CVE-2013-4629 - Credentials Management vulnerability in Huawei VP 9610 and VP 9620

CVSS 8.5 - HIGH
Attack vector: NETWORK
Attack complexity: MEDIUM
Privileges required: SINGLE
Confidentiality impact: COMPLETE
Integrity impact: COMPLETE
Availability impact: COMPLETE
Tags: network, huawei, CWE-255, nessus

Summary

The Huawei viewpoint VP9610 and VP9620 units for the Huawei Video Conference system do not update the Session ID upon successful establishment of a login session, which allows remote authenticated users to hijack sessions via an unspecified interception method.

Vulnerable Configurations

Part: Hardware
Description: Huawei
Count: 2

Common Weakness Enumeration (CWE)

Nessus

NASL family: Huawei Local Security Checks
NASL id: HUAWEI-SA-20130513-01-VP.NASL
description: The remote host is a Huawei switch running a firmware version that is affected by a fixed session ID vulnerability. A remote, unauthenticated attacker can exploit this to spoof a legitimate user.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 77335
published: 2014-08-22
reporter: This script is Copyright (C) 2014-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/77335
title: Huawei VP9610 / 9620 Fixed Session ID (HWNSIRT-2013-0318)