Details of VAR-202211-1527

ID

VAR-202211-1527

CVE

CVE-2022-39066

TITLE

ZTE MF286R SQL injection vulnerability

Trust: 1.2

sources: CNVD: CNVD-2022-85533 // CNNVD: CNNVD-202211-3316

DESCRIPTION

There is a SQL injection vulnerability in ZTE MF286R. Due to insufficient validation of the input parameters of the phonebook interface, an authenticated attacker could use the vulnerability to execute arbitrary SQL injection. ZTE MF286R is a wireless router made by China ZTE Corporation (ZTE)

Trust: 1.53

sources: NVD: CVE-2022-39066 // CNVD: CNVD-2022-85533 // VULMON: CVE-2022-39066

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2022-85533

AFFECTED PRODUCTS

vendor:	zte	model:	mf286r	scope:	lt	version:	mf286r_b07	Trust: 1.0
vendor:	zte	model:	mf286r <mf286r b07	scope:	-	version:	-	Trust: 0.6

sources: CNVD: CNVD-2022-85533 // NVD: CVE-2022-39066

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2022-39066
value:	HIGH
Trust: 1.0
CNVD:	CNVD-2022-85533
value:	HIGH
Trust: 0.6
CNNVD:	CNNVD-202211-3316
value:	HIGH
Trust: 0.6

CNVD:	CNVD-2022-85533
severity:	HIGH
baseScore:	7.8
vectorString:	AV:N/AC:L/AU:N/C:C/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	6.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

nvd@nist.gov:	CVE-2022-39066
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	2.8
impactScore:	5.9
version:	3.1
Trust: 1.0

sources: CNVD: CNVD-2022-85533 // CNNVD: CNNVD-202211-3316 // NVD: CVE-2022-39066

PROBLEMTYPE DATA

problemtype:

CWE-89

Trust: 1.0

sources: NVD: CVE-2022-39066

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202211-3316

TYPE

SQL injection

Trust: 0.6

sources: CNNVD: CNNVD-202211-3316

PATCH

title:	Patch for ZTE MF286R SQL injection vulnerability	url:	https://www.cnvd.org.cn/patchInfo/show/365016	Trust: 0.6
title:	ZTE MF286R SQL Repair measures for injecting vulnerabilities	url:	http://123.124.177.30/web/xxk/bdxqById.tag?id=215781	Trust: 0.6

sources: CNVD: CNVD-2022-85533 // CNNVD: CNNVD-202211-3316

EXTERNAL IDS

db:	ZTE	id:	1027744	Trust: 2.3
db:	NVD	id:	CVE-2022-39066	Trust: 2.3
db:	CNVD	id:	CNVD-2022-85533	Trust: 0.6
db:	CNNVD	id:	CNNVD-202211-3316	Trust: 0.6
db:	VULMON	id:	CVE-2022-39066	Trust: 0.1

sources: CNVD: CNVD-2022-85533 // VULMON: CVE-2022-39066 // CNNVD: CNNVD-202211-3316 // NVD: CVE-2022-39066

REFERENCES

url:	https://support.zte.com.cn/support/news/loopholeinfodetail.aspx?newsid=1027744	Trust: 2.3
url:	https://cxsecurity.com/cveshow/cve-2022-39066/	Trust: 0.6
url:	https://nvd.nist.gov	Trust: 0.1

sources: CNVD: CNVD-2022-85533 // VULMON: CVE-2022-39066 // CNNVD: CNNVD-202211-3316 // NVD: CVE-2022-39066

SOURCES

db:	CNVD	id:	CNVD-2022-85533
db:	VULMON	id:	CVE-2022-39066
db:	CNNVD	id:	CNNVD-202211-3316
db:	NVD	id:	CVE-2022-39066

LAST UPDATE DATE

2024-08-14T14:37:10.521000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2022-85533	date:	2022-12-07T00:00:00
db:	VULMON	id:	CVE-2022-39066	date:	2022-11-22T00:00:00
db:	CNNVD	id:	CNNVD-202211-3316	date:	2022-12-01T00:00:00
db:	NVD	id:	CVE-2022-39066	date:	2022-11-30T13:32:37.447

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2022-85533	date:	2022-12-07T00:00:00
db:	VULMON	id:	CVE-2022-39066	date:	2022-11-22T00:00:00
db:	CNNVD	id:	CNNVD-202211-3316	date:	2022-11-22T00:00:00
db:	NVD	id:	CVE-2022-39066	date:	2022-11-22T17:15:10.017