The built-in web interface of Huawei E303 devices contains a cross-site request forgery vulnerability.
Huawei E303 wireless broadband modems include a web interface for administration and additional services. The web interface allows users to send and receive SMS messages using the connected cellular network.
CWE-352: Cross-Site Request Forgery (CSRF)
A malicious site, when visited from a browser that can reach the device's web interface, could send SMS messages on behalf of the device, possibly incurring SMS charges.
Huawei has stated they are currently working on a fix for this issue. In the meantime, CERT/CC is unaware of a practical solution to this problem.
Thanks to Benjamin Daniel Mussler for reporting this vulnerability.
This document was written by Todd Lewellen.
| Date First Published: | 2014-05-30 |
| Date Last Updated: | 2014-06-05 21:16 UTC |