ID

VAR-201907-0093


CVE

CVE-2019-3414


TITLE

ZTE OTCP Vulnerable to cross-site scripting

Trust: 0.8

sources: JVNDB: JVNDB-2019-006806

DESCRIPTION

All versions up to V1.19.20.02 of the ZTE OTCP product are impacted by an XSS vulnerability. Due to XSS, when an attacker invokes the security management to obtain the resources of the specified operation code owned by a user, the malicious script code could be transmitted in the parameter. If the front end does not process the returned result from the interface properly, the malicious script may be executed and the user cookie or other important information may be stolen. ZTE OTCP contains a cross-site scripting vulnerability. Information may be obtained and information may be altered. ZTE OTCP is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. This may help the attacker steal cookie-based authentication credentials and launch other attacks. ZTE OTCP version 1.19.20.02 and prior are vulnerable. ZTE OTCP is a set of next-generation network management platform products of China ZTE Corporation (ZTE). The vulnerability stems from the lack of correct validation of client data in web applications. An attacker could exploit this vulnerability to execute client code.

Trust: 1.98

sources: NVD: CVE-2019-3414 // JVNDB: JVNDB-2019-006806 // BID: 109345 // VULHUB: VHN-154849

AFFECTED PRODUCTS

vendor: zte, model: otcp, scope: lte, version: 1.19.20.02

Trust: 1.8

vendor: zte, model: otcp, scope: eq, version: 1.19.20.02

Trust: 0.3

vendor: zte, model: otcp, scope: ne, version: 1.19.20.03

Trust: 0.3

sources: BID: 109345 // JVNDB: JVNDB-2019-006806 // NVD: CVE-2019-3414

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-3414
value: MEDIUM

Trust: 1.0

NVD: CVE-2019-3414
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201907-1189
value: MEDIUM

Trust: 0.6

VULHUB: VHN-154849
value: LOW

Trust: 0.1

nvd@nist.gov: CVE-2019-3414
severity: LOW
baseScore: 2.3
vectorString: AV:A/AC:M/AU:S/C:N/I:P/A:N
accessVector: ADJACENT_NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 4.4
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-154849
severity: LOW
baseScore: 2.3
vectorString: AV:A/AC:M/AU:S/C:N/I:P/A:N
accessVector: ADJACENT_NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 4.4
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2019-3414
baseSeverity: MEDIUM
baseScore: 4.8
vectorString: CVSS:3.0/AV:A/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
attackVector: ADJACENT
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 1.7
impactScore: 2.7
version: 3.0

Trust: 1.8

sources: VULHUB: VHN-154849 // JVNDB: JVNDB-2019-006806 // CNNVD: CNNVD-201907-1189 // NVD: CVE-2019-3414

PROBLEMTYPE DATA

problemtype:CWE-79

Trust: 1.9

sources: VULHUB: VHN-154849 // JVNDB: JVNDB-2019-006806 // NVD: CVE-2019-3414

THREAT TYPE

remote or local

Trust: 0.6

sources: CNNVD: CNNVD-201907-1189

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201907-1189

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-006806

PATCH

title: Cross-Site Scripting Vulnerability in ZTE OTCP
url: http://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1010883

Trust: 0.8

title: ZTE OTCP Fixes for cross-site scripting vulnerabilities
url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=95358

Trust: 0.6

sources: JVNDB: JVNDB-2019-006806 // CNNVD: CNNVD-201907-1189

EXTERNAL IDS

db: NVD, id: CVE-2019-3414

Trust: 2.8

db: ZTE, id: 1010883

Trust: 2.0

db: JVNDB, id: JVNDB-2019-006806

Trust: 0.8

db: CNNVD, id: CNNVD-201907-1189

Trust: 0.7

db: BID, id: 109345

Trust: 0.3

db: VULHUB, id: VHN-154849

Trust: 0.1

sources: VULHUB: VHN-154849 // BID: 109345 // JVNDB: JVNDB-2019-006806 // CNNVD: CNNVD-201907-1189 // NVD: CVE-2019-3414

REFERENCES

url:http://support.zte.com.cn/support/news/loopholeinfodetail.aspx?newsid=1010883

Trust: 2.0

url:https://nvd.nist.gov/vuln/detail/cve-2019-3414

Trust: 1.4

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-3414

Trust: 0.8

url:https://www.zte.com.cn

Trust: 0.3

sources: VULHUB: VHN-154849 // BID: 109345 // JVNDB: JVNDB-2019-006806 // CNNVD: CNNVD-201907-1189 // NVD: CVE-2019-3414

CREDITS

The vendor reported this issue.

Trust: 0.3

sources: BID: 109345

SOURCES

db: VULHUB, id: VHN-154849
db: BID, id: 109345
db: JVNDB, id: JVNDB-2019-006806
db: CNNVD, id: CNNVD-201907-1189
db: NVD, id: CVE-2019-3414

LAST UPDATE DATE

2024-11-23T22:44:57.551000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-154849, date: 2019-07-25T00:00:00
db: BID, id: 109345, date: 2019-06-26T00:00:00
db: JVNDB, id: JVNDB-2019-006806, date: 2019-07-29T00:00:00
db: CNNVD, id: CNNVD-201907-1189, date: 2019-07-26T00:00:00
db: NVD, id: CVE-2019-3414, date: 2024-11-21T04:42:03.223

SOURCES RELEASE DATE

db: VULHUB, id: VHN-154849, date: 2019-07-22T00:00:00
db: BID, id: 109345, date: 2019-06-26T00:00:00
db: JVNDB, id: JVNDB-2019-006806, date: 2019-07-29T00:00:00
db: CNNVD, id: CNNVD-201907-1189, date: 2019-07-22T00:00:00
db: NVD, id: CVE-2019-3414, date: 2019-07-22T19:15:14.033