CVE-2014-8357 - backupsettings.html in the web administrative portal in Zhone zNID GPON 2426A before S3.0.501 places

CVE-2014-8357

Summary

backupsettings.html in the web administrative portal in Zhone zNID GPON 2426A before S3.0.501 places a session key in a URL, which allows remote attackers to obtain arbitrary user passwords via the sessionKey parameter in a getConfig action to backupsettings.conf.

References

Vulnerable Configurations

cpe:2.3:o:dasanzhone:znid_2426a_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:dasanzhone:znid_2426a_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:dasanzhone:znid_2426a:-:*:*:*:*:*:*:*
cpe:2.3:h:dasanzhone:znid_2426a:-:*:*:*:*:*:*:*

CVSS

Base:	4.0 (as of 09-10-2018 - 19:53)
Impact:
Exploitability:

CWE

CWE-255

CAPEC

Access

Vector	Complexity	Authentication
NETWORK	LOW	SINGLE

Impact

Confidentiality	Integrity	Availability
PARTIAL	NONE	NONE

cvss-vector via4

AV:N/AC:L/Au:S/C:P/I:N/A:N

refmap via4

bugtraq	20151012 Multiple Vulnerabilities found in ZHONE
exploit-db	38453
fulldisc	20151013 Vantage Point Security Advisory 2015-002
misc	http://packetstormsecurity.com/files/133921/Zhone-Insecure-Reference-Password-Disclosure-Command-Injection.html

Last major update

09-10-2018 - 19:53

Published

17-10-2017 - 16:29

Last modified

09-10-2018 - 19:53