5300g4 » Version: N/A
ZTE » R5300g4 Firmware » Version: 03.05.0040
cpe:2.3:o:zte:r5300g4_firmware:03.05.0040:*:*:*:*:*:*:*
Matching versions
When used together with: ZTE » R5300g4 » Version: N/A
ZTE » R5300g4 Firmware » Version: 03.05.0043
cpe:2.3:o:zte:r5300g4_firmware:03.05.0043:*:*:*:*:*:*:*
Matching versions
When used together with: ZTE » R5300g4 » Version: N/A
ZTE » R5300g4 Firmware » Version: 03.05.0044
cpe:2.3:o:zte:r5300g4_firmware:03.05.0044:*:*:*:*:*:*:*
Matching versions
When used together with: ZTE » R5300g4 » Version: N/A
ZTE » R5300g4 Firmware » Version: 03.05.0045
cpe:2.3:o:zte:r5300g4_firmware:03.05.0045:*:*:*:*:*:*:*
Matching versions
When used together with: ZTE » R5300g4 » Version: N/A
ZTE » R5300g4 Firmware » Version: 03.05.0046
cpe:2.3:o:zte:r5300g4_firmware:03.05.0046:*:*:*:*:*:*:*
Matching versions
When used together with: ZTE » R5300g4 » Version: N/A
ZTE » R5300g4 Firmware » Version: 03.05.0047
cpe:2.3:o:zte:r5300g4_firmware:03.05.0047:*:*:*:*:*:*:*
Matching versions
When used together with: ZTE » R5300g4 » Version: N/A
ZTE » R5300g4 Firmware » Version: 03.07.0100
cpe:2.3:o:zte:r5300g4_firmware:03.07.0100:*:*:*:*:*:*:*
Matching versions
When used together with: ZTE » R5300g4 » Version: N/A
ZTE » R5300g4 Firmware » Version: 03.07.0108
cpe:2.3:o:zte:r5300g4_firmware:03.07.0108:*:*:*:*:*:*:*
Matching versions
When used together with: ZTE » R5300g4 » Version: N/A
ZTE » R5300g4 Firmware » Version: 03.07.0200
cpe:2.3:o:zte:r5300g4_firmware:03.07.0200:*:*:*:*:*:*:*
Matching versions
When used together with: ZTE » R5300g4 » Version: N/A
ZTE » R5300g4 Firmware » Version: 03.07.0300
cpe:2.3:o:zte:r5300g4_firmware:03.07.0300:*:*:*:*:*:*:*
Matching versions
When used together with: ZTE » R5300g4 » Version: N/A
ZTE » R5300g4 Firmware » Version: 03.08.0100
cpe:2.3:o:zte:r5300g4_firmware:03.08.0100:*:*:*:*:*:*:*
Matching versions
When used together with: ZTE » R5300g4 » Version: N/A

Exploit prediction scoring system (EPSS) score for CVE-2020-6872

EPSS FAQ

0.42%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 59 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2020-6872

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
4.3	MEDIUM	AV:N/AC:M/Au:N/C:N/I:P/A:N	8.6	2.9	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: None Integrity Impact: Partial Availability Impact: None
6.1	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N	2.8	2.7	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Changed Confidentiality: Low Integrity: Low Availability: None

CWE ids for CVE-2020-6872

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2020-6872

http://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1013203

Security Bulletin Details
Vendor Advisory

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2020-6872

Products affected by CVE-2020-6872

Exploit prediction scoring system (EPSS) score for CVE-2020-6872

CVSS scores for CVE-2020-6872

CWE ids for CVE-2020-6872

References for CVE-2020-6872