OpenCVE

There is an unsafe DLL loading vulnerability in ZTE ZXCLOUD iRAI. Due to the program failed to adequately validate the user's input, an attacker could exploit this vulnerability to escalate local privileges.

No CVSS v4.0

Attack Vector Local

Attack Complexity High

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Zte	Zxcloud Irai Zxcloud Irai Firmware

Configuration 1 [-]

AND

cpe:2.3:o:zte:zxcloud_irai_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:zte:zxcloud_irai:-:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://https://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1034404

History

No history.

MITRE

Status: PUBLISHED

Assigner: zte

Published: 2024-01-03T01:52:10.749Z

Updated: 2024-09-06T17:48:21.970Z

Reserved: 2023-09-01T09:02:00.657Z

Link: CVE-2023-41780

Vulnrichment

Updated: 2024-08-02T19:09:48.247Z

NVD

Status : Modified

Published: 2024-01-03T02:15:43.403

Modified: 2024-11-21T08:21:40.320

Link: CVE-2023-41780

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-41780", "assignerOrgId": "6786b568-6808-4982-b61f-398b0d9679eb", "state": "PUBLISHED", "assignerShortName": "zte", "dateReserved": "2023-09-01T09:02:00.657Z", "datePublished": "2024-01-03T01:52:10.749Z", "dateUpdated": "2024-09-06T17:48:21.970Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "platforms": ["Windows"], "product": "ZXCLOUD iRAI", "vendor": "ZTE", "versions": [{"lessThanOrEqual": "7.23.23", "status": "affected", "version": "All versions up to 7.23.23", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>There is an unsafe DLL loading vulnerability in ZTE ZXCLOUD iRAI. Due to the  program  failed to adequately validate the user's input, an attacker could exploit this vulnerability  to escalate local privileges.</p><br>"}], "value": "There is an unsafe DLL loading vulnerability in ZTE ZXCLOUD iRAI. Due to the \u00a0program \u00a0failed to adequately validate the user's input, an attacker could exploit this vulnerability \u00a0to escalate local privileges.\n\n\n"}], "impacts": [{"capecId": "CAPEC-1", "descriptions": [{"lang": "en", "value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "6786b568-6808-4982-b61f-398b0d9679eb", "shortName": "zte", "dateUpdated": "2024-01-03T01:57:56.978Z"}, "references": [{"url": "https://https://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1034404"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "7.23.32"}], "value": "7.23.32"}], "source": {"discovery": "EXTERNAL"}, "title": "Unsafe DLL Loading Vulnerability in ZTE ZXCLOUD iRAI", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T19:09:48.247Z"}, "title": "CVE Program Container", "references": [{"url": "https://https://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1034404", "tags": ["x_transferred"]}]}, {"affected": [{"vendor": "zte", "product": "zxcloud_irai_firmware", "cpes": ["cpe:2.3:o:zte:zxcloud_irai_firmware:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "7.23.23", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-03-08T20:33:26.874082Z", "id": "CVE-2023-41780", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-06T17:48:21.970Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://https://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1034404", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T19:09:48.247Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-41780", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-03-08T20:33:26.874082Z"}}}], "affected": [{"cpes": ["cpe:2.3:o:zte:zxcloud_irai_firmware:*:*:*:*:*:*:*:*"], "vendor": "zte", "product": "zxcloud_irai_firmware", "versions": [{"status": "affected", "version": "0", "lessThan": "7.23.23", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-06T17:48:16.683Z"}}], "cna": {"title": "Unsafe DLL Loading Vulnerability in ZTE ZXCLOUD iRAI", "source": {"discovery": "EXTERNAL"}, "impacts": [{"capecId": "CAPEC-1", "descriptions": [{"lang": "en", "value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.4, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "ZTE", "product": "ZXCLOUD iRAI", "versions": [{"status": "affected", "version": "All versions up to 7.23.23", "versionType": "custom", "lessThanOrEqual": "7.23.23"}], "platforms": ["Windows"], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "7.23.32", "supportingMedia": [{"type": "text/html", "value": "7.23.32", "base64": false}]}], "references": [{"url": "https://https://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1034404"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "There is an unsafe DLL loading vulnerability in ZTE ZXCLOUD iRAI. Due to the \u00a0program \u00a0failed to adequately validate the user's input, an attacker could exploit this vulnerability \u00a0to escalate local privileges.\n\n\n", "supportingMedia": [{"type": "text/html", "value": "<p>There is an unsafe DLL loading vulnerability in ZTE ZXCLOUD iRAI. Due to the  program  failed to adequately validate the user's input, an attacker could exploit this vulnerability  to escalate local privileges.</p><br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "6786b568-6808-4982-b61f-398b0d9679eb", "shortName": "zte", "dateUpdated": "2024-01-03T01:57:56.978Z"}}}, "cveMetadata": {"cveId": "CVE-2023-41780", "state": "PUBLISHED", "dateUpdated": "2024-09-06T17:48:21.970Z", "dateReserved": "2023-09-01T09:02:00.657Z", "assignerOrgId": "6786b568-6808-4982-b61f-398b0d9679eb", "datePublished": "2024-01-03T01:52:10.749Z", "assignerShortName": "zte"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:zte:zxcloud_irai_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "FC0DCC6B-32B8-4C28-BDAF-37604BA1ABFC", "versionEndExcluding": "7.23.32", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:zte:zxcloud_irai:-:*:*:*:*:*:*:*", "matchCriteriaId": "6D48BE8C-7C78-41D7-87F1-22BFB91E3A5C", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "There is an unsafe DLL loading vulnerability in ZTE ZXCLOUD iRAI. Due to the \u00a0program \u00a0failed to adequately validate the user's input, an attacker could exploit this vulnerability \u00a0to escalate local privileges.\n\n\n"}, {"lang": "es", "value": "Existe una vulnerabilidad de carga de DLL insegura en ZTE ZXCLOUD iRAI. Debido a que el programa no pudo validar adecuadamente la entrada del usuario, un atacante podr\u00eda aprovechar esta vulnerabilidad para escalar los privilegios locales."}], "id": "CVE-2023-41780", "lastModified": "2024-11-21T08:21:40.320", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 0.5, "impactScore": 5.9, "source": "psirt@zte.com.cn", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-01-03T02:15:43.403", "references": [{"source": "psirt@zte.com.cn", "tags": ["Broken Link", "Vendor Advisory"], "url": "https://https://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1034404"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Broken Link", "Vendor Advisory"], "url": "https://https://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1034404"}], "sourceIdentifier": "psirt@zte.com.cn", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "psirt@zte.com.cn", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-427"}], "source": "nvd@nist.gov", "type": "Primary"}]}