CVE-2014-2946

Name of the Vulnerable Software and Affected Versions Huawei E303 modems with software 22.157.18.00.858 Huawei Web UI version 11.010.06.01.858

Description A cross-site request forgery (CSRF) issue exists in the api/sms/send-sms endpoint of the Web UI, allowing remote attackers to hijack administrator authentication for requests that perform API operations and send SMS messages. This can be achieved via a request element in an XML document.

Recommendations For Huawei E303 modems with software 22.157.18.00.858, consider restricting access to the api/sms/send-sms endpoint until a patch is available. For Huawei Web UI version 11.010.06.01.858, avoid using the Web UI for sensitive operations until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.