Details of VAR-201411-0417

ID

VAR-201411-0417

CVE

CVE-2014-5395

TITLE

plural Huawei Product cross-site request forgery vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2014-005595

DESCRIPTION

Multiple cross-site request forgery (CSRF) vulnerabilities in Huawei HiLink E3276 and E3236 TCPU before V200R002B470D13SP00C00 and WebUI before V100R007B100D03SP01C03, E5180s-22 before 21.270.21.00.00, and E586Bs-2 before 21.322.10.00.889 allow remote attackers to hijack the authentication of users for requests that (1) modify configurations, (2) send SMS messages, or have other unspecified impact via unknown vectors. Huawei HiLink is a new and simpler network card that Huawei has introduced. Huawei HiLink E3236 and E3276 are prone to a cross-site request-forgery vulnerability. Exploiting this issue may allow a remote attacker to perform certain unauthorized actions. This may lead to further attacks. Both Huawei HiLink E3276 and E3236 are USB modem products of the Chinese Huawei (Huawei). Cross-site request forgery vulnerabilities exist in several Huawei HiLink products. The following products and versions are affected: Huawei HiLink E3276 and E3236 TCPPU versions prior to V200R002B470D13SP00C00, WebUI versions prior to V100R007B100D03SP01C03, versions prior to E5180s-22 21.270.21.00.00, and versions prior to E586Bs-2 21.322.1089.00.8

Trust: 2.52

sources: NVD: CVE-2014-5395 // JVNDB: JVNDB-2014-005595 // CNVD: CNVD-2014-08586 // BID: 69162 // VULHUB: VHN-73336

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2014-08586

AFFECTED PRODUCTS

vendor:	huawei	model:	e3236	scope:	lte	version:	webui-13.100.10.00.03	Trust: 1.0
vendor:	huawei	model:	e3276	scope:	lte	version:	webui-13.100.09.00.03	Trust: 1.0
vendor:	huawei	model:	e3276	scope:	lte	version:	e3276s-150tcpu-22.265.03.00.00	Trust: 1.0
vendor:	huawei	model:	e3236	scope:	lte	version:	e3236s-2tcpu-22.146.29.00.00	Trust: 1.0
vendor:	huawei	model:	e5180s-22	scope:	lte	version:	e5180s-22tcpu-21.270.05.01.00	Trust: 1.0
vendor:	huawei	model:	e586bs-2	scope:	lte	version:	e586bs-2tcpu-21.322.08.00.889	Trust: 1.0
vendor:	huawei	model:	e3236	scope:	lt	version:	e3236stcpu-v200r002b146d41sp00c00	Trust: 0.8
vendor:	huawei	model:	e3236	scope:	lt	version:	e3236swebui-v100r007b100d03sp01c03	Trust: 0.8
vendor:	huawei	model:	e3276	scope:	lt	version:	e3276stcpu-v200r002b470d13sp00c00	Trust: 0.8
vendor:	huawei	model:	e3276	scope:	lt	version:	e3276swebui-v100r007b100d03sp01c03	Trust: 0.8
vendor:	huawei	model:	e5180s-22	scope:	lt	version:	e5180s-22b710c0update_21.270.21.00.00.gz	Trust: 0.8
vendor:	huawei	model:	e586bs-2	scope:	lt	version:	21.322.10.00.889	Trust: 0.8
vendor:	huawei	model:	e3236	scope:	-	version:	-	Trust: 0.6
vendor:	huawei	model:	e3276	scope:	-	version:	-	Trust: 0.6
vendor:	huawei	model:	e3236	scope:	eq	version:	webui-13.100.10.00.03	Trust: 0.6
vendor:	huawei	model:	e3276	scope:	eq	version:	e3276s-150tcpu-22.265.03.00.00	Trust: 0.6
vendor:	huawei	model:	e586bs-2	scope:	eq	version:	e586bs-2tcpu-21.322.08.00.889	Trust: 0.6
vendor:	huawei	model:	e5180s-22	scope:	eq	version:	e5180s-22tcpu-21.270.05.01.00	Trust: 0.6
vendor:	huawei	model:	e3236	scope:	eq	version:	e3236s-2tcpu-22.146.29.00.00	Trust: 0.6
vendor:	huawei	model:	e3276	scope:	eq	version:	webui-13.100.09.00.03	Trust: 0.6

sources: CNVD: CNVD-2014-08586 // JVNDB: JVNDB-2014-005595 // CNNVD: CNNVD-201408-133 // NVD: CVE-2014-5395

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2014-5395
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2014-5395
value:	MEDIUM
Trust: 0.8
CNVD:	CNVD-2014-08586
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-201408-133
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-73336
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2014-5395
severity:	MEDIUM
baseScore:	6.8
vectorString:	AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.6
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2014-08586
severity:	MEDIUM
baseScore:	6.8
vectorString:	AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.6
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
VULHUB:	VHN-73336
severity:	MEDIUM
baseScore:	6.8
vectorString:	AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.6
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

sources: CNVD: CNVD-2014-08586 // VULHUB: VHN-73336 // JVNDB: JVNDB-2014-005595 // CNNVD: CNNVD-201408-133 // NVD: CVE-2014-5395

