VAR-201411-0113
Vulnerability from variot - Updated: 2025-04-13 23:26
Multiple cross-site request forgery (CSRF) vulnerabilities in ZTE ZXDSL 831CII allow remote attackers to hijack the authentication of administrators for requests that (1) change the admin user name or (2) conduct cross-site scripting (XSS) attacks via the sysUserName parameter in a save action to adminpasswd.cgi or (3) change the admin user password via the sysPassword parameter in a save action to adminpasswd.cgi. The ZTE 831CII is a router device. ZTE 831CII is prone to the following security vulnerabilities:
1. An HTML-injection vulnerability
2. A cross-site request-forgery vulnerability
3. An unspecified clickjacking vulnerability
4. An information-disclosure vulnerability
5. Other attacks are also possible.
ZTE ZXDSL 831CII is an ADSL modem product of China ZTE Corporation (ZTE). The vulnerability comes from the fact that the adminpasswd.cgi file does not fully filter the 'sysUserName' and 'sysPassword' parameters when the program executes the save operation.
Hardcoded default misconfiguration - The modem comes with admin:admin user credentials.
Stored XSS - http://192.168.1.1/psilan.cgi?action=save&ethIpAddress=192.168.1.1&ethSubnetMask=255.255.255.0&hostname=ZXDSL83C1II&domainname=home%27;alert%280%29;//&enblUpnp=1&enblLan2=0
Any user browsing to http://192.168.1.1/main.html will have a stored XSS executed!
CSRF based Stored XSS - http://192.168.1.1/adminpasswd.cgi?action=save&sysUserName=%27;alert%280%29;//&sysPassword=37F6E6F627B6 - letting an admin visit this link would result in the admin username being changed to ';alert(0);// and also in a stored XSS in the home page.
CSRF - There is no token/CAPTCHA or even a current password prompt when the admin changes the password, and credentials are sent over GET. PoC: http://192.168.1.1/adminpasswd.cgi?action=save&sysUserName=admin&sysPassword=F6C656269697 If an authenticated admin browses that link, their credentials will become admin:yibelo
UI Redressing - The modem (like most modems) does not have clickjacking protection. Thus, it can be used to modify settings and override admin accounts by a simple clickjack. For example, by using http://192.168.1.1/adminpasswd.html it is possible to trick an admin into submitting a form with our credentials (since it doesn't require the current password).
Not using SSL - The modem does not use HTTPS, so anyone can use MiTM to sniff ongoing actions and possibly gain user credentials.
Unrestricted privileges - Anyone who is connected to the modem with Telnet or tftp is root. Simply telnetting and authenticating as admin:admin and typing sh and echo $USER would prove that.
{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-201411-0113",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "zxdsl",
"scope": "eq",
"trust": 2.4,
"vendor": "zte",
"version": "831cii"
},
{
"model": "831cii",
"scope": null,
"trust": 0.6,
"vendor": "zte",
"version": null
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2014-08309"
},
{
"db": "JVNDB",
"id": "JVNDB-2014-005570"
},
{
"db": "CNNVD",
"id": "CNNVD-201411-230"
},
{
"db": "NVD",
"id": "CVE-2014-9019"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"cpe_match": [
{
"cpe22Uri": "cpe:/h:zte:zxdsl",
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2014-005570"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "habte.yibelo",
"sources": [
{
"db": "BID",
"id": "70984"
},
{
"db": "CNNVD",
"id": "CNNVD-201411-230"
}
],
"trust": 0.9
},
"cve": "CVE-2014-9019",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "nvd@nist.gov",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 8.6,
"id": "CVE-2014-9019",
"impactScore": 6.4,
"integrityImpact": "PARTIAL",
"severity": "MEDIUM",
"trust": 1.8,
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "CNVD",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 10.0,
"id": "CNVD-2014-08309",
"impactScore": 2.9,
"integrityImpact": "NONE",
"severity": "MEDIUM",
"trust": 0.6,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
{
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "VULHUB",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 8.6,
"id": "VHN-76964",
"impactScore": 6.4,
"integrityImpact": "PARTIAL",
"severity": "MEDIUM",
"trust": 0.1,
"vectorString": "AV:N/AC:M/AU:N/C:P/I:P/A:P",
"version": "2.0"
}
],
"cvssV3": [],
"severity": [
{
"author": "nvd@nist.gov",
"id": "CVE-2014-9019",
"trust": 1.0,
"value": "MEDIUM"
