Vulnerability Note VU#325636
Huawei E303 contains a cross-site request forgery vulnerability
The built-in web interface of Huawei E303 devices contains a cross-site request forgery vulnerability.
Huawei E303 wireless broadband modems include a web interface for administration and additional services. The web interface allows users to send and receive SMS messages using the connected cellular network.
CWE-352: Cross-Site Request Forgery (CSRF)
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:25.0) Gecko/20100101 Firefox/25.0
Accept-Encoding: gzip, deflate
The following device configuration was reported to be vulnerable. Other versions may be affected:
Software version: 22.157.18.00.858
Hardware version: CH2E303SM
Web UI version: 11.010.06.01.858
A malicious site could send SMS messages on behalf of the device, possibly incurring SMS charges.
Huawei has stated they are currently working on a fix for this issue. In the meantime, CERT/CC is unaware of a practical solution to this problem.
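The kind of server-side check that closes this class of bug, as an added example (not from this advisory or from Huawei's firmware): a state-changing request is accepted only if it is same-origin and carries a per-session token. The `csrf_token` field name, the device address and the sample requests are constructed for illustration.

```python
import hmac
from urllib.parse import urlsplit

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}

def same_origin(headers):
    """True only if Origin (or, failing that, Referer) names the host addressed.
    Header keys are assumed to be normalised to this capitalisation."""
    host = headers.get("Host", "").lower()
    source = headers.get("Origin") or headers.get("Referer")
    if not host or not source:
        return False  # state-changing request with no provenance: reject
    parts = urlsplit(source)  # "null" and other opaque origins have no scheme
    return parts.scheme in ("http", "https") and parts.netloc.lower() == host

def csrf_check(method, headers, form, session_token):
    """Return (allowed, reason) for one request to a device web UI."""
    if method.upper() in SAFE_METHODS:
        return True, "safe method"
    if not same_origin(headers):
        return False, "cross-origin or missing Origin/Referer"
    supplied = form.get("csrf_token", "")  # hypothetical field name
    if not session_token or not hmac.compare_digest(
            supplied.encode(), session_token.encode()):
        return False, "missing or wrong anti-CSRF token"
    return True, "ok"

# Constructed sample requests (hypothetical device at 192.168.1.1).
TOKEN = "constructed-session-token"
DEVICE = "192.168.1.1"
SAMPLES = {
    "third-party page": ("POST", {"Host": DEVICE, "Origin": "http://other.example"}, {}),
    "no provenance": ("POST", {"Host": DEVICE}, {"csrf_token": TOKEN}),
    "opaque origin": ("POST", {"Host": DEVICE, "Origin": "null"}, {"csrf_token": TOKEN}),
    "own UI, no token": ("POST", {"Host": DEVICE, "Origin": "http://" + DEVICE}, {}),
    "own UI, token": ("POST", {"Host": DEVICE,
                               "Referer": "http://" + DEVICE + "/index.html"},
                      {"csrf_token": TOKEN}),
}

def run_samples():
    """Map each sample name to whether csrf_check would allow it."""
    return {name: csrf_check(m, h, f, TOKEN)[0] for name, (m, h, f) in SAMPLES.items()}

if __name__ == "__main__":
    for name, allowed in run_samples().items():
        print(f"{name:18} {'ALLOW' if allowed else 'REJECT'}")
```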
Vendor Information
| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| Huawei Technologies | Affected | 10 Mar 2014 | 09 May 2014 |
CVSS Metrics
Thanks to Benjamin Daniel Mussler for reporting this vulnerability.
This document was written by Todd Lewellen.
- CVE IDs: CVE-2014-2946
- Date Public: 30 May 2014
- Date First Published: 30 May 2014
- Date Last Updated: 05 Jun 2014
- Document Revision: 9
If you have feedback, comments, or additional information about this vulnerability, please send us email.