Details of VAR-201409-1256

ID

VAR-201409-1256

TITLE

Cross-site request forgery vulnerability for multiple Huawei products

Trust: 0.6

sources: CNVD: CNVD-2014-06454

DESCRIPTION

FusionManager is a management software for hardware devices, virtualization resources, and applications provided by Huawei. Huawei USG is a firewall series device. A cross-site request forgery vulnerability exists in the FusionManager and the Huawei USG series. This allows remote attackers to construct malicious URIs, entice users to resolve, and perform malicious operations in the target user context. Multiple Huawei products are prone to multiple cross-site request-forgery vulnerabilities. Exploiting these issues may allow a remote attacker to perform certain unauthorized actions. This may lead to further attacks

Trust: 0.81

sources: CNVD: CNVD-2014-06454 // BID: 70114

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2014-06454

AFFECTED PRODUCTS

vendor:	huawei	model:	fusionmanager v100r002c03	scope:	-	version:	-	Trust: 0.6
vendor:	huawei	model:	fusionmanager v100r003c00	scope:	-	version:	-	Trust: 0.6
vendor:	huawei	model:	usg9500 v200r001c01spc800	scope:	-	version:	-	Trust: 0.6
vendor:	huawei	model:	usg2100 v300r001c00spc900	scope:	-	version:	-	Trust: 0.6
vendor:	huawei	model:	usg2200 v300r001c00spc900	scope:	-	version:	-	Trust: 0.6
vendor:	huawei	model:	usg5100 v300r001c00spc900	scope:	-	version:	-	Trust: 0.6
vendor:	huawei	model:	usg5500 v300r001c00spc900	scope:	-	version:	-	Trust: 0.6

sources: CNVD: CNVD-2014-06454

CVSS

SEVERITY

CVSSV2

CVSSV3

CNVD:	CNVD-2014-06454
value:	HIGH
Trust: 0.6

CNVD:	CNVD-2014-06454
severity:	HIGH
baseScore:	7.5
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

sources: CNVD: CNVD-2014-06454

THREAT TYPE

network

Trust: 0.3

sources: BID: 70114

TYPE

Input Validation Error

Trust: 0.3

sources: BID: 70114

PATCH

title:

Patch for multiple Huawei products cross-site request forgery vulnerability

url:

https://www.cnvd.org.cn/patchinfo/show/50464

Trust: 0.6

sources: CNVD: CNVD-2014-06454

EXTERNAL IDS

db:	BID	id:	70114	Trust: 0.9
db:	OSVDB	id:	111994	Trust: 0.6
db:	OSVDB	id:	111993	Trust: 0.6
db:	CNVD	id:	CNVD-2014-06454	Trust: 0.6

sources: CNVD: CNVD-2014-06454 // BID: 70114

REFERENCES

url:	http://www.huawei.com/en/security/psirt/security-bulletins/security-advisories/archive/hw-372186.htm	Trust: 0.6
url:	http://osvdb.com/show/osvdb/111993	Trust: 0.6
url:	http://osvdb.com/show/osvdb/111994	Trust: 0.6

sources: CNVD: CNVD-2014-06454

CREDITS

The vendor reported this issue.

Trust: 0.3

sources: BID: 70114

SOURCES

db:	CNVD	id:	CNVD-2014-06454
db:	BID	id:	70114

LAST UPDATE DATE

2022-05-17T02:08:07.799000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2014-06454	date:	2014-09-28T00:00:00
db:	BID	id:	70114	date:	2014-09-24T00:00:00

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2014-06454	date:	2014-09-28T00:00:00
db:	BID	id:	70114	date:	2014-09-24T00:00:00