Details of VAR-202108-0467

ID

VAR-202108-0467

CVE

CVE-2021-21738

TITLE

ZTE ZXIPTV cross-site scripting vulnerability

Trust: 1.2

sources: CNVD: CNVD-2023-99927 // CNNVD: CNNVD-202108-464

DESCRIPTION

ZTE's big video business platform has two reflective cross-site scripting (XSS) vulnerabilities. Due to insufficient input verification, the attacker could implement XSS attacks by tampering with the parameters, to affect the operations of valid users. This affects: <ZXIPTV><ZXIPTV-EAS_PV5.06.04.09>. ZXIPTV Contains a cross-site scripting vulnerability.Information may be obtained and information may be tampered with. ZTE ZXIPTV is a set-top box from ZTE. ZTE ZXIPTV EAS_P version 5.06.04.09 has a cross-site scripting vulnerability. This vulnerability is caused by the application's lack of checksum of user input data to filter the input data. An attacker can exploit this vulnerability to lure users to click on a link containing a malicious request, causing code to be executed on the client side to steal user cookie credentials

Trust: 2.25

sources: NVD: CVE-2021-21738 // JVNDB: JVNDB-2021-009719 // CNVD: CNVD-2023-99927 // VULMON: CVE-2021-21738

IOT TAXONOMY

category:

['IoT']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2023-99927

AFFECTED PRODUCTS

vendor:	zte	model:	zxiptv	scope:	eq	version:	zxiptv-eas_pv5.06.04.09	Trust: 1.0
vendor:	zte	model:	zxiptv	scope:	eq	version:	-eas_pv5.06.04.09	Trust: 0.8
vendor:	zte	model:	zxiptv	scope:	eq	version:	-	Trust: 0.8
vendor:	zte	model:	zxiptv	scope:	eq	version:	5.06.04.09	Trust: 0.6

sources: CNVD: CNVD-2023-99927 // JVNDB: JVNDB-2021-009719 // NVD: CVE-2021-21738

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2021-21738
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2021-21738
value:	MEDIUM
Trust: 0.8
CNVD:	CNVD-2023-99927
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-202108-464
value:	MEDIUM
Trust: 0.6
VULMON:	CVE-2021-21738
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2021-21738
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9
CNVD:	CNVD-2023-99927
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

nvd@nist.gov:	CVE-2021-21738
baseSeverity:	MEDIUM
baseScore:	6.1
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	CHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	2.8
impactScore:	2.7
version:	3.1
Trust: 1.0
NVD:	CVE-2021-21738
baseSeverity:	MEDIUM
baseScore:	6.1
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	CHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: CNVD: CNVD-2023-99927 // VULMON: CVE-2021-21738 // JVNDB: JVNDB-2021-009719 // CNNVD: CNNVD-202108-464 // NVD: CVE-2021-21738

PROBLEMTYPE DATA

problemtype:	CWE-79	Trust: 1.0
problemtype:	Cross-site scripting (CWE-79) [NVD Evaluation ]	Trust: 0.8

sources: JVNDB: JVNDB-2021-009719 // NVD: CVE-2021-21738

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202108-464

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-202108-464

PATCH

title:	Reflective XSS Vulnerability in ZTE ZXIPTV	url:	https://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1016764	Trust: 0.8
title:	Patch for ZTE ZXIPTV cross-site scripting vulnerability	url:	https://www.cnvd.org.cn/patchInfo/show/508396	Trust: 0.6
title:	ZTE ZXIPTV Fixes for cross-site scripting vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=159855	Trust: 0.6

sources: CNVD: CNVD-2023-99927 // JVNDB: JVNDB-2021-009719 // CNNVD: CNNVD-202108-464

EXTERNAL IDS

db:	NVD	id:	CVE-2021-21738	Trust: 3.9
db:	ZTE	id:	1016764	Trust: 1.7
db:	JVNDB	id:	JVNDB-2021-009719	Trust: 0.8
db:	CNVD	id:	CNVD-2023-99927	Trust: 0.6
db:	CNNVD	id:	CNNVD-202108-464	Trust: 0.6
db:	VULMON	id:	CVE-2021-21738	Trust: 0.1

sources: CNVD: CNVD-2023-99927 // VULMON: CVE-2021-21738 // JVNDB: JVNDB-2021-009719 // CNNVD: CNNVD-202108-464 // NVD: CVE-2021-21738

REFERENCES

url:	https://nvd.nist.gov/vuln/detail/cve-2021-21738	Trust: 2.0
url:	https://support.zte.com.cn/support/news/loopholeinfodetail.aspx?newsid=1016764	Trust: 1.7
url:	https://cwe.mitre.org/data/definitions/79.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1

sources: CNVD: CNVD-2023-99927 // VULMON: CVE-2021-21738 // JVNDB: JVNDB-2021-009719 // CNNVD: CNNVD-202108-464 // NVD: CVE-2021-21738

SOURCES

db:	CNVD	id:	CNVD-2023-99927
db:	VULMON	id:	CVE-2021-21738
db:	JVNDB	id:	JVNDB-2021-009719
db:	CNNVD	id:	CNNVD-202108-464
db:	NVD	id:	CVE-2021-21738

LAST UPDATE DATE

2024-08-14T14:03:06.594000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2023-99927	date:	2023-12-22T00:00:00
db:	VULMON	id:	CVE-2021-21738	date:	2021-08-12T00:00:00
db:	JVNDB	id:	JVNDB-2021-009719	date:	2022-05-18T02:04:00
db:	CNNVD	id:	CNNVD-202108-464	date:	2021-08-24T00:00:00
db:	NVD	id:	CVE-2021-21738	date:	2021-08-12T14:50:39.277

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2023-99927	date:	2023-12-22T00:00:00
db:	VULMON	id:	CVE-2021-21738	date:	2021-08-05T00:00:00
db:	JVNDB	id:	JVNDB-2021-009719	date:	2022-05-18T00:00:00
db:	CNNVD	id:	CNNVD-202108-464	date:	2021-08-05T00:00:00
db:	NVD	id:	CVE-2021-21738	date:	2021-08-05T20:15:07.660