Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
certCERTVU:688812
HistoryJul 21, 2014 - 12:00 a.m.

Huawei E355 contains a stored cross-site scripting vulnerability

2014-07-2100:00:00
www.kb.cert.org
14

4.3 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

0.003 Low

EPSS

Percentile

68.2%

JSON

Overview

The Huawei E355 built-in web interface contains a stored cross-site scripting vulnerability.

Description

Huawei E355 wireless broadband modems include a web interface for administration and additional services. The web interface allows users to receive SMS messages using the connected cellular network.

CWE-79:** Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)**
The web interface is vulnerable to a stored cross-site scripting vulnerability. The vulnerability can be exploited if a victim views SMS messages that contain Javascript using the web interface.

The following device configuration was reported to be vulnerable. Other versions may be affected:
Hardware version: CH1E355SM
Software version: 21.157.37.01.910
Web UI version: 11.001.08.00.03

Impact

A malicious attacker may be able to execute arbitrary script in the context of the victim’s browser.

Solution

We are currently unaware of a practical solution to this problem. In the meantime, please consider the following workaround:

Disable scripting

Disable scripting in your web browser, as specified in the Securing Your Web Browser document.

Vendor Information

688812

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Additional information available

__ Sort by: Status Alphabetical

Expand all

Javascript is disabled. Click here to view vendors.

Huawei Technologies Affected

Notified: May 06, 2014 Updated: July 01, 2014

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

CVSS Metrics

Group Score Vector
Base 6.4 AV:N/AC:L/Au:N/C:P/I:P/A:N
Temporal 5.5 E:POC/RL:W/RC:C
Environmental 1.5 CDP:L/TD:L/CR:ND/IR:ND/AR:ND

References

Acknowledgements

Thanks to Jimson James for reporting this vulnerability.

This document was written by Todd Lewellen.

Other Information

CVE IDs: CVE-2014-2968
Date Public: 2014-07-21 Date First Published:

Related

huawei 1
cvelist 1
cve 1
prion 1
nvd 1
huawei
huawei
Security Advisory-XSS Security Vulnerability on Huawei E355
2014-10-11 00:00:00
cvelist
cvelist
CVE-2014-2968
2014-07-24 14:00:00
cve
cve
CVE-2014-2968
2014-07-24 14:55:07
prion
prion
Cross site scripting
2014-07-24 14:55:00
nvd
nvd
CVE-2014-2968
2014-07-24 14:55:07

4.3 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

0.003 Low

EPSS

Percentile

68.2%

JSON
Related for VU:688812
huawei1cvelist1cve1prion1nvd1