Lyon Yang

**Name of the Vulnerable Software and Affected Versions** Zhone zNID 2426A versions prior to S3.0.501 **Description** The issue concerns an insecure direct object reference in the web administrative portal, allowing remote authenticated users to bypass intended access restrictions via a modified server response. **Recommendations** For versions prior to S3.0.501, update to version S3.0.501 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Zhone zNID GPON 2426A versions prior to S3.0.501 **Description** The issue allows remote attackers to obtain arbitrary user passwords. This is achieved by exploiting the `sessionKey` parameter in a `getConfig` action to `backupsettings.conf` via the `backupsettings.html` page in the web administrative portal. The vulnerability stems from the session key being placed in a URL. **Recommendations** For versions prior to S3.0.501, update to version S3.0.501 or later to resolve the issue. As a temporary workaround, consider restricting access to the `backupsettings.html` page in the web administrative portal to minimize the risk of exploitation. Avoid using the `sessionKey` parameter in the `getConfig` action until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Zhone zNID GPON 2426A versions prior to S3.0.501 **Description** The issue concerns the web administrative portal, where remote attackers can execute arbitrary commands. This is achieved by using shell metacharacters in the `ipAddr` parameter to the "zhnping.cmd" endpoint. **Recommendations** For versions prior to S3.0.501, update to version S3.0.501 or later to resolve the issue. As a temporary workaround, consider restricting access to the "zhnping.cmd" endpoint to minimize the risk of exploitation. Avoid using the `ipAddr` parameter in the affected endpoint until the issue is resolved.