CVE-2023-25651 - Vulnerability Details

Vendors	Products
Zte	Mf286r Mf286r Firmware Mf833u1 Mf833u1 Firmware

Link	Providers
https://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1032684

Show plain JSON

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-25651", "assignerOrgId": "6786b568-6808-4982-b61f-398b0d9679eb", "state": "PUBLISHED", "assignerShortName": "zte", "dateReserved": "2023-02-09T19:47:48.023Z", "datePublished": "2023-12-14T07:03:54.704Z", "dateUpdated": "2024-08-02T11:25:19.271Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "platforms": ["Linux"], "product": "Mobile Internet Products", "vendor": "ZTE", "versions": [{"lessThanOrEqual": "V1.0.0B01", "status": "affected", "version": "BD_MF833U1V1.0.0B01", "versionType": "V1.0.0B01"}, {"lessThanOrEqual": "V1.0.0B04", "status": "affected", "version": "CR_LVWRGBMF286RV1.0.0B04", "versionType": "V1.0.0B04"}]}], "datePublic": "2023-08-29T08:17:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "\n\nThere is a SQL injection vulnerability in some ZTE mobile internet&nbsp;products.&nbsp;Due to insufficient input validation of SMS interface parameter, an authenticated attacker could use the vulnerability to execute SQL injection and cause information leak.\n\n"}], "value": "\nThere is a SQL injection vulnerability in some ZTE mobile internet\u00a0products.\u00a0Due to insufficient input validation of SMS interface parameter, an authenticated attacker could use the vulnerability to execute SQL injection and cause information leak.\n\n"}], "impacts": [{"capecId": "CAPEC-66", "descriptions": [{"lang": "en", "value": "CAPEC-66 SQL Injection"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "LOW", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "description": "CWE-20 Improper Input Validation", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "6786b568-6808-4982-b61f-398b0d9679eb", "shortName": "zte", "dateUpdated": "2023-12-14T08:17:53.412Z"}, "references": [{"url": "https://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1032684"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "\n\n<span style=\"background-color: rgb(255, 255, 255);\">BD_MF833U1V1.0.0B02,&nbsp;\n\n<span style=\"background-color: rgb(255, 255, 255);\">CR_LVWRGBMF286RV1.0.1B01</span>\n\n</span><br>"}], "value": "\nBD_MF833U1V1.0.0B02,\u00a0\n\nCR_LVWRGBMF286RV1.0.1B01\n\n\n"}], "source": {"discovery": "UNKNOWN"}, "title": "SQL Injection Vulnerability in Some ZTE Mobile Internet Products", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T11:25:19.271Z"}, "title": "CVE Program Container", "references": [{"url": "https://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1032684", "tags": ["x_transferred"]}]}]}}

{

dataType : CVE_RECORD (string)

dataVersion : 5.1 (string)

cveMetadata : { »

cveId : CVE-2023-25651 (string)

assignerOrgId : 6786b568-6808-4982-b61f-398b0d9679eb (string)

state : PUBLISHED (string)

assignerShortName : zte (string)

dateReserved : 2023-02-09T19:47:48.023Z (string)

datePublished : 2023-12-14T07:03:54.704Z (string)

dateUpdated : 2024-08-02T11:25:19.271Z (string)

}

containers : { »

cna : { »

affected : [ »

0 : { »

defaultStatus : unaffected (string)

platforms : [ »

0 : Linux (string)

]

product : Mobile Internet Products (string)

vendor : ZTE (string)

versions : [ »

0 : { »

lessThanOrEqual : V1.0.0B01 (string)

status : affected (string)

version : BD_MF833U1V1.0.0B01 (string)

versionType : V1.0.0B01 (string)

}

1 : { »

lessThanOrEqual : V1.0.0B04 (string)

status : affected (string)

version : CR_LVWRGBMF286RV1.0.0B04 (string)

versionType : V1.0.0B04 (string)

}

]

}

]

datePublic : 2023-08-29T08:17:00.000Z (string)

descriptions : [ »

0 : { »

lang : en (string)

supportingMedia : [ »

0 : { »

base64 : false (boolean)

type : text/html (string)

value : There is a SQL injection vulnerability in some ZTE mobile internet products. Due to insufficient input validation of SMS interface parameter, an authenticated attacker could use the vulnerability to execute SQL injection and cause information leak. (string)

}

]

value : There is a SQL injection vulnerability in some ZTE mobile internet products. Due to insufficient input validation of SMS interface parameter, an authenticated attacker could use the vulnerability to execute SQL injection and cause information leak. (string)

