CVE-2015-2805

Cross-site request forgery (CSRF) vulnerability in sec/content/sec_asa_users_local_db_add.html in the management web interface in Alcatel-Lucent OmniSwitch 6450, 6250, 6850E, 9000E, 6400, 6855, 6900, 10K, and 6860 with firmware 6.4.5.R02, 6.4.6.R01, 6.6.4.R01, 6.6.5.R02, 7.3.2.R01, 7.3.3.R01, 7.3.4.R01, and 8.1.1.R01 allows remote attackers to hijack the authentication of administrators for requests that create users via a crafted request.
CSRF
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
6.8 UNKNOWN
NETWORK
MEDIUM
AV:N/AC:M/Au:N/C:P/I:P/A:P
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 78%
VendorProductVersion
alcatel-lucentomniswitch_firmware
𝑥
≤ 6.4.5.r02
alcatel-lucentomniswitch_firmware
𝑥
≤ 6.4.6.r01
alcatel-lucentomniswitch_firmware
𝑥
≤ 6.6.4.r01
alcatel-lucentomniswitch_firmware
𝑥
≤ 6.6.5.r02
alcatel-lucentomniswitch_firmware
𝑥
≤ 7.3.2.r01
alcatel-lucentomniswitch_firmware
𝑥
≤ 7.3.3.r01
alcatel-lucentomniswitch_firmware
𝑥
≤ 7.3.4.r01
alcatel-lucentomniswitch_firmware
𝑥
≤ 8.1.1.r01
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
http://packetstormsecurity.com/files/132236/Alcatel-Lucent-OmniSwitch-Web-Interface-Cross-Site-Request-Forgery.html
http://seclists.org/fulldisclosure/2015/Jun/23
http://www.securityfocus.com/archive/1/535732/100/0/threaded
http://www.securityfocus.com/bid/75121
http://www.securitytracker.com/id/1032544
https://www.exploit-db.com/exploits/37261/
https://www.redteam-pentesting.de/advisories/rt-sa-2015-004
http://packetstormsecurity.com/files/132236/Alcatel-Lucent-OmniSwitch-Web-Interface-Cross-Site-Request-Forgery.html
http://seclists.org/fulldisclosure/2015/Jun/23
http://www.securityfocus.com/archive/1/535732/100/0/threaded
http://www.securityfocus.com/bid/75121
http://www.securitytracker.com/id/1032544
https://www.exploit-db.com/exploits/37261/
https://www.redteam-pentesting.de/advisories/rt-sa-2015-004