CVE-2021-21738
Description
ZTE's big video business platform (ZXIPTV-EAS_PV5.06.04.09) has two reflective XSS flaws due to insufficient input validation, allowing script injection via parameter tampering.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
ZTE's big video business platform, specifically the ZXIPTV-EAS_PV5.06.04.09 version, contains two reflective cross-site scripting (XSS) vulnerabilities [1]. The flaws arise from insufficient input verification, enabling an attacker to inject malicious scripts by tampering with parameters in HTTP requests [1].
Exploitation
An attacker can craft a malicious URL with tampered parameters and trick a valid user into clicking it, leading to script execution in the user's browser [1]. The attack requires no special privileges and does not require user interaction beyond the initial click, as per the CVSS vector (AV:L/AC:H/PR:N/UI:N) [1].
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's session, potentially affecting the operations of valid users [1]. The CVSS score indicates a low availability impact, with no direct confidentiality or integrity compromise [1].
Mitigation
ZTE has released a fixed version: ZXIPTV-EAS-PV7.01.05.01 [1]. Users should upgrade to this version to remediate the vulnerabilities. No workarounds are documented in the available reference [1].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
- ZTE/big video business platform (description)
Patches
No patches discovered yet.
References
[1] support.zte.com.cn/support/news/LoopholeInfoDetail.aspx (mitre, x_refsource_MISC)