ID CVE-2014-8357
Summary backupsettings.html in the web administrative portal in Zhone zNID GPON 2426A before S3.0.501 places a session key in a URL, which allows remote attackers to obtain arbitrary user passwords via the sessionKey parameter in a getConfig action to backupsettings.conf.
References
Vulnerable Configurations
  • cpe:2.3:o:dasanzhone:znid_2426a_firmware:*:*:*:*:*:*:*:*
  • cpe:2.3:h:dasanzhone:znid_2426a:-:*:*:*:*:*:*:*
CVSS
Base: 4.0 (as of 09-10-2018 - 19:53)
Impact:
Exploitability:
CWE CWE-255
CAPEC
Access
  • Vector: NETWORK
  • Complexity: LOW
  • Authentication: SINGLE
Impact
  • Confidentiality: PARTIAL
  • Integrity: NONE
  • Availability: NONE
cvss-vector via4 AV:N/AC:L/Au:S/C:P/I:N/A:N
refmap via4
bugtraq 20151012 Multiple Vulnerabilities found in ZHONE
exploit-db 38453
fulldisc 20151013 Vantage Point Security Advisory 2015-002
misc http://packetstormsecurity.com/files/133921/Zhone-Insecure-Reference-Password-Disclosure-Command-Injection.html
Last major update 09-10-2018 - 19:53
Published 17-10-2017 - 16:29
Last modified 09-10-2018 - 19:53