Vulnerability-Lookup

CNVD-2017-24375

Vulnerability from cnvd - Published: 2017-09-02

Title

Huawei VMall越权漏洞

Description

Huawei VMall是华为旗下面向全国服务的电子商务平台。 Huawei VMall存在越权漏洞，未获取访问权限的本地攻击者可利用该漏洞诱使用户安装恶意手机应用，向外发出HTTP请求并执行Javascript代码，占用系统资源或获取系统信息。

Severity

低

Patch Name

Huawei VMall越权漏洞的补丁

Patch Description

Huawei VMall是华为旗下面向全国服务的电子商务平台。 Huawei VMall存在越权漏洞，未获取访问权限的本地攻击者可利用该漏洞诱使用户安装恶意手机应用，向外发出HTTP请求并执行Javascript代码，占用系统资源或获取系统信息。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： http://www.huawei.com/cn/psirt/security-advisories/2017/huawei-sa-20170901-01-smartphone-cn

Reference

http://www.huawei.com/cn/psirt/security-advisories/2017/huawei-sa-20170901-01-smartphone-cn

Impacted products

Name
Huawei VMall for Android <1.5.8.5

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2017-8153"
    }
  },
  "description": "Huawei VMall\u662f\u534e\u4e3a\u65d7\u4e0b\u9762\u5411\u5168\u56fd\u670d\u52a1\u7684\u7535\u5b50\u5546\u52a1\u5e73\u53f0\u3002\r\n\r\nHuawei VMall\u5b58\u5728\u8d8a\u6743\u6f0f\u6d1e\uff0c\u672a\u83b7\u53d6\u8bbf\u95ee\u6743\u9650\u7684\u672c\u5730\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u8bf1\u4f7f\u7528\u6237\u5b89\u88c5\u6076\u610f\u624b\u673a\u5e94\u7528\uff0c\u5411\u5916\u53d1\u51faHTTP\u8bf7\u6c42\u5e76\u6267\u884cJavascript\u4ee3\u7801\uff0c\u5360\u7528\u7cfb\u7edf\u8d44\u6e90\u6216\u83b7\u53d6\u7cfb\u7edf\u4fe1\u606f\u3002",
  "discovererName": "Erez Yalon",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u7ecf\u53d1\u5e03\u4e86\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6b64\u5b89\u5168\u95ee\u9898\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttp://www.huawei.com/cn/psirt/security-advisories/2017/huawei-sa-20170901-01-smartphone-cn",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2017-24375",
  "openTime": "2017-09-02",
  "patchDescription": "Huawei VMall\u662f\u534e\u4e3a\u65d7\u4e0b\u9762\u5411\u5168\u56fd\u670d\u52a1\u7684\u7535\u5b50\u5546\u52a1\u5e73\u53f0\u3002\r\n\r\nHuawei VMall\u5b58\u5728\u8d8a\u6743\u6f0f\u6d1e\uff0c\u672a\u83b7\u53d6\u8bbf\u95ee\u6743\u9650\u7684\u672c\u5730\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u8bf1\u4f7f\u7528\u6237\u5b89\u88c5\u6076\u610f\u624b\u673a\u5e94\u7528\uff0c\u5411\u5916\u53d1\u51faHTTP\u8bf7\u6c42\u5e76\u6267\u884cJavascript\u4ee3\u7801\uff0c\u5360\u7528\u7cfb\u7edf\u8d44\u6e90\u6216\u83b7\u53d6\u7cfb\u7edf\u4fe1\u606f\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Huawei VMall\u8d8a\u6743\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "Huawei VMall for Android \u003c1.5.8.5"
  },
  "referenceLink": "http://www.huawei.com/cn/psirt/security-advisories/2017/huawei-sa-20170901-01-smartphone-cn",
  "serverity": "\u4f4e",
  "submitTime": "2017-09-02",
  "title": "Huawei VMall\u8d8a\u6743\u6f0f\u6d1e"
}

CVE-2017-8153 (GCVE-0-2017-8153)

Vulnerability from cvelistv5 – Published: 2017-11-22 19:00 – Updated: 2024-09-17 01:27

Summary

Huawei VMall (for Android) with the versions before 1.5.8.5 have a privilege elevation vulnerability due to improper design. An attacker can trick users into installing a malicious app which can send out HTTP requests and execute JavaScript code in web pages without obtaining the Internet access permission. Successful exploit could lead to resource occupation or information leak.

Severity ?

No CVSS data available.

CWE

Privilege Escalation

Assigner

huawei

References

URL

Tags

http://www.huawei.com/en/psirt/security-advisorie…

x_refsource_CONFIRM

Impacted products

	Vendor	Product	Version
	Huawei Technologies Co., Ltd.	VMall (for Android)	Affected: The versions before VMall 1.5.8.5

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T16:27:22.904Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20170901-01-smartphone-en"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "VMall (for Android)",
          "vendor": "Huawei Technologies Co., Ltd.",
          "versions": [
            {
              "status": "affected",
              "version": "The versions before VMall 1.5.8.5"
            }
          ]
        }
      ],
      "datePublic": "2017-11-15T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "Huawei VMall (for Android) with the versions before 1.5.8.5 have a privilege elevation vulnerability due to improper design. An attacker can trick users into installing a malicious app which can send out HTTP requests and execute JavaScript code in web pages without obtaining the Internet access permission. Successful exploit could lead to resource occupation or information leak."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Privilege Escalation",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2017-11-22T18:57:01",
        "orgId": "25ac1063-e409-4190-8079-24548c77ea2e",
        "shortName": "huawei"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20170901-01-smartphone-en"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "psirt@huawei.com",
          "DATE_PUBLIC": "2017-11-15T00:00:00",
          "ID": "CVE-2017-8153",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "VMall (for Android)",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "The versions before VMall 1.5.8.5"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Huawei Technologies Co., Ltd."
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Huawei VMall (for Android) with the versions before 1.5.8.5 have a privilege elevation vulnerability due to improper design. An attacker can trick users into installing a malicious app which can send out HTTP requests and execute JavaScript code in web pages without obtaining the Internet access permission. Successful exploit could lead to resource occupation or information leak."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Privilege Escalation"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20170901-01-smartphone-en",
              "refsource": "CONFIRM",
              "url": "http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20170901-01-smartphone-en"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "25ac1063-e409-4190-8079-24548c77ea2e",
    "assignerShortName": "huawei",
    "cveId": "CVE-2017-8153",
    "datePublished": "2017-11-22T19:00:00Z",
    "dateReserved": "2017-04-25T00:00:00",
    "dateUpdated": "2024-09-17T01:27:00.762Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2017-24375

CVE-2017-8153 (GCVE-0-2017-8153)

Tags

Sightings

Nomenclature