ID

VAR-202312-0369


CVE

CVE-2023-25651


TITLE

SQL injection vulnerability in ZTE mf833u1 firmware and MF286R firmware

Trust: 0.8

sources: JVNDB: JVNDB-2023-020051

DESCRIPTION

There is a SQL injection vulnerability in some ZTE mobile internet products. Due to insufficient input validation of SMS interface parameter, an authenticated attacker could use the vulnerability to execute SQL injection and cause information leak. ZTE mf833u1 firmware and MF286R firmware contain a SQL injection vulnerability. Information may be obtained or tampered with, and the device may be put into a denial-of-service (DoS) state.

Trust: 1.62

sources: NVD: CVE-2023-25651 // JVNDB: JVNDB-2023-020051

AFFECTED PRODUCTS

vendor: zte, model: mf833u1, scope: eq, version: bd_mf833u1v1.0.0b01

Trust: 1.0

vendor: zte, model: mf286r, scope: eq, version: cr_lvwrgbmf286rv1.0.0b04

Trust: 1.0

vendor: zte, model: mf286r, scope: -, version: -

Trust: 0.8

vendor: zte, model: mf833u1, scope: -, version: -

Trust: 0.8

sources: JVNDB: JVNDB-2023-020051 // NVD: CVE-2023-25651

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2023-25651
value: HIGH

Trust: 1.0

psirt@zte.com.cn: CVE-2023-25651
value: MEDIUM

Trust: 1.0

NVD: CVE-2023-25651
value: HIGH

Trust: 0.8

nvd@nist.gov: CVE-2023-25651
baseSeverity: HIGH
baseScore: 8.0
vectorString: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: ADJACENT
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.1
impactScore: 5.9
version: 3.1

Trust: 1.0

psirt@zte.com.cn: CVE-2023-25651
baseSeverity: MEDIUM
baseScore: 4.3
vectorString: CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
attackVector: ADJACENT
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: LOW
exploitabilityScore: 0.9
impactScore: 3.4
version: 3.1

Trust: 1.0

NVD: CVE-2023-25651
baseSeverity: HIGH
baseScore: 8.0
vectorString: CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: ADJACENT NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: JVNDB: JVNDB-2023-020051 // NVD: CVE-2023-25651 // NVD: CVE-2023-25651

PROBLEMTYPE DATA

problemtype:CWE-89

Trust: 1.0

problemtype:CWE-20

Trust: 1.0

problemtype:SQL injection (CWE-89) [NVD evaluation]

Trust: 0.8

sources: JVNDB: JVNDB-2023-020051 // NVD: CVE-2023-25651

EXTERNAL IDS

db: NVD, id: CVE-2023-25651

Trust: 2.6

db: ZTE, id: 1032684

Trust: 1.8

db: JVNDB, id: JVNDB-2023-020051

Trust: 0.8

sources: JVNDB: JVNDB-2023-020051 // NVD: CVE-2023-25651

REFERENCES

url:https://support.zte.com.cn/support/news/loopholeinfodetail.aspx?newsid=1032684

Trust: 1.8

url:https://nvd.nist.gov/vuln/detail/cve-2023-25651

Trust: 0.8

sources: JVNDB: JVNDB-2023-020051 // NVD: CVE-2023-25651

SOURCES

db: JVNDB, id: JVNDB-2023-020051
db: NVD, id: CVE-2023-25651

LAST UPDATE DATE

2024-08-14T15:20:47.305000+00:00


SOURCES UPDATE DATE

db: JVNDB, id: JVNDB-2023-020051, date: 2024-01-16T01:02:00
db: NVD, id: CVE-2023-25651, date: 2023-12-19T18:46:27.270

SOURCES RELEASE DATE

db: JVNDB, id: JVNDB-2023-020051, date: 2024-01-16T00:00:00
db: NVD, id: CVE-2023-25651, date: 2023-12-14T07:15:08.270