Vulnerability Note VU#325636
Huawei E303 contains a cross-site request forgery vulnerability
The built-in web interface of Huawei E303 devices contains a cross-site request forgery vulnerability.
Huawei E303 wireless broadband modems include a web interface for administration and additional services. The web interface allows users to send and receive SMS messages using the connected cellular network.
CWE-352: Cross-Site Request Forgery (CSRF)
A malicious site could send SMS messages on behalf of the device, possibly incurring SMS charges.
Huawei has stated they are currently working on a fix for this issue. In the meantime, CERT/CC is unaware of a practical solution to this problem.
Vendor Information

| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| Huawei Technologies | Affected | 10 Mar 2014 | 09 May 2014 |
Thanks to Benjamin Daniel Mussler for reporting this vulnerability.
This document was written by Todd Lewellen.
- CVE IDs: CVE-2014-2946
- Date Public: 30 May 2014
- Date First Published: 30 May 2014
- Date Last Updated: 05 Jun 2014
- Document Revision: 9