CVE-2024-22069

There is a permission and access control vulnerability of ZTE's ZXV10 XT802/ET301 product.Attackers with common permissions can log in the terminal web and change the password of the administrator illegally by intercepting requests to change the passwords.

CVSS v3 8.8 HIGH

8.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1036424	Vendor Advisory

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:zte:zxv10_et301_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:zte:zxv10_et301:*:*:*:*:*:*:*:*

Configuration 2 (hide)

AND

cpe:2.3:o:zte:zxv10_xt802_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:zte:zxv10_xt802:*:*:*:*:*:*:*:*

History

20 Aug 2024, 17:22

Type	Values Removed	Values Added
First Time		Zte zxv10 Et301 Zte Zte zxv10 Xt802 Firmware Zte zxv10 Xt802 Zte zxv10 Et301 Firmware
CWE		NVD-CWE-noinfo
CVSS	v2 : ~~unknown~~ v3 : ~~7.1~~	v2 : unknown v3 : 8.8
References	~~() https://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1036424 -~~	() https://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1036424 - Vendor Advisory
CPE		cpe:2.3:o:zte:zxv10_xt802_firmware:::::::: cpe:2.3:h:zte:zxv10_xt802:::::::: cpe:2.3:o:zte:zxv10_et301_firmware:::::::: cpe:2.3:h:zte:zxv10_et301::::::::

08 Aug 2024, 13:04

Type	Values Removed	Values Added
Summary		(es) Existe una vulnerabilidad de permiso y control de acceso del producto ZXV10 XT802/ET301 de ZTE. Los atacantes con permisos comunes pueden iniciar sesión en la web del terminal y cambiar la contraseña del administrador ilegalmente interceptando solicitudes para cambiar las contraseñas.

08 Aug 2024, 08:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-08-08 08:15

Updated : 2024-08-20 17:22

NVD link : CVE-2024-22069

Mitre link : CVE-2024-22069

CVE.ORG link : CVE-2024-22069

JSON object : View

Products Affected

zte

zxv10_et301
zxv10_xt802_firmware
zxv10_et301_firmware
zxv10_xt802

CWE

NVD-CWE-noinfo CWE-269

Improper Privilege Management

{"id": "CVE-2024-22069", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}, {"type": "Secondary", "source": "psirt@zte.com.cn", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.3, "exploitabilityScore": 1.3}]}, "published": "2024-08-08T08:15:05.123", "references": [{"url": "https://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1036424", "tags": ["Vendor Advisory"], "source": "psirt@zte.com.cn"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}, {"type": "Secondary", "source": "psirt@zte.com.cn", "description": [{"lang": "en", "value": "CWE-269"}]}], "descriptions": [{"lang": "en", "value": "There is a permission and access control vulnerability of ZTE's ZXV10 XT802/ET301 product.Attackers with common permissions can log in the terminal web and change the password of the administrator illegally by intercepting requests to change the passwords."}, {"lang": "es", "value": "Existe una vulnerabilidad de permiso y control de acceso del producto ZXV10 XT802/ET301 de ZTE. Los atacantes con permisos comunes pueden iniciar sesi\u00f3n en la web del terminal y cambiar la contrase\u00f1a del administrador ilegalmente interceptando solicitudes para cambiar las contrase\u00f1as."}], "lastModified": "2024-08-20T17:22:39.500", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:zte:zxv10_et301_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "186C3F1A-7F78-49C0-90E6-2BE0F886476B", "versionEndExcluding": "v3.22.11p3"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:zte:zxv10_et301:*:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "0DEBA407-CA72-4047-AF67-04714058C326"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:zte:zxv10_xt802_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3DD663A2-181C-40C4-920D-D81719C6195F", "versionEndExcluding": "v2.24.10p1"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:zte:zxv10_xt802:*:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "CF753B8F-BEAC-4095-8E7A-526A9B89049F"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "psirt@zte.com.cn"}