CVE-2014-8357

Name of the Vulnerable Software and Affected Versions Zhone zNID GPON 2426A versions prior to S3.0.501

Description The issue allows remote attackers to obtain arbitrary user passwords. This is achieved by exploiting the sessionKey parameter in a getConfig action to backupsettings.conf via the backupsettings.html page in the web administrative portal. The vulnerability stems from the session key being placed in a URL.

Recommendations For versions prior to S3.0.501, update to version S3.0.501 or later to resolve the issue. As a temporary workaround, consider restricting access to the backupsettings.html page in the web administrative portal to minimize the risk of exploitation. Avoid using the sessionKey parameter in the getConfig action until the issue is resolved.