CVE-2017-10937
Description
SQL injection in ZTE ZXIPTV-UCM allows remote attackers to execute arbitrary SQL commands via the opertype parameter, leading to database information disclosure.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A SQL injection vulnerability exists in all versions of the ZTE ZXIPTV-UCM product prior to V2.01.05.09. The flaw resides in the handling of the opertype parameter, which is not properly sanitized before being used in SQL queries, so an attacker can inject arbitrary SQL commands [1].
Exploitation
An attacker can exploit this vulnerability remotely without requiring authentication. By sending a crafted HTTP request containing malicious SQL code in the opertype parameter, the attacker can execute arbitrary SQL statements against the underlying database. No special privileges or user interaction are needed [1].
Impact
Successful exploitation results in the disclosure of database information. The attacker can read sensitive data stored in the database, potentially including user credentials, configuration details, or other confidential information. The impact is limited to information disclosure; the vulnerability does not directly allow modification or deletion of data [1].
Mitigation
ZTE has addressed this vulnerability in version V2.01.05.09 and later. Users should upgrade to this version or any subsequent release. As a workaround, ZTE recommends pre-compiling SQL statements (prepared statements with bound parameters) so that values such as opertype are passed to the database as data rather than concatenated into the query text. The security bulletin was published on 8 December 2017 [1].
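The concatenation pattern behind this class of flaw, placed beside the pre-compiled-statement fix the bulletin recommends, as an added Python/sqlite3 example that is not ZTE's code; the table, rows and opertype values are constructed stand-ins, not the product's schema.

```python
import sqlite3


def make_db():
    # Constructed in-memory table standing in for the UCM database (assumption,
    # not the real schema); two rows so a leak is visible.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE operations (opertype TEXT, detail TEXT)")
    conn.executemany(
        "INSERT INTO operations VALUES (?, ?)",
        [("login", "user alice"), ("config", "secret-setting")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, opertype):
    # The flawed pattern: the request parameter is spliced into the SQL text,
    # so a quote inside opertype changes the structure of the query.
    sql = f"SELECT detail FROM operations WHERE opertype = '{opertype}'"
    return sorted(row[0] for row in conn.execute(sql))


def lookup_fixed(conn, opertype):
    # The mitigation ZTE describes: a pre-compiled statement with a bound
    # parameter. The driver sends opertype as a value, never as SQL, so the
    # same input is matched literally and returns nothing.
    sql = "SELECT detail FROM operations WHERE opertype = ?"
    return sorted(row[0] for row in conn.execute(sql, (opertype,)))


def regression_check(conn, probe="x' OR '1'='1"):
    # Defender's regression test: the fixed handler must return no rows for a
    # quote-bearing probe that the vulnerable handler turns into a full dump.
    return {
        "vulnerable": lookup_vulnerable(conn, probe),
        "fixed": lookup_fixed(conn, probe),
    }


if __name__ == "__main__":
    print(regression_check(make_db()))
```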
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE) range: <2.01.05.09
- (no CPE) range: All versions prior to V2.01.05.09
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE: mechanics are only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
1. support.zte.com.cn/support/news/LoopholeInfoDetail.aspx (CONFIRM)
News mentions
No linked articles in our index yet.