Details of VAR-201505-0365

ID

VAR-201505-0365

CVE

CVE-2015-2347

TITLE

Huawei SEQ Analyst Vulnerable to cross-site scripting

Trust: 0.8

sources: JVNDB: JVNDB-2015-002551

DESCRIPTION

Cross-site scripting (XSS) vulnerability in Huawei SEQ Analyst before V200R002C03LG0001CP0022 allows remote attackers to inject arbitrary web script or HTML via the command XML element in the req parameter to flexdata.action in (1) common/, (2) monitor/, or (3) psnpm/ or the (4) module XML element in the req parameter to flexdata.action in monitor/. The platform provides functions such as service debugging, user complaint handling, troubleshooting, user experience management and deployment of value-added services. A remote attacker can exploit this vulnerability to inject arbitrary web script or HTML. #Document Title: ============ Huawei SEQ Analyst - Multiple Reflected Cross Site Scripting (XSS) #Release Date: =========== 15 Apr 2015 #CVE-ID: ======= CVE-2015-2347 #Product & Service Introduction: ======================= SEQ Analyst is a platform for business quality monitoring and management by individual user and multiple vendors in a quasi-realtime and retraceable manner More Details & Manual ; http://download.huawei.com/download/filedownload.do?modelID=bulletin&refID=IN0000056669,101 #Vulnerability Disclosure Timeline: ======================== 3 Mar 2015 Bug reported to the vendor. 6 Mar 2015 Vendor returned ; investigating 16 Mar 2015 Asked about the case. 16 Mar 2015 Vendor has validated the issue. 17 Mar 2015 There aren't any fix the issue. 18 Mar 2015 CVE number assigned 15 Apr 2015 Fixed #Affected Product(s): =============== Huawei Technologies Co. Ltd

Trust: 1.8

sources: NVD: CVE-2015-2347 // JVNDB: JVNDB-2015-002551 // VULHUB: VHN-80308 // PACKETSTORM: 131460

AFFECTED PRODUCTS

vendor:	huawei	model:	seq analyst	scope:	lte	version:	v200r002c03lg0001spc100	Trust: 1.0
vendor:	huawei	model:	seq analyst	scope:	lt	version:	v200r002c03lg0001cp0022	Trust: 0.8
vendor:	huawei	model:	seq analyst	scope:	eq	version:	v200r002c03lg0001spc100	Trust: 0.6

sources: JVNDB: JVNDB-2015-002551 // CNNVD: CNNVD-201505-064 // NVD: CVE-2015-2347

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2015-2347
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2015-2347
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-201505-064
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-80308
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2015-2347
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
VULHUB:	VHN-80308
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

sources: VULHUB: VHN-80308 // JVNDB: JVNDB-2015-002551 // CNNVD: CNNVD-201505-064 // NVD: CVE-2015-2347

PROBLEMTYPE DATA

problemtype:

CWE-79

Trust: 1.9

sources: VULHUB: VHN-80308 // JVNDB: JVNDB-2015-002551 // NVD: CVE-2015-2347

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201505-064

TYPE

xss

Trust: 0.7

sources: PACKETSTORM: 131460 // CNNVD: CNNVD-201505-064

CONFIGURATIONS

sources: JVNDB: JVNDB-2015-002551

PATCH

title:

Security Notice - Statement about Two Vulnerabilities in SEQ Analyst Product

url:

http://www.huawei.com/en/security/psirt/security-bulletins/security-notices/hw-424267.htm

Trust: 0.8

sources: JVNDB: JVNDB-2015-002551

EXTERNAL IDS

db:	NVD	id:	CVE-2015-2347	Trust: 2.6
db:	PACKETSTORM	id:	131460	Trust: 1.8
db:	JVNDB	id:	JVNDB-2015-002551	Trust: 0.8
db:	CNNVD	id:	CNNVD-201505-064	Trust: 0.7
db:	VULHUB	id:	VHN-80308	Trust: 0.1

sources: VULHUB: VHN-80308 // JVNDB: JVNDB-2015-002551 // PACKETSTORM: 131460 // CNNVD: CNNVD-201505-064 // NVD: CVE-2015-2347

REFERENCES

url:	http://www.huawei.com/en/security/psirt/security-bulletins/security-notices/hw-424267.htm	Trust: 1.7
url:	http://seclists.org/fulldisclosure/2015/apr/43	Trust: 1.7
url:	http://packetstormsecurity.com/files/131460/huawei-seq-analyst-cross-site-scripting.html	Trust: 1.7
url:	https://drive.google.com/folderview?id=0b-lwhbwdk3p9fnbllwzqwlzqnnb0b2xhwfpyuwt3bmy3y0lpuhvlnm9vtulfcwhythlzsuu&usp=sharing	Trust: 1.7
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-2347	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2015-2347	Trust: 0.8
url:	https://drive.google.com/folderview?id=0b-lwhbwdk3p9fnbllwzqwlzqnnb0b2xhwfpyuwt3bmy3y0lpuhvlnm9vtulfcwhythlzsuu&usp=sharing	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2015-2347	Trust: 0.1
url:	https://www.uceka.com	Trust: 0.1
url:	http://download.huawei.com/download/filedownload.do?modelid=bulletin&refid=in0000056669,101	Trust: 0.1

sources: VULHUB: VHN-80308 // JVNDB: JVNDB-2015-002551 // PACKETSTORM: 131460 // CNNVD: CNNVD-201505-064 // NVD: CVE-2015-2347

CREDITS

Ugur Cihan KOC

Trust: 0.1

sources: PACKETSTORM: 131460

SOURCES

db:	VULHUB	id:	VHN-80308
db:	JVNDB	id:	JVNDB-2015-002551
db:	PACKETSTORM	id:	131460
db:	CNNVD	id:	CNNVD-201505-064
db:	NVD	id:	CVE-2015-2347

LAST UPDATE DATE

2025-04-13T23:41:21.042000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-80308	date:	2015-05-11T00:00:00
db:	JVNDB	id:	JVNDB-2015-002551	date:	2015-05-12T00:00:00
db:	CNNVD	id:	CNNVD-201505-064	date:	2015-05-11T00:00:00
db:	NVD	id:	CVE-2015-2347	date:	2025-04-12T10:46:40.837

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-80308	date:	2015-05-08T00:00:00
db:	JVNDB	id:	JVNDB-2015-002551	date:	2015-05-12T00:00:00
db:	PACKETSTORM	id:	131460	date:	2015-04-16T05:39:49
db:	CNNVD	id:	CNNVD-201505-064	date:	2015-05-11T00:00:00
db:	NVD	id:	CVE-2015-2347	date:	2015-05-08T14:59:01.400