Vulnerabilities > CVE-2014-8357 - Credentials Management vulnerability in Dasanzhone Znid 2426A Firmware

CVSS 4.0 - MEDIUM

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

SINGLE

Confidentiality impact

PARTIAL

Integrity impact

NONE

Availability impact

NONE

network

low complexity

dasanzhone

CWE-255

exploit available

NVD

Published: 2017-10-17

Updated: 2018-10-09

Summary

backupsettings.html in the web administrative portal in Zhone zNID GPON 2426A before S3.0.501 places a session key in a URL, which allows remote attackers to obtain arbitrary user passwords via the sessionKey parameter in a getConfig action to backupsettings.conf.

Vulnerable Configurations

Part	Description	Count
OS	Dasanzhone Dasanzhone Znid 2426A Firmware *	1
Hardware	Dasanzhone Dasanzhone Znid 2426A -	1

Common Weakness Enumeration (CWE)

CWE-255 - Credentials Management

Exploit-Db

description	ZHONE < S3.0.501 - Multiple Vulnerabilities. CVE-2014-8356,CVE-2014-8357,CVE-2014-9118. Remote exploit for hardware platform
file	exploits/hardware/remote/38453.txt
id	EDB-ID:38453
last seen	2016-02-04
modified	2015-10-13
platform	hardware
port
published	2015-10-13
reporter	Lyon Yang
source	https://www.exploit-db.com/download/38453/
title	ZHONE < S3.0.501 - Multiple Vulnerabilities
type	remote

Packetstorm

data source	https://packetstormsecurity.com/files/download/133921/VP-2015-002.txt
id	PACKETSTORM:133921
last seen	2016-12-05
published	2015-10-12
reporter	Lyon Yang
source	https://packetstormsecurity.com/files/133921/Zhone-Insecure-Reference-Password-Disclosure-Command-Injection.html
title	Zhone Insecure Reference / Password Disclosure / Command Injection

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

Exploit-Db

Packetstorm

References