CVE-2019-3414 Information

Description

All versions of the ZTE OTCP product up to V1.19.20.02 are affected by a cross-site scripting (XSS) vulnerability. When an attacker invokes the security management interface to obtain the resources of a specified operation code owned by a user, malicious script code can be transmitted in the parameter. If the front end does not properly process the result returned from the interface, the malicious script may be executed, and the user's cookie or other important information may be stolen.

CVSS Vector

CVSS:3.0/AV:A/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Reference

http://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1010883

Attack Complexity

LOW

Privileges Required

LOW

User Interaction Required

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

Base Score

4.8

Base Severity

MEDIUM
