Multiple information exposure vulnerabilities enable an attacker to obtain credentials and other sensitive details about the ZXHN H108N R1A. User names and password hashes can be viewed in the page source of http://<IP>/cgi-bin/webproc. The configuration file of the device contains usernames, passwords, keys, and other values in plain text, which can be used by a user with lower privileges to gain admin account access. The ZXHN H108N R1A router, version ZTE.bhs.ZXHNH108NR1A.h_PE, does not properly restrict access to the web interface. An attacker can bypass authentication and gain access to the web interface without valid credentials. The ZXHN H108N R1A router, version ZTE.bhs.ZXHNH108NR1A.h_PE, is vulnerable to CSRF attacks. An attacker can send a malicious request to the router and perform actions with the privileges of the currently logged-in user. The ZXHN H108N R1A router, version ZTE.bhs.ZXHNH108NR1A.h_PE, is vulnerable to OS command injection. An attacker can inject arbitrary commands into the router and execute them with root privileges. The ZXHN H108N R1A router, version ZTE.bhs.ZXHNH108NR1A.h_PE, is vulnerable to XSS attacks. An attacker can inject malicious JavaScript into the router and execute it with the privileges of the currently logged-in user.