Cross-site request forgery (CSRF) vulnerability in sec/content/sec_asa_users_local_db_add.html in the management web interface in Alcatel-Lucent OmniSwitch 6450, 6250, 6850E, 9000E, 6400, 6855, 6900, 10K, and 6860 with firmware 6.4.5.R02, 6.4.6.R01, 6.6.4.R01, 6.6.5.R02, 7.3.2.R01, 7.3.3.R01, 7.3.4.R01, and 8.1.1.R01 allows remote attackers to hijack the authentication of administrators for requests that create users via a crafted request.

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:M/Au:N/C:P/I:P/A:P
Vendors Products
Alcatel-lucent
  • Omniswitch 6860
  • Omniswitch 10k
  • Omniswitch 6900
  • Omniswitch 6850e
  • Omniswitch 6400
  • Omniswitch 6855
  • Omniswitch 6250
  • Omniswitch 6450
  • Omniswitch Firmware
  • Omniswitch 9000e

Configuration 1 [-]

AND
OR cpe:2.3:o:alcatel-lucent:omniswitch_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:alcatel-lucent:omniswitch_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:alcatel-lucent:omniswitch_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:alcatel-lucent:omniswitch_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:alcatel-lucent:omniswitch_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:alcatel-lucent:omniswitch_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:alcatel-lucent:omniswitch_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:alcatel-lucent:omniswitch_firmware:*:*:*:*:*:*:*:*
OR cpe:2.3:h:alcatel-lucent:omniswitch_10k:*:*:*:*:*:*:*:*
cpe:2.3:h:alcatel-lucent:omniswitch_6250:*:*:*:*:*:*:*:*
cpe:2.3:h:alcatel-lucent:omniswitch_6400:*:*:*:*:*:*:*:*
cpe:2.3:h:alcatel-lucent:omniswitch_6450:*:*:*:*:*:*:*:*
cpe:2.3:h:alcatel-lucent:omniswitch_6850e:*:*:*:*:*:*:*:*
cpe:2.3:h:alcatel-lucent:omniswitch_6855:*:*:*:*:*:*:*:*
cpe:2.3:h:alcatel-lucent:omniswitch_6860:*:*:*:*:*:*:*:*
cpe:2.3:h:alcatel-lucent:omniswitch_6900:*:*:*:*:*:*:*:*
cpe:2.3:h:alcatel-lucent:omniswitch_9000e:*:*:*:*:*:*:*:*
References
Link Resource
http://packetstormsecurity.com/files/132236/Alcatel-Lucent-OmniSwitch-Web-Interface-Cross-Site-Request-Forgery.html Exploit
http://seclists.org/fulldisclosure/2015/Jun/23 Exploit
http://www.securityfocus.com/archive/1/535732/100/0/threaded
http://www.securityfocus.com/bid/75121
http://www.securitytracker.com/id/1032544
https://www.exploit-db.com/exploits/37261/ Exploit
https://www.redteam-pentesting.de/advisories/rt-sa-2015-004 Exploit
History

No history.

cve-icon MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2015-06-16T16:00:00

Updated: 2018-10-09T18:57:01

Reserved: 2015-03-30T00:00:00

Link: CVE-2015-2805

JSON object: View

cve-icon NVD Information

Status : Modified

Published: 2015-06-16T16:59:01.113

Modified: 2018-10-09T19:56:24.607

Link: CVE-2015-2805

JSON object: View

cve-icon Redhat Information

No data.

CWE