CVE-2017-10937

HIGH

ZTE ZXIPTV-UCM Firmware < 2.01.05.09 - SQL Injection via opertype Parameter

Title source: llm

Description

SQL injection vulnerability in all versions prior to V2.01.05.09 of the ZTE ZXIPTV-UCM product allows remote attackers to execute arbitrary SQL commands via the opertype parameter, resulting in the disclosure of database information.

References (1)

Core 1

Core References

Vendor Advisory x_refsource_confirm

http://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1008782

Scores

CVSS v3 7.5

EPSS 0.0029

EPSS Percentile 52.5%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Details

CWE

CWE-89

Status published

Products (1)

zte/zxiptv-ucm_firmware < 2.01.05.09

Published Jul 25, 2018

Tracked Since Feb 18, 2026