Software Engineering Institute

Huawei E355 wireless broadband modems include a web interface for administration and additional services. The web interface allows users to receive SMS messages using the connected cellular network.

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The web interface is vulnerable to a stored cross-site scripting vulnerability. The vulnerability can be exploited if a victim views SMS messages that contain Javascript using the web interface.

The following device configuration was reported to be vulnerable. Other versions may be affected:
Hardware version: CH1E355SM
Software version: 21.157.37.01.910
Web UI version: 11.001.08.00.03

A malicious attacker may be able to execute arbitrary script in the context of the victim's browser.

We are currently unaware of a practical solution to this problem. In the meantime, please consider the following workaround:

Disable scripting

Disable scripting in your web browser, as specified in the Securing Your Web Browser document.