ID

VAR-201407-0438


CVE

CVE-2014-2968


TITLE

Huawei E355 contains a stored cross-site scripting vulnerability

Trust: 0.8

sources: CERT/CC: VU#688812

DESCRIPTION

Cross-site scripting (XSS) vulnerability in the web interface on the Huawei E355 CH1E355SM modem with software 21.157.37.01.910 and Web UI 11.001.08.00.03 allows remote attackers to inject arbitrary web script or HTML via an SMS message. The Huawei E355 contains a cross-site scripting vulnerability. The Huawei E355 is a wireless router with a web interface for management and other services. Huawei E355 is a wireless network card product. Huawei E355 is prone to an HTML-injection vulnerability because it fails to properly sanitize user-supplied input. Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible. E355 running firmware version CH1E355SM is vulnerable; other versions may also be affected. The Huawei E355 CH1E355SM modem and Web UI are both products of Huawei (China).

Trust: 3.24

sources: NVD: CVE-2014-2968 // CERT/CC: VU#688812 // JVNDB: JVNDB-2014-003503 // CNVD: CNVD-2014-04493 // BID: 68769 // VULHUB: VHN-70907

IOT TAXONOMY

category: ['Network device'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2014-04493

AFFECTED PRODUCTS

vendor: huawei, model: e355 web ui, scope: eq, version: 11.001.08.00.03

Trust: 1.6

vendor: huawei, model: e355, scope: eq, version: 21.157.37.01.910

Trust: 1.6

vendor: huawei, model: e355, scope: eq, version: ch1e355sm

Trust: 1.0

vendor: huawei, model: -, scope: -, version: -

Trust: 0.8

vendor: huawei, model: e355, scope: eq, version: hardware version ch1e355sm

Trust: 0.8

vendor: huawei, model: e355 web ui, scope: eq, version: version 11.001.08.00.03

Trust: 0.8

vendor: huawei, model: e355, scope: eq, version: version 21.157.37.01.910

Trust: 0.8

vendor: huawei, model: e355 ch1e355sm, scope: -, version: -

Trust: 0.6

sources: CERT/CC: VU#688812 // CNVD: CNVD-2014-04493 // JVNDB: JVNDB-2014-003503 // CNNVD: CNNVD-201407-598 // NVD: CVE-2014-2968

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2014-2968
value: MEDIUM

Trust: 1.0

NVD: CVE-2014-2968
value: MEDIUM

Trust: 0.8

IPA: JVNDB-2014-003503
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2014-04493
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201407-598
value: MEDIUM

Trust: 0.6

VULHUB: VHN-70907
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2014-2968
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

NVD: CVE-2014-2968
severity: MEDIUM
baseScore: 6.4
vectorString: NONE
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

IPA: JVNDB-2014-003503
severity: MEDIUM
baseScore: 6.4
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

CNVD: CNVD-2014-04493
severity: MEDIUM
baseScore: 6.4
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

VULHUB: VHN-70907
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: CERT/CC: VU#688812 // CNVD: CNVD-2014-04493 // VULHUB: VHN-70907 // JVNDB: JVNDB-2014-003503 // CNNVD: CNNVD-201407-598 // NVD: CVE-2014-2968

PROBLEMTYPE DATA

problemtype: CWE-79

Trust: 1.9

sources: VULHUB: VHN-70907 // JVNDB: JVNDB-2014-003503 // NVD: CVE-2014-2968

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201407-598

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201407-598

CONFIGURATIONS

sources: JVNDB: JVNDB-2014-003503

EXPLOIT AVAILABILITY

sources: CERT/CC: VU#688812 // VULHUB: VHN-70907

PATCH

title: E355 - Features, url: http://consumer.huawei.com/en/mobile-broadband/wingle/features/e355-en.htm

Trust: 0.8

sources: JVNDB: JVNDB-2014-003503

EXTERNAL IDS

db: CERT/CC, id: VU#688812

Trust: 3.9

db: NVD, id: CVE-2014-2968

Trust: 3.4

db: BID, id: 68769

Trust: 1.0

db: JVN, id: JVNVU93289423

Trust: 0.8

db: JVNDB, id: JVNDB-2014-003503

Trust: 0.8

db: CNNVD, id: CNNVD-201407-598

Trust: 0.7

db: CNVD, id: CNVD-2014-04493

Trust: 0.6

db: SEEBUG, id: SSVID-61728

Trust: 0.1

db: VULHUB, id: VHN-70907

Trust: 0.1

sources: CERT/CC: VU#688812 // CNVD: CNVD-2014-04493 // VULHUB: VHN-70907 // BID: 68769 // JVNDB: JVNDB-2014-003503 // CNNVD: CNNVD-201407-598 // NVD: CVE-2014-2968

REFERENCES

url:http://www.kb.cert.org/vuls/id/688812

Trust: 3.1

url:http://www.huawei.com

Trust: 0.8

url:http://cwe.mitre.org/data/definitions/79.html

Trust: 0.8

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-2968

Trust: 0.8

url:https://jvn.jp/vu/jvnvu93289423/

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-2968

Trust: 0.8

sources: CERT/CC: VU#688812 // CNVD: CNVD-2014-04493 // VULHUB: VHN-70907 // JVNDB: JVNDB-2014-003503 // CNNVD: CNNVD-201407-598 // NVD: CVE-2014-2968

CREDITS

Jimson James

Trust: 0.3

sources: BID: 68769

SOURCES

db: CERT/CC, id: VU#688812
db: CNVD, id: CNVD-2014-04493
db: VULHUB, id: VHN-70907
db: BID, id: 68769
db: JVNDB, id: JVNDB-2014-003503
db: CNNVD, id: CNNVD-201407-598
db: NVD, id: CVE-2014-2968

LAST UPDATE DATE

2025-04-13T23:25:23.560000+00:00


SOURCES UPDATE DATE

db: CERT/CC, id: VU#688812, date: 2014-07-21T00:00:00
db: CNVD, id: CNVD-2014-04493, date: 2014-07-23T00:00:00
db: VULHUB, id: VHN-70907, date: 2014-07-24T00:00:00
db: BID, id: 68769, date: 2014-07-24T11:41:00
db: JVNDB, id: JVNDB-2014-003503, date: 2014-07-25T00:00:00
db: CNNVD, id: CNNVD-201407-598, date: 2014-07-30T00:00:00
db: NVD, id: CVE-2014-2968, date: 2025-04-12T10:46:40.837

SOURCES RELEASE DATE

db: CERT/CC, id: VU#688812, date: 2014-07-21T00:00:00
db: CNVD, id: CNVD-2014-04493, date: 2014-07-23T00:00:00
db: VULHUB, id: VHN-70907, date: 2014-07-24T00:00:00
db: BID, id: 68769, date: 2014-07-21T00:00:00
db: JVNDB, id: JVNDB-2014-003503, date: 2014-07-23T00:00:00
db: CNNVD, id: CNNVD-201407-598, date: 2014-07-25T00:00:00
db: NVD, id: CVE-2014-2968, date: 2014-07-24T14:55:07.410