},
{
"author": "NVD",
"id": "CVE-2014-9019",
"trust": 0.8,
"value": "Medium"
},
{
"author": "CNVD",
"id": "CNVD-2014-08309",
"trust": 0.6,
"value": "MEDIUM"
},
{
"author": "CNNVD",
"id": "CNNVD-201411-230",
"trust": 0.6,
"value": "MEDIUM"
},
{
"author": "VULHUB",
"id": "VHN-76964",
"trust": 0.1,
"value": "MEDIUM"
}
]
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2014-08309"
},
{
"db": "VULHUB",
"id": "VHN-76964"
},
{
"db": "JVNDB",
"id": "JVNDB-2014-005570"
},
{
"db": "CNNVD",
"id": "CNNVD-201411-230"
},
{
"db": "NVD",
"id": "CVE-2014-9019"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Multiple cross-site request forgery (CSRF) vulnerabilities in ZTE ZXDSL 831CII allow remote attackers to hijack the authentication of administrators for requests that (1) change the admin user name or (2) conduct cross-site scripting (XSS) attacks via the sysUserName parameter in a save action to adminpasswd.cgi or (3) change the admin user password via the sysPassword parameter in a save action to adminpasswd.cgi. The ZTE 831CII is a router device. ZTE 831CII is prone to the following security vulnerabilities:\n1. An HTML-injection vulnerability\n2. A cross-site request-forgery vulnerability\n3. An unspecified clickjacking vulnerability\n4. An information-disclosure vulnerability\n5. Other attacks are also possible. ZTE ZXDSL 831CII is an ADSL modem (Modem) product of China ZTE Corporation (ZTE). The vulnerability comes from the fact that the adminpasswd.cgi file does not fully filter the \u0027sysUserName\u0027 and \u0027sysPassword\u0027 parameters when the program executes the save operation. Hardcoded default misconfiguration - The modem comes with admin:admin user credintials. \n\nStored XSS - http://192.168.1.1/psilan.cgi?action=save\u0026ethIpAddress=192.168.1.1\u0026ethSubnetMask=255.255.255.0\u0026hostname=ZXDSL83C1II\u0026domainname=home%27;alert%280%29;//\u0026enblUpnp=1\u0026enblLan2=0\nAny user browsing to http://192.168.1.1/main.html will have a stored xss executed!\n\nCSRF based Stored XSS - http://192.168.1.1/adminpasswd.cgi?action=save\u0026sysUserName=%27;alert%280%29;//\u0026sysPassword=37F6E6F627B6 - letting an admin visit this link would result the admin username changed to \u0027;alert(0);// also a stored XSS in the home page. \n\nCSRF - there is no token/capcha or even current password prompt when the admin changes the password, and creditintials are sent over GET. 
PoC: http://192.168.1.1/adminpasswd.cgi?action=save\u0026sysUserName=admin\u0026sysPassword=F6C656269697\nif an authenticated admin browses that link their credintials will become admin:yibelo\n\nUI Redressing - The modem (like most modems) does not have a clickjacking protection. thus, can be used to modify settings, override admin accounts by a simple clickjack. forexample by using http://192.168.1.1/adminpasswd.html it is possible into tricking an admin submit a form with our credintials (since it doesn\u0027t require current password)\n\nnot using SSL - The modem does not use HTTPS, so anyone can use MiTM to sniff on going actions, possibly gain user credintials. \n\nUnrestricted privileges - anyone who is connected to the modem with Telnet or tftp is root. simply telneting and authenticating as admin:admin and typing sh and echo $USER would prove that",
"sources": [
{
"db": "NVD",
"id": "CVE-2014-9019"
},
{
"db": "JVNDB",
"id": "JVNDB-2014-005570"
},
{
"db": "CNVD",
"id": "CNVD-2014-08309"
},
{
"db": "BID",
"id": "70984"
},
{
"db": "VULHUB",
"id": "VHN-76964"
},
{
"db": "PACKETSTORM",
"id": "129016"
}
],
"trust": 2.61
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2014-9019",
"trust": 3.5
},
{
"db": "BID",
"id": "70984",
"trust": 2.6
},
{
"db": "PACKETSTORM",
"id": "129016",
"trust": 1.8
},
{
"db": "JVNDB",
"id": "JVNDB-2014-005570",
"trust": 0.8
},
{
"db": "CNNVD",
"id": "CNNVD-201411-230",
"trust": 0.7
},
{
"db": "CNVD",
"id": "CNVD-2014-08309",
"trust": 0.6
},
{
"db": "XF",
"id": "98585",
"trust": 0.6
},
{
"db": "VULHUB",
"id": "VHN-76964",
"trust": 0.1
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2014-08309"
},
{
"db": "VULHUB",
"id": "VHN-76964"
},
{
"db": "BID",
"id": "70984"
},
{
"db": "JVNDB",
"id": "JVNDB-2014-005570"
},
{
"db": "PACKETSTORM",
"id": "129016"
},
{
"db": "CNNVD",
"id": "CNNVD-201411-230"
},
{
"db": "NVD",
"id": "CVE-2014-9019"
}
]
},
"id": "VAR-201411-0113",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "CNVD",
"id": "CNVD-2014-08309"
