SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Device (Router/Bridge/Hub)  >   Alcatel-Lucent OmniSwitch Vendors:   Alcatel-Lucent
Alcatel OmniSwitch Web Interface Flaw Lets Remote Users Conduct Cross-Site Request Forgery Attacks
SecurityTracker Alert ID:  1032544
SecurityTracker URL:  http://securitytracker.com/id/1032544
CVE Reference:   CVE-2015-2805   (Links to External Site)
Date:  Jun 10 2015
Impact:   Modification of user information
Vendor Confirmed:  Yes  Exploit Included:  Yes  

Description:   A vulnerability was reported in Alcatel OmniSwitch. A remote user can conduct cross-site request forgery attacks.

The OmniSwitch web interface does not properly validate user-supplied requests. A remote user can create specially crafted HTML that, when loaded by the target authenticated administrator, will take actions on the target interface acting as the target administrator.

The following OmniSwitch models are affected; 6450, 6250, 6850E, 9000E, 6400, 6855, 6900, 10K, 6860

The following versions are affected:

AOS 6.4.5.R02
AOS 6.4.6.R01
AOS 6.6.4.R01
AOS 6.6.5.R02
AOS 7.3.2.R01
AOS 7.3.3.R01
AOS 7.3.4.R01
AOS 8.1.1.R01

The vendor was notified on April 1, 2015.

The original advisory is available at:

https://www.redteam-pentesting.de/advisories/rt-sa-2015-004

RedTeam Pentesting reported this vulnerability.

Impact:   A remote user can take actions on the target site acting as the target user.
Solution:   No solution was available at the time of this entry.

The vendor plans to issue a fix by the end of July 2015.

Vendor URL:  enterprise.alcatel-lucent.com/ (Links to External Site)
Cause:   Access control error

Message History:   None.


 Source Message Contents



[Original Message Not Available for Viewing]


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2020, SecurityGlobal.net LLC