CVE-2014-8356 - Authorization Bypass Through User-Controlled Key vulnerability in Dasanzhone Znid 2426A Firmware

CVSS 6.5 - MEDIUM
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: SINGLE
Confidentiality impact: PARTIAL
Integrity impact: PARTIAL
Availability impact: PARTIAL
Tags: network, low complexity, dasanzhone, CWE-639, exploit available

Summary

The web administrative portal in Zhone zNID 2426A before S3.0.501 allows remote authenticated users to bypass intended access restrictions via a modified server response, related to an insecure direct object reference.

Vulnerable Configurations

Part | Description | Count
OS | Dasanzhone | 1
Hardware | Dasanzhone | 1

Exploit-Db

description: ZHONE < S3.0.501 - Multiple Vulnerabilities. CVE-2014-8356, CVE-2014-8357, CVE-2014-9118. Remote exploit for hardware platform
file: exploits/hardware/remote/38453.txt
id: EDB-ID:38453
last seen: 2016-02-04
modified: 2015-10-13
platform: hardware
port:
published: 2015-10-13
reporter: Lyon Yang
source: https://www.exploit-db.com/download/38453/
title: ZHONE < S3.0.501 - Multiple Vulnerabilities
type: remote

Packetstorm

data source: https://packetstormsecurity.com/files/download/133921/VP-2015-002.txt
id: PACKETSTORM:133921
last seen: 2016-12-05
published: 2015-10-12
reporter: Lyon Yang
source: https://packetstormsecurity.com/files/133921/Zhone-Insecure-Reference-Password-Disclosure-Command-Injection.html
title: Zhone Insecure Reference / Password Disclosure / Command Injection