Security Advisory - VCM User Horizontal Privilege Escalation Vulnerability
- SA No:SA No: Huawei-SA-20151125-01-VCM
- Initial Release Date: 2015-11-25
- Last Release Date: 2015-11-25
Huawei Video Content Management (VCM) system does not properly authenticate online users' identities and privileges, which leads to users' horizontal privilege escalation. An attacker may craft malicious messages, send them to the server, and perform illegitimate operations on cases created by other users, affecting other user operations and use (Vulnerability ID: HWPSIRT-2015-07043).
This vulnerability has been assigned Common Vulnerabilities and Exposures (CVE) ID: CVE-2015-8332.
Huawei has released software updates to fix this vulnerability. This advisory is available at the following link:
http://www.huawei.com/en/security/psirt/security-bulletins/security-advisories/hw-462985.htm|
Product Name |
Affected Version |
Resolved Product and Version |
|
VCM |
V100R001C10B010 |
V100R001C10SPC001 |
The attacker can perform operations (such as modification) on cases created by other users.
The vulnerability classification has been performed by using the CVSSv2 scoring system (http://www.first.org/cvss/).
Base Score: 6.0 (AV:N/AC:M/Au:S/C:P/I:P/A:P)
Temporal Score: 5.0 (E:F/RL:O/RC:C)
1. Prerequisites:
The attacker logs in to VCM as an authorized user.
2. Attacking procedure:
The attacker logs in to the client, sends maliciously crafted messages to the server, and perform operations (such as modification) on other users' cases.
For security problems about Huawei products and solutions, please contactPSIRT@huawei.com.
For general problems about Huawei products and solutions, please directly contact Huawei TAC (Huawei Technical Assistance Center) to request the configuration or technical assistance.
2015-11-25 V1.0 INITIAL
None
