ID

VAR-201404-0461


CVE

CVE-2014-0337


TITLE

Huawei Echo Life HG8247 optical router XSS vulnerability

Trust: 0.8

sources: CERT/CC: VU#917700

DESCRIPTION

Cross-site scripting (XSS) vulnerability in the web interface on Huawei Echo Life HG8247 routers with software before V100R006C00SPC127 allows remote attackers to inject arbitrary web script or HTML via an invalid TELNET connection attempt with a crafted username that is not properly handled during construction of the "failed log-in attempts over telnet" log view. CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') http://cwe.mitre.org/data/definitions/79.html An arbitrary script may be executed in the user's web browser, or a user session may be hijacked. Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible. Echo Life HG8247 devices running firmware version V1R006C00S120 and prior are vulnerable.

Trust: 3.24

sources: NVD: CVE-2014-0337 // CERT/CC: VU#917700 // JVNDB: JVNDB-2014-001891 // CNVD: CNVD-2014-02128 // BID: 66594 // VULHUB: VHN-67830

IOT TAXONOMY

category: ['Network device'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2014-02128

AFFECTED PRODUCTS

vendor: huawei, model: echo life, scope: eq, version: hg8247

Trust: 1.8

vendor: huawei, model: echo life hg8247, scope: eq, version: v1r006c00s120

Trust: 1.6

vendor: huawei, model: -, scope: -, version: -

Trust: 0.8

vendor: huawei, model: echo life hg8247, scope: lte, version: version v1r006c00s120

Trust: 0.8

vendor: huawei, model: echo life hg8247 v1r006c00s120, scope: -, version: -

Trust: 0.6

sources: CERT/CC: VU#917700 // CNVD: CNVD-2014-02128 // JVNDB: JVNDB-2014-001891 // CNNVD: CNNVD-201404-065 // NVD: CVE-2014-0337

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2014-0337
value: MEDIUM

Trust: 1.0

NVD: CVE-2014-0337
value: MEDIUM

Trust: 0.8

IPA: JVNDB-2014-001891
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2014-02128
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201404-065
value: MEDIUM

Trust: 0.6

VULHUB: VHN-67830
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2014-0337
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

NVD: CVE-2014-0337
severity: MEDIUM
baseScore: 4.3
vectorString: NONE
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

IPA: JVNDB-2014-001891
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

CNVD: CNVD-2014-02128
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

VULHUB: VHN-67830
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: CERT/CC: VU#917700 // CNVD: CNVD-2014-02128 // VULHUB: VHN-67830 // JVNDB: JVNDB-2014-001891 // CNNVD: CNNVD-201404-065 // NVD: CVE-2014-0337

PROBLEMTYPE DATA

problemtype:CWE-79

Trust: 1.9

sources: VULHUB: VHN-67830 // JVNDB: JVNDB-2014-001891 // NVD: CVE-2014-0337

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201404-065

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201404-065

CONFIGURATIONS

sources: JVNDB: JVNDB-2014-001891

EXPLOIT AVAILABILITY

sources: CERT/CC: VU#917700

PATCH

title: HG8247, url: http://www.huawei.com/en/products/fixed-access/fttx/ont/hg8247/index.htm

Trust: 0.8

title: Support site (login required), url: http://support.huawei.com/support/pages/editionctrl/catalog/ShowVersionDetail.do?actionFlag=getSoftwareDetail&node_id=000001619370&doc_type=VER_SOFT&doc_type=VER_SOFT

Trust: 0.8

title: Huawei Echo Life HG8247 HTML Injection Vulnerability Patch, url: https://www.cnvd.org.cn/patchInfo/show/44649

Trust: 0.6

sources: CNVD: CNVD-2014-02128 // JVNDB: JVNDB-2014-001891

EXTERNAL IDS

db: CERT/CC, id: VU#917700

Trust: 3.9

db: NVD, id: CVE-2014-0337

Trust: 3.4

db: BID, id: 66594

Trust: 1.0

db: JVN, id: JVNVU94248733

Trust: 0.8

db: JVNDB, id: JVNDB-2014-001891

Trust: 0.8

db: CNNVD, id: CNNVD-201404-065

Trust: 0.7

db: OSVDB, id: 105303

Trust: 0.6

db: CNVD, id: CNVD-2014-02128

Trust: 0.6

db: SECUNIA, id: 57634

Trust: 0.6

db: SEEBUG, id: SSVID-62077

Trust: 0.1

db: VULHUB, id: VHN-67830

Trust: 0.1

sources: CERT/CC: VU#917700 // CNVD: CNVD-2014-02128 // VULHUB: VHN-67830 // BID: 66594 // JVNDB: JVNDB-2014-001891 // CNNVD: CNNVD-201404-065 // NVD: CVE-2014-0337

REFERENCES

url:http://www.kb.cert.org/vuls/id/917700

Trust: 3.1

url:http://support.huawei.com/support/pages/editionctrl/catalog/showversiondetail.do?actionflag=getsoftwaredetail&node_id=000001619370&doc_type=ver_soft&doc_type=ver_soft

Trust: 1.6

url:http://www.huawei.com/en/products/fixed-access/fttx/ont/hg8247/index.htm

Trust: 0.8

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-0337

Trust: 0.8

url:https://jvn.jp/vu/jvnvu94248733/index.html

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-0337

Trust: 0.8

url:http://osvdb.com/show/osvdb/105303

Trust: 0.6

url:http://secunia.com/advisories/57634

Trust: 0.6

sources: CERT/CC: VU#917700 // CNVD: CNVD-2014-02128 // VULHUB: VHN-67830 // JVNDB: JVNDB-2014-001891 // CNNVD: CNNVD-201404-065 // NVD: CVE-2014-0337

CREDITS

Rijnard van Tonder

Trust: 0.3

sources: BID: 66594

SOURCES

db: CERT/CC, id: VU#917700
db: CNVD, id: CNVD-2014-02128
db: VULHUB, id: VHN-67830
db: BID, id: 66594
db: JVNDB, id: JVNDB-2014-001891
db: CNNVD, id: CNNVD-201404-065
db: NVD, id: CVE-2014-0337

LAST UPDATE DATE

2025-04-13T23:21:27.840000+00:00


SOURCES UPDATE DATE

db: CERT/CC, id: VU#917700, date: 2014-04-02T00:00:00
db: CNVD, id: CNVD-2014-02128, date: 2014-04-04T00:00:00
db: VULHUB, id: VHN-67830, date: 2014-04-07T00:00:00
db: BID, id: 66594, date: 2014-04-02T00:00:00
db: JVNDB, id: JVNDB-2014-001891, date: 2014-04-08T00:00:00
db: CNNVD, id: CNNVD-201404-065, date: 2014-04-09T00:00:00
db: NVD, id: CVE-2014-0337, date: 2025-04-12T10:46:40.837

SOURCES RELEASE DATE

db: CERT/CC, id: VU#917700, date: 2014-04-02T00:00:00
db: CNVD, id: CNVD-2014-02128, date: 2014-04-04T00:00:00
db: VULHUB, id: VHN-67830, date: 2014-04-05T00:00:00
db: BID, id: 66594, date: 2014-04-02T00:00:00
db: JVNDB, id: JVNDB-2014-001891, date: 2014-04-03T00:00:00
db: CNNVD, id: CNNVD-201404-065, date: 2014-04-09T00:00:00
db: NVD, id: CVE-2014-0337, date: 2014-04-05T04:01:37.547