| # | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail. | Description |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1 | CVE-2021-21751 | 20 | | | 2021-12-27 | 2022-01-12 | 5.5 | None | Remote | Low | ??? | None | Partial | Partial | ZTE BigVideo analysis product has an input verification vulnerability. Due to the inconsistency between the front and back verifications when configuring the large screen page, an attacker with high privileges could exploit this vulnerability to tamper with the URL and cause service exception. |
| 2 | CVE-2021-21750 | 269 | | +Priv | 2021-12-27 | 2022-01-12 | 4.6 | None | Local | Low | Not required | Partial | Partial | Partial | ZTE BigVideo Analysis product has a privilege escalation vulnerability. Due to improper management of the timed task modification privilege, an attacker with ordinary user permissions could exploit this vulnerability to gain unauthorized access. |
| 3 | CVE-2021-21742 | | | +Info | 2021-09-25 | 2021-09-30 | 4.3 | None | Remote | Medium | Not required | Partial | None | None | There is an information leak vulnerability in the message service app of a ZTE mobile phone. Due to improper parameter settings, attackers could use this vulnerability to obtain some sensitive information of users by accessing specific pages. |
| 4 | CVE-2021-21733 | 200 | | +Info | 2021-05-19 | 2021-05-28 | 4.0 | None | Remote | Low | ??? | Partial | None | None | The management system of ZXCDN is impacted by the information leak vulnerability. Attackers can make further analysis according to the information returned by the program, and then obtain some sensitive information. This affects ZXCDN V7.01 all versions up to IAMV7.01.01.02. |
| 5 | CVE-2020-12695 | 276 | | | 2020-06-08 | 2021-04-23 | 7.8 | None | Remote | Medium | Not required | Partial | None | Complete | The Open Connectivity Foundation UPnP specification before 2020-04-17 does not forbid the acceptance of a subscription request with a delivery URL on a different network segment than the fully qualified event-subscription URL, aka the CallStranger issue. |
| 6 | CVE-2020-6876 | 79 | | XSS | 2020-10-26 | 2020-10-30 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | A ZTE product is impacted by an XSS vulnerability. The vulnerability is caused by the lack of correct verification of client data in the WEB module. By inserting malicious scripts into the web module, a remote attacker could trigger an XSS attack when the user browses the web page. Then the attacker could use the vulnerability to steal user cookies or destroy the page structure. This affects: eVDC ZXCLOUD-iROSV6.03.04 |
| 7 | CVE-2020-6869 | 200 | | +Info | 2020-06-17 | 2021-07-21 | 5.5 | None | Remote | Low | ??? | Partial | Partial | None | All versions up to 10.06 of ZTEMarket APK are impacted by an information leak vulnerability. Due to Activity Component exposure users can exploit this vulnerability to get the private cookie and execute silent installation. |
| 8 | CVE-2020-6867 | 400 | | Overflow | 2020-04-30 | 2020-05-06 | 2.1 | None | Local | Low | Not required | None | None | Partial | ZTE's SDON controller is impacted by the resource management error vulnerability. When RPC is frequently called by other applications in the case of mass traffic data in the system, it will result in no response for a long time and memory overflow risk. This affects: ZENIC ONE R22b versions V16.19.10P02SP002 and V16.19.10P02SP005. |
| 9 | CVE-2020-6865 | 200 | | +Info | 2020-04-30 | 2020-05-05 | 4.0 | None | Remote | Low | ??? | Partial | None | None | ZTE SDN controller platform is impacted by an information leakage vulnerability. Due to the program's failure to optimize the response of failure to the request, the caller can directly view the internal error code location of the component. Attackers could exploit this vulnerability to obtain sensitive information. This affects: OSCP versions V16.19.10 and V16.19.20. |
| 10 | CVE-2019-3431 | 522 | | | 2019-12-23 | 2021-07-21 | 5.0 | None | Remote | Low | Not required | Partial | None | None | All versions up to V4.01.01.02 of ZTE ZXCLOUD GoldenData VAP product have encryption problems vulnerability. Attackers could sniff unencrypted account and password through the network for front-end system access. |
