Vulnerabilities > CVE-2014-8356 - Authorization Bypass Through User-Controlled Key vulnerability in Dasanzhone Znid 2426A Firmware

CVSS 8.8 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

LOW

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

HIGH

network

low complexity

dasanzhone

CWE-639

exploit available

NVD

Published: 2019-11-21

Updated: 2019-12-04

Summary

The web administrative portal in Zhone zNID 2426A before S3.0.501 allows remote authenticated users to bypass intended access restrictions via a modified server response, related to an insecure direct object reference.

Vulnerable Configurations

Part	Description	Count
OS	Dasanzhone Dasanzhone Znid 2426A Firmware -	1
Hardware	Dasanzhone Dasanzhone Znid 2426A -	1

Common Weakness Enumeration (CWE)

CWE-639 - Authorization Bypass Through User-Controlled Key

Exploit-Db

description	ZHONE < S3.0.501 - Multiple Vulnerabilities. CVE-2014-8356,CVE-2014-8357,CVE-2014-9118. Remote exploit for hardware platform
file	exploits/hardware/remote/38453.txt
id	EDB-ID:38453
last seen	2016-02-04
modified	2015-10-13
platform	hardware
port
published	2015-10-13
reporter	Lyon Yang
source	https://www.exploit-db.com/download/38453/
title	ZHONE < S3.0.501 - Multiple Vulnerabilities
type	remote

Packetstorm

data source	https://packetstormsecurity.com/files/download/133921/VP-2015-002.txt
id	PACKETSTORM:133921
last seen	2016-12-05
published	2015-10-12
reporter	Lyon Yang
source	https://packetstormsecurity.com/files/133921/Zhone-Insecure-Reference-Password-Disclosure-Command-Injection.html
title	Zhone Insecure Reference / Password Disclosure / Command Injection

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

Exploit-Db

Packetstorm

References