The combination of both allows an attacker (with a little help from the victim) to remotely execute code on the device with root privileges, by sending a specifically crafted SMS.
The vendor has been notified on the 2013/03/18.
- Huawei WebUI XSS in SMS inbox page
But a specifically crafted SMS can bypass this flawed function and inject HTML tags in SMS inbox page:
- Huawei WebUI Shell injection (CVE-2013-2612)
Now, you may try to combine them.