ID

VAR-202108-0467


CVE

CVE-2021-21738


TITLE

ZTE ZXIPTV cross-site scripting vulnerability

Trust: 1.2

sources: CNVD: CNVD-2023-99927 // CNNVD: CNNVD-202108-464

DESCRIPTION

ZTE's big video business platform has two reflective cross-site scripting (XSS) vulnerabilities. Due to insufficient input verification, an attacker could carry out XSS attacks by tampering with request parameters, affecting the operations of valid users. This affects: <ZXIPTV><ZXIPTV-EAS_PV5.06.04.09>. ZXIPTV contains a cross-site scripting vulnerability. Information may be obtained and information may be tampered with. ZTE ZXIPTV is a set-top box from ZTE. ZTE ZXIPTV EAS_P version 5.06.04.09 has a cross-site scripting vulnerability. This vulnerability is caused by the application failing to validate and filter user input data. An attacker can exploit this vulnerability to lure users into clicking a link containing a malicious request, causing code to be executed on the client side to steal user cookie credentials.

Trust: 2.25

sources: NVD: CVE-2021-21738 // JVNDB: JVNDB-2021-009719 // CNVD: CNVD-2023-99927 // VULMON: CVE-2021-21738

IOT TAXONOMY

category: ['IoT']
sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2023-99927

AFFECTED PRODUCTS

vendor: zte
model: zxiptv
scope: eq
version: zxiptv-eas_pv5.06.04.09

Trust: 1.0

vendor: zte
model: zxiptv
scope: eq
version: -eas_pv5.06.04.09

Trust: 0.8

vendor: zte
model: zxiptv
scope: eq
version: -

Trust: 0.8

vendor: zte
model: zxiptv
scope: eq
version: 5.06.04.09

Trust: 0.6

sources: CNVD: CNVD-2023-99927 // JVNDB: JVNDB-2021-009719 // NVD: CVE-2021-21738

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2021-21738
value: MEDIUM

Trust: 1.0

NVD: CVE-2021-21738
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2023-99927
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-202108-464
value: MEDIUM

Trust: 0.6

VULMON: CVE-2021-21738
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2021-21738
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

CNVD: CNVD-2023-99927
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

nvd@nist.gov: CVE-2021-21738
baseSeverity: MEDIUM
baseScore: 6.1
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 2.7
version: 3.1

Trust: 1.0

NVD: CVE-2021-21738
baseSeverity: MEDIUM
baseScore: 6.1
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2023-99927 // VULMON: CVE-2021-21738 // JVNDB: JVNDB-2021-009719 // CNNVD: CNNVD-202108-464 // NVD: CVE-2021-21738

PROBLEMTYPE DATA

problemtype: CWE-79

Trust: 1.0

problemtype: Cross-site scripting (CWE-79) [NVD Evaluation]

Trust: 0.8

sources: JVNDB: JVNDB-2021-009719 // NVD: CVE-2021-21738

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202108-464

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-202108-464

PATCH

title: Reflective XSS Vulnerability in ZTE ZXIPTV
url: https://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1016764

Trust: 0.8

title: Patch for ZTE ZXIPTV cross-site scripting vulnerability
url: https://www.cnvd.org.cn/patchInfo/show/508396

Trust: 0.6

title: ZTE ZXIPTV Fixes for cross-site scripting vulnerabilities
url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=159855

Trust: 0.6

sources: CNVD: CNVD-2023-99927 // JVNDB: JVNDB-2021-009719 // CNNVD: CNNVD-202108-464

EXTERNAL IDS

db: NVD
id: CVE-2021-21738

Trust: 3.9

db: ZTE
id: 1016764

Trust: 1.7

db: JVNDB
id: JVNDB-2021-009719

Trust: 0.8

db: CNVD
id: CNVD-2023-99927

Trust: 0.6

db: CNNVD
id: CNNVD-202108-464

Trust: 0.6

db: VULMON
id: CVE-2021-21738

Trust: 0.1

sources: CNVD: CNVD-2023-99927 // VULMON: CVE-2021-21738 // JVNDB: JVNDB-2021-009719 // CNNVD: CNNVD-202108-464 // NVD: CVE-2021-21738

REFERENCES

url: https://nvd.nist.gov/vuln/detail/cve-2021-21738

Trust: 2.0

url: https://support.zte.com.cn/support/news/loopholeinfodetail.aspx?newsid=1016764

Trust: 1.7

url: https://cwe.mitre.org/data/definitions/79.html

Trust: 0.1

url: https://nvd.nist.gov

Trust: 0.1

sources: CNVD: CNVD-2023-99927 // VULMON: CVE-2021-21738 // JVNDB: JVNDB-2021-009719 // CNNVD: CNNVD-202108-464 // NVD: CVE-2021-21738

SOURCES

db: CNVD, id: CNVD-2023-99927
db: VULMON, id: CVE-2021-21738
db: JVNDB, id: JVNDB-2021-009719
db: CNNVD, id: CNNVD-202108-464
db: NVD, id: CVE-2021-21738

LAST UPDATE DATE

2024-08-14T14:03:06.594000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2023-99927, date: 2023-12-22T00:00:00
db: VULMON, id: CVE-2021-21738, date: 2021-08-12T00:00:00
db: JVNDB, id: JVNDB-2021-009719, date: 2022-05-18T02:04:00
db: CNNVD, id: CNNVD-202108-464, date: 2021-08-24T00:00:00
db: NVD, id: CVE-2021-21738, date: 2021-08-12T14:50:39.277

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2023-99927, date: 2023-12-22T00:00:00
db: VULMON, id: CVE-2021-21738, date: 2021-08-05T00:00:00
db: JVNDB, id: JVNDB-2021-009719, date: 2022-05-18T00:00:00
db: CNNVD, id: CNNVD-202108-464, date: 2021-08-05T00:00:00
db: NVD, id: CVE-2021-21738, date: 2021-08-05T20:15:07.660