VYPR
Unrated severity · NVD Advisory · Published Aug 15, 2019 · Updated Aug 4, 2024

CVE-2019-3418

Description

Cross-site scripting (XSS) vulnerability in ZTE ZXHN F670 routers up to V1.1.10P3T18 allows an attacker to execute malicious scripts via incomplete input validation, requiring user interaction.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A cross-site scripting (XSS) vulnerability exists in the web interface of ZTE ZXHN F670 routers. All versions up to V1.1.10P3T18 are affected due to incomplete input validation, allowing an attacker to inject and execute arbitrary JavaScript in the context of an authenticated user's session [1].

Exploitation

An attacker with network adjacency (AV:A) can exploit this vulnerability without prior authentication (PR:N) but must trick an authenticated user into interacting with a crafted link or page (UI:R). The attacker can then execute malicious scripts within the router's web interface [1].

Impact

Successful exploitation leads to disclosure of sensitive information (confidentiality high), such as session cookies or configuration data. Integrity and availability are not affected, and the scope remains unchanged (S:U) [1].

Mitigation

ZTE has released fixed version V1.1.10P3T22 to address this vulnerability. Users should upgrade to this version. No workarounds are documented in the available references [1].

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • Zte/ZXHN F670 (llm-fuzzy), 2 versions
    <=V1.1.10P3T18 + 1 more
    • (no CPE) range: <=V1.1.10P3T18
    • (no CPE) range: unspecified

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

1
