Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
huaweiHuawei TechnologiesHUAWEI-SA-20171120-01-HWREADER
HistoryNov 20, 2017 - 12:00 a.m.

Security Advisory - Multiple Security Vulnerabilities in Huawei iReader

2017-11-2000:00:00
Huawei Technologies
www.huawei.com
16

6.8 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

0.003 Low

EPSS

Percentile

70.0%

JSON

Huawei iReader app has three security vulnerabilities.

The app has an input validation vulnerability due to insufficient validation on the URL used for loading network data. An attacker can control app access and load malicious websites created by the attacker, and the code in webpages would be loaded and run. (Vulnerability ID: HWPSIRT-2017-11023)

This vulnerability has been assigned a CVE ID: CVE-2017-15308.

The app has a path traversal vulnerability due to insufficient validation on file storage paths. An attacker can exploit this vulnerability to store downloaded malicious files in an arbitrary directory, affecting the availability of system data. (Vulnerability ID: HWPSIRT-2017-11073)
This vulnerability has been assigned a CVE ID: CVE-2017-15309.

The app has an arbitrary file deletion vulnerability due to the lack of input validation. An attacker can exploit this vulnerability to delete specific files from the SD card, affecting the availability of system data. (Vulnerability ID: HWPSIRT-2017-11074)
This vulnerability has been assigned a CVE ID: CVE-2017-15310.

Huawei has released software updates to fix these vulnerabilities. This advisory is available at the following link:
http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20171120-01-hwreader-en

Affected configurations

Vulners
Node
huaweiireaderMatch8.0.2.301
CPENameOperatorVersion
ireadereq8.0.2.301

Related

zdi 3
cvelist 3
cve 3
prion 3
nvd 3
zdi
zdi
(Pwn2Own) Huawei Reader Insecure Plugin Loading Privilege Escalation Vulnerability
2018-08-02 00:00:00
(Pwn2Own) Huawei Reader FileName Directory Traversal Privilege Escalation Vulnerability
2018-08-02 00:00:00
(Pwn2Own) Huawei Reader onChapPack Directory Traversal File Deletion Vulnerability
2018-08-02 00:00:00
cvelist
cvelist
CVE-2017-15309
2017-11-20 00:00:00
CVE-2017-15308
2017-11-20 00:00:00
CVE-2017-15310
2017-11-20 00:00:00
cve
cve
CVE-2017-15309
2017-12-22 17:29:12
CVE-2017-15308
2017-12-22 17:29:12
CVE-2017-15310
2017-12-22 17:29:13
prion
prion
Path traversal
2017-12-22 17:29:00
Input validation
2017-12-22 17:29:00
Arbitrary file deletion
2017-12-22 17:29:00
nvd
nvd
CVE-2017-15309
2017-12-22 17:29:12
CVE-2017-15308
2017-12-22 17:29:12
CVE-2017-15310
2017-12-22 17:29:13

6.8 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

0.003 Low

EPSS

Percentile

70.0%

JSON
Related for HUAWEI-SA-20171120-01-HWREADER
zdi3cvelist3cve3prion3nvd3