Jiang Zhiwei

**Name of the Vulnerable Software and Affected Versions** Huawei eSpace IAD versions V300R002C01SPC100 and earlier **Description** The issue allows an attacker to check and download fault information by accessing a special URL, resulting in an information leak. **Recommendations** For versions V300R002C01SPC100 and earlier, restrict access to the special URL used to download fault information until a fix is available.

**Name of the Vulnerable Software and Affected Versions** Huawei eSpace Integrated Access Device (IAD) versions V300R001C03 through V300R001C07, V300R001C20 **Description** The issue allows an attacker to trick a user into clicking a URL containing malicious scripts, potentially leading to the obtainment of user information or session hijacking, due to a cross-site scripting (XSS) issue. **Recommendations** For versions V300R001C03 through V300R001C07 and V300R001C20, consider restricting access to potentially vulnerable URLs and avoid clicking on suspicious links to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Huawei OceanStor ISM versions prior to V200R001C04SPC200 **Description** A cross-site scripting (XSS) issue exists in the management interface, allowing remote attackers to inject arbitrary web script or HTML. This can be achieved via the `loginName` parameter to "cgi-bin/doLogin CgiEntry" and possibly other unspecified vectors. **Recommendations** For versions prior to V200R001C04SPC200, update to V200R001C04SPC200 or later to resolve the issue. As a temporary workaround, consider restricting access to the "cgi-bin/doLogin CgiEntry" endpoint to minimize the risk of exploitation. Avoid using the `loginName` parameter in the affected endpoint until the issue is resolved.