CVE-2014-9021

Name of the Vulnerable Software and Affected Versions ZTE ZXDSL 831 (affected versions not specified)

Description The issue concerns multiple cross-site scripting (XSS) vulnerabilities. These vulnerabilities allow remote attackers to inject arbitrary web script or HTML via specific parameters to various pages. The affected parameters include tr69cAcsURL, tr69cAcsUser, tr69cAcsPwd, tr69cConnReqPwd, and tr69cDebugEnable in the TR-069 client page, timezone in the Time and date page, and hostname in the Quick Stats page.

Recommendations As a temporary workaround, consider disabling the TR-069 client page until a patch is available. Restrict access to the Time and date page to minimize the risk of exploitation. Avoid using the hostname parameter in the Quick Stats page until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.