CVE-2018-7355 - OpenCVE

All versions up to V1.0.0B05 of ZTE MF65 and all versions up to V1.0.0B02 of ZTE MF65M1 are impacted by cross-site scripting vulnerability. Due to improper neutralization of input during web page generation, an attacker could exploit this vulnerability to conduct reflected XSS or HTML injection attacks on the devices.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:N/C:N/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Zte	Mf65 Mf65 Firmware Mf65m1 Mf65m1 Firmware

Configuration 1 [-]

AND

cpe:2.3:o:zte:mf65_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:zte:mf65:-:*:*:*:*:*:*:*

Configuration 2 [-]

AND

cpe:2.3:o:zte:mf65m1_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:zte:mf65m1:-:*:*:*:*:*:*:*

No data.

References

Link	Providers
http://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1009483
https://www.exploit-db.com/exploits/46102/

History

No history.

MITRE

Status: PUBLISHED

Assigner: zte

Published: 2018-09-26T16:00:00

Updated: 2024-08-05T06:24:11.940Z

Reserved: 2018-02-22T00:00:00

Link: CVE-2018-7355

Vulnrichment

No data.

NVD

Status : Modified

Published: 2018-09-26T16:29:01.673

Modified: 2019-01-10T11:29:12.220

Link: CVE-2018-7355

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "MF65", "vendor": "ZTE", "versions": [{"lessThanOrEqual": "V1.0.0B05", "status": "affected", "version": "unspecified", "versionType": "custom"}]}, {"product": "MF65M1", "vendor": "ZTE", "versions": [{"lessThanOrEqual": "V1.0.0B02", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "datePublic": "2018-09-10T00:00:00", "descriptions": [{"lang": "en", "value": "All versions up to V1.0.0B05 of ZTE MF65 and all versions up to V1.0.0B02 of ZTE MF65M1 are impacted by cross-site scripting vulnerability. Due to improper neutralization of input during web page generation, an attacker could exploit this vulnerability to conduct reflected XSS or HTML injection attacks on the devices."}], "problemTypes": [{"descriptions": [{"description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-01-10T10:57:01", "orgId": "6786b568-6808-4982-b61f-398b0d9679eb", "shortName": "zte"}, "references": [{"name": "46102", "tags": ["exploit", "x_refsource_EXPLOIT-DB"], "url": "https://www.exploit-db.com/exploits/46102/"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1009483"}], "source": {"discovery": "EXTERNAL"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "psirt@zte.com.cn", "ID": "CVE-2018-7355", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "MF65", "version": {"version_data": [{"affected": "<=", "version_affected": "<=", "version_value": "V1.0.0B05"}]}}, {"product_name": "MF65M1", "version": {"version_data": [{"affected": "<=", "version_affected": "<=", "version_value": "V1.0.0B02"}]}}]}, "vendor_name": "ZTE"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "All versions up to V1.0.0B05 of ZTE MF65 and all versions up to V1.0.0B02 of ZTE MF65M1 are impacted by cross-site scripting vulnerability. Due to improper neutralization of input during web page generation, an attacker could exploit this vulnerability to conduct reflected XSS or HTML injection attacks on the devices."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}]}, "references": {"reference_data": [{"name": "46102", "refsource": "EXPLOIT-DB", "url": "https://www.exploit-db.com/exploits/46102/"}, {"name": "http://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1009483", "refsource": "CONFIRM", "url": "http://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1009483"}]}, "source": {"discovery": "EXTERNAL"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T06:24:11.940Z"}, "title": "CVE Program Container", "references": [{"name": "46102", "tags": ["exploit", "x_refsource_EXPLOIT-DB", "x_transferred"], "url": "https://www.exploit-db.com/exploits/46102/"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1009483"}]}]}, "cveMetadata": {"assignerOrgId": "6786b568-6808-4982-b61f-398b0d9679eb", "assignerShortName": "zte", "cveId": "CVE-2018-7355", "datePublished": "2018-09-26T16:00:00", "dateReserved": "2018-02-22T00:00:00", "dateUpdated": "2024-08-05T06:24:11.940Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:zte:mf65_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "00C00C3B-6A05-460B-9836-A079862810CE", "versionEndIncluding": "1.0.0b05", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:zte:mf65:-:*:*:*:*:*:*:*", "matchCriteriaId": "1F285860-8300-418C-BD17-73B91B89524C", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:zte:mf65m1_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "AD080FF6-1A76-43DC-A774-7A4C367CA65C", "versionEndIncluding": "1.0.0b02", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:zte:mf65m1:-:*:*:*:*:*:*:*", "matchCriteriaId": "0AB38DD0-13D5-4064-BE5C-2A7DCAF2FDF4", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "All versions up to V1.0.0B05 of ZTE MF65 and all versions up to V1.0.0B02 of ZTE MF65M1 are impacted by cross-site scripting vulnerability. Due to improper neutralization of input during web page generation, an attacker could exploit this vulnerability to conduct reflected XSS or HTML injection attacks on the devices."}, {"lang": "es", "value": "Las versiones hasta la V1.0.0B05 de ZTE MF65 y todas las versiones hasta la V1.0.0B02 de ZTE MF65M1 se han visto impactadas por una vulnerabilidad de Cross-Site Scripting (XSS). Debido a la neutralizaci\u00f3n incorrecta de las entradas durante la generaci\u00f3n de p\u00e1ginas web, un atacante podr\u00eda explotar esta vulnerabilidad para realizar ataques de Cross-Site Scripting (XSS) reflejado o inyecci\u00f3n HTML en los dispositivos."}], "id": "CVE-2018-7355", "lastModified": "2019-01-10T11:29:12.220", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-09-26T16:29:01.673", "references": [{"source": "psirt@zte.com.cn", "tags": ["Vendor Advisory"], "url": "http://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1009483"}, {"source": "psirt@zte.com.cn", "url": "https://www.exploit-db.com/exploits/46102/"}], "sourceIdentifier": "psirt@zte.com.cn", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}