PROBLEMTYPE DATA

problemtype:

CWE-352

Trust: 1.9

sources: VULHUB: VHN-73336 // JVNDB: JVNDB-2014-005595 // NVD: CVE-2014-5395

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201408-133

TYPE

cross-site request forgery

Trust: 0.6

sources: CNNVD: CNNVD-201408-133

CONFIGURATIONS

sources: JVNDB: JVNDB-2014-005595

EXPLOIT AVAILABILITY

sources: VULHUB: VHN-73336

PATCH

title:	Huawei-SA-20140806-01-HiLink	url:	http://www.huawei.com/en/security/psirt/security-bulletins/security-advisories/hw-360246.htm	Trust: 0.8
title:	Huawei HiLink E3236/E3276 Patch for Cross-Site Request Forgery Vulnerability	url:	https://www.cnvd.org.cn/patchInfo/show/52328	Trust: 0.6

sources: CNVD: CNVD-2014-08586 // JVNDB: JVNDB-2014-005595

EXTERNAL IDS

db:	NVD	id:	CVE-2014-5395	Trust: 3.4
db:	BID	id:	69162	Trust: 2.6
db:	EXPLOIT-DB	id:	46092	Trust: 1.1
db:	JVNDB	id:	JVNDB-2014-005595	Trust: 0.8
db:	CNNVD	id:	CNNVD-201408-133	Trust: 0.7
db:	CNVD	id:	CNVD-2014-08586	Trust: 0.6
db:	PACKETSTORM	id:	151030	Trust: 0.1
db:	VULHUB	id:	VHN-73336	Trust: 0.1

sources: CNVD: CNVD-2014-08586 // VULHUB: VHN-73336 // BID: 69162 // JVNDB: JVNDB-2014-005595 // CNNVD: CNNVD-201408-133 // NVD: CVE-2014-5395

REFERENCES

url:	http://www.securityfocus.com/bid/69162	Trust: 2.3
url:	http://www.huawei.com/en/security/psirt/security-bulletins/security-advisories/hw-360246.htm	Trust: 1.7
url:	https://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-5395	Trust: 1.4
url:	https://www.exploit-db.com/exploits/46092/	Trust: 1.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-5395	Trust: 0.8

sources: CNVD: CNVD-2014-08586 // VULHUB: VHN-73336 // JVNDB: JVNDB-2014-005595 // CNNVD: CNNVD-201408-133 // NVD: CVE-2014-5395

CREDITS

Andreas Lindh

Trust: 0.9

sources: BID: 69162 // CNNVD: CNNVD-201408-133

SOURCES

db:	CNVD	id:	CNVD-2014-08586
db:	VULHUB	id:	VHN-73336
db:	BID	id:	69162
db:	JVNDB	id:	JVNDB-2014-005595
db:	CNNVD	id:	CNNVD-201408-133
db:	NVD	id:	CVE-2014-5395

LAST UPDATE DATE

2025-04-13T23:31:36.785000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2014-08586	date:	2014-12-01T00:00:00
db:	VULHUB	id:	VHN-73336	date:	2019-01-08T00:00:00
db:	BID	id:	69162	date:	2014-11-24T00:57:00
db:	JVNDB	id:	JVNDB-2014-005595	date:	2014-11-25T00:00:00
db:	CNNVD	id:	CNNVD-201408-133	date:	2014-11-24T00:00:00
db:	NVD	id:	CVE-2014-5395	date:	2025-04-12T10:46:40.837

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2014-08586	date:	2014-12-01T00:00:00
db:	VULHUB	id:	VHN-73336	date:	2014-11-21T00:00:00
db:	BID	id:	69162	date:	2014-08-08T00:00:00
db:	JVNDB	id:	JVNDB-2014-005595	date:	2014-11-25T00:00:00
db:	CNNVD	id:	CNNVD-201408-133	date:	2014-08-12T00:00:00
db:	NVD	id:	CVE-2014-5395	date:	2014-11-21T15:59:00.087