fkie_cve-2021-21745
Vulnerability from fkie_nvd
Published
2021-10-20 16:15
Modified
2024-11-21 05:48
Severity ?
Summary
ZTE MF971R product has a Referer authentication bypass vulnerability. Without CSRF verification, an attackercould use this vulnerability to perform illegal authorization operations by sending a request to the user to click.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| zte | mf971r_firmware | v1.0.0b05 | |
| zte | mf971r | * | |
| zte | mf971r_firmware | 1v1.0.0b06 | |
| zte | mf971r | * | |
| zte | mf971r_firmware | 2v1.0.0b03 | |
| zte | mf971r | * | |
| zte | mf971r_firmware | s2v1.0.0b03 | |
| zte | mf971r | * | |
| zte | mf971r_firmware | sv1.0.0b05 | |
| zte | mf971r | * |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:o:zte:mf971r_firmware:v1.0.0b05:*:*:*:*:*:*:*", matchCriteriaId: "72A4F659-C656-47D6-B38E-5BA8E73DCD30", vulnerable: true, }, ], negate: false, operator: "OR", }, { cpeMatch: [ { criteria: "cpe:2.3:h:zte:mf971r:*:*:*:*:*:*:*:*", matchCriteriaId: "9A7F54F4-E324-4D1E-839E-677396BAFE49", vulnerable: false, }, ], negate: false, operator: "OR", }, ], operator: "AND", }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:o:zte:mf971r_firmware:1v1.0.0b06:*:*:*:*:*:*:*", matchCriteriaId: "35FA4400-636F-48E7-AF1E-9416D9E9386F", vulnerable: true, }, ], negate: false, operator: "OR", }, { cpeMatch: [ { criteria: "cpe:2.3:h:zte:mf971r:*:*:*:*:*:*:*:*", matchCriteriaId: "9A7F54F4-E324-4D1E-839E-677396BAFE49", vulnerable: false, }, ], negate: false, operator: "OR", }, ], operator: "AND", }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:o:zte:mf971r_firmware:2v1.0.0b03:*:*:*:*:*:*:*", matchCriteriaId: "252BBFAA-0053-441A-8F20-A737EF573355", vulnerable: true, }, ], negate: false, operator: "OR", }, { cpeMatch: [ { criteria: "cpe:2.3:h:zte:mf971r:*:*:*:*:*:*:*:*", matchCriteriaId: "9A7F54F4-E324-4D1E-839E-677396BAFE49", vulnerable: false, }, ], negate: false, operator: "OR", }, ], operator: "AND", }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:o:zte:mf971r_firmware:s2v1.0.0b03:*:*:*:*:*:*:*", matchCriteriaId: "7B066F08-DDC4-4868-8FD2-620E46660B64", vulnerable: true, }, ], negate: false, operator: "OR", }, { cpeMatch: [ { criteria: "cpe:2.3:h:zte:mf971r:*:*:*:*:*:*:*:*", matchCriteriaId: "9A7F54F4-E324-4D1E-839E-677396BAFE49", vulnerable: false, }, ], negate: false, operator: "OR", }, ], operator: "AND", }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:o:zte:mf971r_firmware:sv1.0.0b05:*:*:*:*:*:*:*", matchCriteriaId: "AAA1BD70-DC47-4B81-A906-3FD76E593F75", vulnerable: true, }, ], negate: false, operator: "OR", }, { cpeMatch: [ { criteria: "cpe:2.3:h:zte:mf971r:*:*:*:*:*:*:*:*", matchCriteriaId: "9A7F54F4-E324-4D1E-839E-677396BAFE49", vulnerable: false, }, ], negate: false, operator: "OR", }, ], operator: "AND", }, ], cveTags: [], descriptions: [ { lang: "en", value: "ZTE MF971R product has a Referer authentication bypass vulnerability. Without CSRF verification, an attackercould use this vulnerability to perform illegal authorization operations by sending a request to the user to click.", }, { lang: "es", value: "El producto ZTE MF971R presenta una vulnerabilidad de omisión de autenticación Referer. Sin la verificación de tipo CSRF, un atacante podría usar esta vulnerabilidad para llevar a cabo operaciones de autorización ilegales mediante el envío de una petición al usuario para que haga clic", }, ], id: "CVE-2021-21745", lastModified: "2024-11-21T05:48:55.583", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 4.3, confidentialityImpact: "NONE", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:N/C:N/I:P/A:N", version: "2.0", }, exploitabilityScore: 8.6, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: true, }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 4.3, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 1.4, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2021-10-20T16:15:08.203", references: [ { source: "psirt@zte.com.cn", tags: [ "Vendor Advisory", ], url: "https://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1019764", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1019764", }, ], sourceIdentifier: "psirt@zte.com.cn", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-352", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Log in or create an account to share your comment.
Security Advisory comment format.
This schema specifies the format of a comment related to a security advisory.
Title of the comment
Description of the comment
Loading…
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.