}

]

impacts : [ »

0 : { »

capecId : CAPEC-66 (string)

descriptions : [ »

0 : { »

lang : en (string)

value : CAPEC-66 SQL Injection (string)

}

]

}

]

metrics : [ »

0 : { »

cvssV3_1 : { »

attackComplexity : LOW (string)

attackVector : ADJACENT_NETWORK (string)

availabilityImpact : LOW (string)

baseScore : 4.3 (number)

baseSeverity : MEDIUM (string)

confidentialityImpact : LOW (string)

integrityImpact : LOW (string)

privilegesRequired : HIGH (string)

scope : UNCHANGED (string)

userInteraction : NONE (string)

vectorString : CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L (string)

version : 3.1 (string)

}

format : CVSS (string)

scenarios : [ »

0 : { »

lang : en (string)

value : GENERAL (string)

}

]

}

]

problemTypes : [ »

0 : { »

descriptions : [ »

0 : { »

cweId : CWE-20 (string)

description : CWE-20 Improper Input Validation (string)

lang : en (string)

type : CWE (string)

}

]

}

]

providerMetadata : { »

orgId : 6786b568-6808-4982-b61f-398b0d9679eb (string)

shortName : zte (string)

dateUpdated : 2023-12-14T08:17:53.412Z (string)

}

references : [ »

0 : { »

url : https://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1032684 (string)

}

]

solutions : [ »

0 : { »

lang : en (string)

supportingMedia : [ »

0 : { »

base64 : false (boolean)

type : text/html (string)

value : BD_MF833U1V1.0.0B02,  CR_LVWRGBMF286RV1.0.1B01 (string)

}

]

value : BD_MF833U1V1.0.0B02, CR_LVWRGBMF286RV1.0.1B01 (string)

}

]

source : { »

discovery : UNKNOWN (string)

}

title : SQL Injection Vulnerability in Some ZTE Mobile Internet Products (string)

x_generator : { »

engine : Vulnogram 0.1.0-dev (string)

}

adp : [ »

0 : { »

providerMetadata : { »

orgId : af854a3a-2127-422b-91ae-364da2661108 (string)

shortName : CVE (string)

dateUpdated : 2024-08-02T11:25:19.271Z (string)

}

title : CVE Program Container (string)

references : [ »

0 : { »

url : https://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1032684 (string)

tags : [ »

0 : x_transferred (string)

]

}

]

}

]

}

Show plain JSON

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:zte:mf833u1_firmware:bd_mf833u1v1.0.0b01:*:*:*:*:*:*:*", "matchCriteriaId": "3B96CCC0-355A-45D9-A0F1-73BFB6D841F7", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:zte:mf833u1:-:*:*:*:*:*:*:*", "matchCriteriaId": "BCF9A3AC-95D3-4EF9-9681-737587284105", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:zte:mf286r_firmware:cr_lvwrgbmf286rv1.0.0b04:*:*:*:*:*:*:*", "matchCriteriaId": "501A46C7-1325-44B1-81FC-8769181A5075", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:zte:mf286r:-:*:*:*:*:*:*:*", "matchCriteriaId": "6AF5C7D2-70E8-4E1C-B712-7F9A026EAEC8", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "\nThere is a SQL injection vulnerability in some ZTE mobile internet\u00a0products.\u00a0Due to insufficient input validation of SMS interface parameter, an authenticated attacker could use the vulnerability to execute SQL injection and cause information leak.\n\n"}, {"lang": "es", "value": "Existe una vulnerabilidad de inyecci\u00f3n SQL en algunos productos de Internet m\u00f3vil de ZTE. Debido a una validaci\u00f3n de entrada insuficiente del par\u00e1metro de la interfaz SMS, un atacante autenticado podr\u00eda utilizar la vulnerabilidad para ejecutar una inyecci\u00f3n SQL y provocar una fuga de informaci\u00f3n."}], "id": "CVE-2023-25651", "lastModified": "2024-11-21T07:49:52.290", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "LOW", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 0.9, "impactScore": 3.4, "source": "psirt@zte.com.cn", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.0, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-12-14T07:15:08.270", "references": [{"source": "psirt@zte.com.cn", "tags": ["Vendor Advisory"], "url": "https://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1032684"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1032684"}], "sourceIdentifier": "psirt@zte.com.cn", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "psirt@zte.com.cn", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-89"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{

configurations : [ »

0 : { »

nodes : [ »

0 : { »

cpeMatch : [ »

