6.1

CVE-2020-6872

The server management software module of ZTE has a storage XSS vulnerability. The attacker inserts some attack codes through the foreground login page, which will cause the user to execute the predefined malicious script in the browser. This affects <R5300G4V03.08.0100/V03.07.0300/V03.07.0200/V03.07.0108/V03.07.0100/V03.05.0047/V03.05.0046/V03.05.0045/V03.05.0044/V03.05.0043/V03.05.0040/V03.04.0020;R8500G4V03.07.0103/V03.07.0101/V03.06.0100/V03.05.0400/V03.05.0020;R5500G4V03.08.0100/V03.07.0200/V03.07.0100/V03.06.0100>.

Data is provided by the National Vulnerability Database (NVD)
ZteR8500g4 Firmware Version03.05.0020
   ZteR8500g4 Version-
ZteR8500g4 Firmware Version03.05.0400
   ZteR8500g4 Version-
ZteR8500g4 Firmware Version03.06.0100
   ZteR8500g4 Version-
ZteR8500g4 Firmware Version03.07.0101
   ZteR8500g4 Version-
ZteR8500g4 Firmware Version03.07.0103
   ZteR8500g4 Version-
ZteR5500g4 Firmware Version03.06.0100
   ZteR5500g4 Version-
ZteR5500g4 Firmware Version03.07.0100
   ZteR5500g4 Version-
ZteR5500g4 Firmware Version03.07.0200
   ZteR5500g4 Version-
ZteR5500g4 Firmware Version03.08.0100
   ZteR5500g4 Version-
ZteR5300g4 Firmware Version03.04.0020
   ZteR5300g4 Version-
ZteR5300g4 Firmware Version03.05.0040
   ZteR5300g4 Version-
ZteR5300g4 Firmware Version03.05.0043
   ZteR5300g4 Version-
ZteR5300g4 Firmware Version03.05.0044
   ZteR5300g4 Version-
ZteR5300g4 Firmware Version03.05.0045
   ZteR5300g4 Version-
ZteR5300g4 Firmware Version03.05.0046
   ZteR5300g4 Version-
ZteR5300g4 Firmware Version03.05.0047
   ZteR5300g4 Version-
ZteR5300g4 Firmware Version03.07.0100
   ZteR5300g4 Version-
ZteR5300g4 Firmware Version03.07.0108
   ZteR5300g4 Version-
ZteR5300g4 Firmware Version03.07.0200
   ZteR5300g4 Version-
ZteR5300g4 Firmware Version03.07.0300
   ZteR5300g4 Version-
ZteR5300g4 Firmware Version03.08.0100
   ZteR5300g4 Version-
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
EPSS Metriken
Type Source Score Percentile
EPSS FIRST.org 0.42% 0.59
CVSS Metriken
Source Base Score Exploit Score Impact Score Vector string
nvd@nist.gov 6.1 2.8 2.7
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
nvd@nist.gov 4.3 8.6 2.9
AV:N/AC:M/Au:N/C:N/I:P/A:N
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.