| 11 | CVE-2019-3430 | 200 | | +Info | 2019-12-23 | 2021-07-21 | 4.0 | None | Remote | Low | ??? | Partial | None | None | All versions up to V4.01.01.02 of ZTE ZXCLOUD GoldenData VAP product have an information disclosure vulnerability. Attackers could use this vulnerability to collect data information and damage the system. |
| 12 | CVE-2019-3429 | 532 | | +Info | 2019-12-23 | 2019-12-30 | 5.0 | None | Remote | Low | Not required | Partial | None | None | All versions up to V4.01.01.02 of ZTE ZXCLOUD GoldenData VAP product have a file reading vulnerability. Attackers could obtain log file information without authorization, causing the disclosure of sensitive information. |
| 13 | CVE-2018-7365 | 426 | | | 2018-12-20 | 2019-10-09 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial | All versions up to ZXCLOUD iRAI V5.01.05 of the ZTE uSmartView product are impacted by untrusted search path vulnerability, which may allow an unauthorized user to perform unauthorized operations. |
| 14 | CVE-2018-7364 | 284 | | Exec Code | 2018-12-07 | 2019-10-09 | 10.0 | None | Remote | Low | Not required | Complete | Complete | Complete | All versions up to ZXINOS-RESV1.01.43 of the ZTE ZXIN10 product European region are impacted by improper access control vulnerability. Due to improper access control to devcomm process, an unauthorized remote attacker can exploit this vulnerability to execute arbitrary code with root privileges. |
| 15 | CVE-2014-9184 | 287 | | Bypass | 2014-12-02 | 2014-12-03 | 5.0 | None | Remote | Low | Not required | None | Partial | None | ZTE ZXDSL 831CII allows remote attackers to bypass authentication via a direct request to (1) main.cgi, (2) adminpasswd.cgi, (3) userpasswd.cgi, (4) upload.cgi, (5) conprocess.cgi, or (6) connect.cgi. |
| 16 | CVE-2014-9183 | 255 | | +Priv | 2014-12-02 | 2014-12-03 | 10.0 | None | Remote | Low | Not required | Complete | Complete | Complete | ZTE ZXDSL 831CII has a default password of admin for the admin account, which allows remote attackers to gain administrator privileges. |
| 17 | CVE-2014-9020 | 79 | | XSS | 2014-11-20 | 2018-10-09 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Cross-site scripting (XSS) vulnerability in the Quick Stats page (psilan.cgi) in ZTE ZXDSL 831 and 831CII allows remote attackers to inject arbitrary web script or HTML via the domainname parameter in a save action. NOTE: this issue was SPLIT from CVE-2014-9021 per ADT1 due to different affected products and codebases. |
| 18 | CVE-2014-9019 | 352 | | XSS CSRF | 2014-11-20 | 2018-10-09 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial | Multiple cross-site request forgery (CSRF) vulnerabilities in ZTE ZXDSL 831CII allow remote attackers to hijack the authentication of administrators for requests that (1) change the admin user name or (2) conduct cross-site scripting (XSS) attacks via the sysUserName parameter in a save action to adminpasswd.cgi or (3) change the admin user password via the sysPassword parameter in a save action to adminpasswd.cgi. |
| 19 | CVE-2014-2321 | 264 | | | 2014-03-11 | 2014-03-11 | 10.0 | None | Remote | Low | Not required | Complete | Complete | Complete | web_shell_cmd.gch on ZTE F460 and F660 cable modems allows remote attackers to obtain administrative access via sendcmd requests, as demonstrated by using "set TelnetCfg" commands to enable a TELNET service with specified credentials. |
| 20 | CVE-2014-0329 | 255 | | | 2014-02-04 | 2017-08-29 | 9.3 | None | Remote | Medium | Not required | Complete | Complete | Complete | The TELNET service on the ZTE ZXV10 W300 router 2.1.0 has a hardcoded password ending with airocon for the admin account, which allows remote attackers to obtain administrative access by leveraging knowledge of the MAC address characters present at the beginning of the password. |
| 21 | CVE-2012-4746 | 352 | 1 | CSRF | 2012-08-31 | 2012-09-03 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial | Cross-site request forgery (CSRF) vulnerability in accessaccount.cgi in ZTE ZXDSL 831IIV7.5.0a_Z29_OV allows remote attackers to hijack the authentication of administrators for requests that change the administrator password via the sysPassword parameter. |