0 : { »

criteria : cpe:2.3:o:zte:mf833u1_firmware:bd_mf833u1v1.0.0b01:*:*:*:*:*:*:* (string)

matchCriteriaId : 3B96CCC0-355A-45D9-A0F1-73BFB6D841F7 (string)

vulnerable : true (boolean)

}

]

negate : false (boolean)

operator : OR (string)

}

1 : { »

cpeMatch : [ »

0 : { »

criteria : cpe:2.3:h:zte:mf833u1:-:*:*:*:*:*:*:* (string)

matchCriteriaId : BCF9A3AC-95D3-4EF9-9681-737587284105 (string)

vulnerable : false (boolean)

}

]

negate : false (boolean)

operator : OR (string)

}

]

operator : AND (string)

}

1 : { »

nodes : [ »

0 : { »

cpeMatch : [ »

0 : { »

criteria : cpe:2.3:o:zte:mf286r_firmware:cr_lvwrgbmf286rv1.0.0b04:*:*:*:*:*:*:* (string)

matchCriteriaId : 501A46C7-1325-44B1-81FC-8769181A5075 (string)

vulnerable : true (boolean)

}

]

negate : false (boolean)

operator : OR (string)

}

1 : { »

cpeMatch : [ »

0 : { »

criteria : cpe:2.3:h:zte:mf286r:-:*:*:*:*:*:*:* (string)

matchCriteriaId : 6AF5C7D2-70E8-4E1C-B712-7F9A026EAEC8 (string)

vulnerable : false (boolean)

}

]

negate : false (boolean)

operator : OR (string)

}

]

operator : AND (string)

}

]

descriptions : [ »

0 : { »

lang : en (string)

value : There is a SQL injection vulnerability in some ZTE mobile internet products. Due to insufficient input validation of SMS interface parameter, an authenticated attacker could use the vulnerability to execute SQL injection and cause information leak. (string)

}

1 : { »

lang : es (string)

value : Existe una vulnerabilidad de inyección SQL en algunos productos de Internet móvil de ZTE. Debido a una validación de entrada insuficiente del parámetro de la interfaz SMS, un atacante autenticado podría utilizar la vulnerabilidad para ejecutar una inyección SQL y provocar una fuga de información. (string)

}

]

id : CVE-2023-25651 (string)

lastModified : 2024-11-21T07:49:52.290 (string)

metrics : { »

cvssMetricV31 : [ »

0 : { »

cvssData : { »

attackComplexity : LOW (string)

attackVector : ADJACENT_NETWORK (string)

availabilityImpact : LOW (string)

baseScore : 4.3 (number)

baseSeverity : MEDIUM (string)

confidentialityImpact : LOW (string)

integrityImpact : LOW (string)

privilegesRequired : HIGH (string)

scope : UNCHANGED (string)

userInteraction : NONE (string)

vectorString : CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L (string)

version : 3.1 (string)

}

exploitabilityScore : 0.9 (number)

impactScore : 3.4 (number)

source : psirt@zte.com.cn (string)

type : Secondary (string)

}

1 : { »

cvssData : { »

attackComplexity : LOW (string)

attackVector : ADJACENT_NETWORK (string)

availabilityImpact : HIGH (string)

baseScore : 8 (number)

baseSeverity : HIGH (string)

confidentialityImpact : HIGH (string)

integrityImpact : HIGH (string)

privilegesRequired : LOW (string)

scope : UNCHANGED (string)

userInteraction : NONE (string)

vectorString : CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (string)

version : 3.1 (string)

}

exploitabilityScore : 2.1 (number)

impactScore : 5.9 (number)

source : nvd@nist.gov (string)

type : Primary (string)

}

]

}

published : 2023-12-14T07:15:08.270 (string)

references : [ »

0 : { »

source : psirt@zte.com.cn (string)

tags : [ »

0 : Vendor Advisory (string)

]

url : https://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1032684 (string)

}

1 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

tags : [ »

0 : Vendor Advisory (string)

]

url : https://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1032684 (string)

}

]

sourceIdentifier : psirt@zte.com.cn (string)

vulnStatus : Modified (string)

weaknesses : [ »

0 : { »

description : [ »

0 : { »

lang : en (string)

value : CWE-20 (string)

}

]

source : psirt@zte.com.cn (string)

type : Secondary (string)

}

1 : { »

description : [ »

0 : { »

lang : en (string)

value : CWE-89 (string)

}

]

source : nvd@nist.gov (string)

type : Primary (string)

}

]

}

Metrics

Attack Vector Adjacent Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Affected Vendors & Products

Metrics

Attack Vector Adjacent Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object