{"vuid":"VU#688812","idnumber":"688812","name":"Huawei E355 contains a stored cross-site scripting vulnerability","keywords":["CWE-79","XSS","Huawei","E355"],"overview":"The Huawei E355 built-in web interface contains a stored cross-site scripting vulnerability.","clean_desc":"Huawei E355 wireless broadband modems include a web interface for administration and additional services. The web interface allows users to receive SMS messages using the connected cellular network. CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')\nThe web interface is vulnerable to a stored cross-site scripting vulnerability. The vulnerability can be exploited if a victim views SMS messages that contain JavaScript using the web interface. The following device configuration was reported to be vulnerable. Other versions may be affected: Hardware version: CH1E355SM\nSoftware version: 21.157.37.01.910\nWeb UI version: 11.001.08.00.03","impact":"A malicious attacker may be able to execute arbitrary script in the context of the victim's browser.","resolution":"We are currently unaware of a practical solution to this problem.\nIn the meantime, please consider the following workaround:","workarounds":"Disable scripting\nDisable scripting in your web browser, as specified in the Securing Your Web Browser document.","sysaffected":"","thanks":"Thanks to Jimson James for reporting this vulnerability.","author":"This document was written by Todd Lewellen.","public":["http://www.huawei.com","http://cwe.mitre.org/data/definitions/79.html"],"cveids":["CVE-2014-2968"],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2014-04-14T14:13:34Z","publicdate":"2014-07-21T00:00:00Z","datefirstpublished":"2014-07-21T13:24:18Z","dateupdated":"2014-07-21T13:24:22Z","revision":11,"vrda_d1_directreport":"1","vrda_d1_population":"3","vrda_d1_impact":"3","cam_widelyknown":"0","cam_exploitation":"0","cam_internetinfrastructure":"0","cam_population":"0","cam_impact":"0","cam_easeofexploitation":"0","cam_attackeraccessrequired":"0","cam_scorecurrent":"0","cam_scorecurrentwidelyknown":"0","cam_scorecurrentwidelyknownexploited":"0","ipprotocol":"","cvss_accessvector":"N","cvss_accesscomplexity":"L","cvss_authentication":null,"cvss_confidentialityimpact":"P","cvss_integrityimpact":"P","cvss_availabilityimpact":"N","cvss_exploitablity":null,"cvss_remediationlevel":"W","cvss_reportconfidence":"C","cvss_collateraldamagepotential":"L","cvss_targetdistribution":"L","cvss_securityrequirementscr":"ND","cvss_securityrequirementsir":"ND","cvss_securityrequirementsar":"ND","cvss_basescore":"6.4","cvss_basevector":"AV:N/AC:L/Au:N/C:P/I:P/A:N","cvss_temporalscore":"5.5","cvss_environmentalscore":"1.48560914073625","cvss_environmentalvector":"CDP:L/TD:L/CR:ND/IR:ND/AR:ND","metric":0.0,"vulnote":null}