},
{
"db": "VULHUB",
"id": "VHN-76964"
}
],
"trust": 1.5076923199999999
},
"iot_taxonomy": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"category": [
"Network device"
],
"sub_category": null,
"trust": 0.6
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2014-08309"
}
]
},
"last_update_date": "2025-04-13T23:26:47.923000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "Top Page",
"trust": 0.8,
"url": "http://wwwen.zte.com.cn/en/"
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2014-005570"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-352",
"trust": 1.9
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-76964"
},
{
"db": "JVNDB",
"id": "JVNDB-2014-005570"
},
{
"db": "NVD",
"id": "CVE-2014-9019"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 1.7,
"url": "http://www.securityfocus.com/bid/70984"
},
{
"trust": 1.7,
"url": "http://packetstormsecurity.com/files/129016/zte-831cii-hardcoded-credential-xss-csrf.html"
},
{
"trust": 1.4,
"url": "http://www.securityfocus.com/archive/1/archive/1/533930/100/0/threaded"
},
{
"trust": 1.1,
"url": "http://www.securityfocus.com/archive/1/533930/100/0/threaded"
},
{
"trust": 1.1,
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/98585"
},
{
"trust": 0.8,
"url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-9019"
},
{
"trust": 0.8,
"url": "http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-9019"
},
{
"trust": 0.6,
"url": "http://www.securityfocus.com/bid/70984/"
},
{
"trust": 0.6,
"url": "http://xforce.iss.net/xforce/xfdb/98585"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2014-9183"
},
{
"trust": 0.1,
"url": "http://192.168.1.1/psilan.cgi?action=save\u0026ethipaddress=192.168.1.1\u0026ethsubnetmask=255.255.255.0\u0026hostname=zxdsl83c1ii\u0026domainname=home%27;alert%280%29;//\u0026enblupnp=1\u0026enbllan2=0"
},
{
"trust": 0.1,
"url": "http://192.168.1.1/adminpasswd.html"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2014-9019"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2014-9020"
},
{
"trust": 0.1,
"url": "http://192.168.1.1/main.html"
},
{
"trust": 0.1,
"url": "http://192.168.1.1/adminpasswd.cgi?action=save\u0026sysusername=%27;alert%280%29;//\u0026syspassword=37f6e6f627b6"
},
{
"trust": 0.1,
"url": "http://192.168.1.1/adminpasswd.cgi?action=save\u0026sysusername=admin\u0026syspassword=f6c656269697"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2014-08309"
},
{
"db": "VULHUB",
"id": "VHN-76964"
},
{
"db": "JVNDB",
"id": "JVNDB-2014-005570"
},
{
"db": "PACKETSTORM",
"id": "129016"
},
{
"db": "CNNVD",
"id": "CNNVD-201411-230"
},
{
"db": "NVD",
"id": "CVE-2014-9019"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "CNVD",
"id": "CNVD-2014-08309"
},
{
"db": "VULHUB",
"id": "VHN-76964"
},
{
"db": "BID",
"id": "70984"
},
{
"db": "JVNDB",
"id": "JVNDB-2014-005570"
},
{
"db": "PACKETSTORM",
"id": "129016"
},
{
"db": "CNNVD",
"id": "CNNVD-201411-230"
},
{
"db": "NVD",
"id": "CVE-2014-9019"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2014-11-17T00:00:00",
"db": "CNVD",
"id": "CNVD-2014-08309"
},
{
"date": "2014-11-20T00:00:00",
"db": "VULHUB",
"id": "VHN-76964"
},
{
"date": "2014-11-06T00:00:00",
"db": "BID",
"id": "70984"
},
{
"date": "2014-11-21T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2014-005570"
},
{
"date": "2014-11-07T16:52:33",
"db": "PACKETSTORM",
"id": "129016"
},
{
"date": "2014-11-15T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201411-230"
},
{
"date": "2014-11-20T17:50:07.847000",
"db": "NVD",
"id": "CVE-2014-9019"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2014-11-17T00:00:00",
"db": "CNVD",
"id": "CNVD-2014-08309"
},
{
"date": "2018-10-09T00:00:00",
"db": "VULHUB",
"id": "VHN-76964"
},
{
"date": "2014-12-09T00:55:00",
"db": "BID",
"id": "70984"
},
{
"date": "2014-11-21T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2014-005570"
},
{
"date": "2014-11-21T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201411-230"
},
{
"date": "2025-04-12T10:46:40.837000",
"db": "NVD",
"id": "CVE-2014-9019"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201411-230"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "ZTE ZXDSL 831CII Vulnerable to cross-site request forgery",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2014-005570"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "cross-site request forgery",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201411-230"
}
],
"trust": 0.6
}
}