Vulnerability Description
Cross-site request forgery (CSRF) vulnerability in sec/content/sec_asa_users_local_db_add.html in the management web interface in Alcatel-Lucent OmniSwitch 6450, 6250, 6850E, 9000E, 6400, 6855, 6900, 10K, and 6860 with firmware 6.4.5.R02, 6.4.6.R01, 6.6.4.R01, 6.6.5.R02, 7.3.2.R01, 7.3.3.R01, 7.3.4.R01, and 8.1.1.R01 allows remote attackers to hijack the authentication of administrators for requests that create users via a crafted request.
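The pattern behind this entry, as an added illustration that is not OmniSwitch firmware code and not taken from any of the referenced advisories: a state-changing admin action that is authorised by nothing more than the browser's ambient session cookie, beside a hardened handler that binds the request to the management origin and to a per-session synchronizer token. Only the request path comes from the advisory; the form field names `username`, `password` and `csrf_token`, the cookie name `session`, and the management-interface origin `ADMIN_ORIGIN` are assumptions made for the example.

```python
"""CSRF model: vulnerable vs. hardened 'create local user' handler.

Added illustration, not OmniSwitch code. Assumed (not on the page): form
fields username/password/csrf_token, cookie 'session', ADMIN_ORIGIN.
Only TARGET_PATH is taken from the advisory text."""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

ADMIN_ORIGIN = "https://switch.example.internal"  # assumed management UI origin
TARGET_PATH = "/sec/content/sec_asa_users_local_db_add.html"  # from the advisory


@dataclass
class Request:
    method: str
    path: str
    headers: Dict[str, str]
    body: str               # application/x-www-form-urlencoded
    cookies: Dict[str, str]  # attached by the browser, whoever built the request


@dataclass
class Session:
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


SESSIONS = {"sess-admin": Session(user="admin")}  # constructed: one logged-in admin
LOCAL_USERS: Dict[str, str] = {}                   # the switch's local user database


def authed_session(req: Request) -> Optional[Session]:
    return SESSIONS.get(req.cookies.get("session", ""))


def store_user(form: Dict[str, list]) -> Tuple[int, str]:
    if not form.get("username") or not form.get("password"):
        return 400, "username and password required"
    LOCAL_USERS[form["username"][0]] = form["password"][0]
    return 200, "user created"


def create_user_vulnerable(req: Request) -> Tuple[int, str]:
    """Vulnerable pattern: POST to the right path plus a valid session cookie
    is all that is checked. A form auto-submitted by an attacker's page
    carries the admin's cookie, so the admin's browser does the work."""
    sess = authed_session(req)
    if req.method != "POST" or req.path != TARGET_PATH or sess is None:
        return 403, "forbidden"
    return store_user(parse_qs(req.body))


def origin_allowed(req: Request) -> bool:
    """Accept Origin; fall back to the Referer's scheme://host; fail closed
    when neither is present (older browsers omit Origin on form posts)."""
    origin = req.headers.get("Origin")
    if origin is None:
        referer = req.headers.get("Referer")
        if not referer:
            return False
        parts = urlsplit(referer)
        origin = f"{parts.scheme}://{parts.netloc}"
    return origin == ADMIN_ORIGIN


def create_user_hardened(req: Request) -> Tuple[int, str]:
    """Same checks, plus origin validation and a per-session synchronizer
    token that a cross-site page can neither read nor guess."""
    sess = authed_session(req)
    if req.method != "POST" or req.path != TARGET_PATH or sess is None:
        return 403, "forbidden"
    if not origin_allowed(req):
        return 403, "cross-origin request rejected"
    form = parse_qs(req.body)
    token = form.get("csrf_token", [""])[0]
    if not hmac.compare_digest(token.encode(), sess.csrf_token.encode()):
        return 403, "missing or invalid CSRF token"
    return store_user(form)


def forged_request(origin: Optional[str] = "https://attacker.example") -> Request:
    """What the admin's browser sends after loading the attacker's page:
    attacker-chosen method, path and body; browser-added cookie and Origin."""
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if origin is not None:
        headers["Origin"] = origin
    return Request("POST", TARGET_PATH, headers,
                   "username=backdoor&password=hunter2", {"session": "sess-admin"})


def legitimate_request() -> Request:
    """The same action issued from the management UI, carrying the token the
    server embedded in the page it served to this session."""
    token = SESSIONS["sess-admin"].csrf_token
    return Request("POST", TARGET_PATH,
                   {"Origin": ADMIN_ORIGIN,
                    "Content-Type": "application/x-www-form-urlencoded"},
                   f"username=ops&password=s3cret&csrf_token={token}",
                   {"session": "sess-admin"})


if __name__ == "__main__":
    print("vulnerable, forged:", create_user_vulnerable(forged_request()))
    print("hardened, forged:  ", create_user_hardened(forged_request()))
    print("hardened, legit:   ", create_user_hardened(legitimate_request()))
```

The vulnerable handler cannot tell the forged request from a real one because every input it inspects (method, path, cookie) is supplied by the victim's browser on the attacker's behalf. The hardened handler rejects the forged request twice over: the Origin is wrong, and even a request with no Origin or Referer at all still lacks a token that only a page served to the admin's session can contain.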
CVSS Score
6.8 (MEDIUM)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Alcatel-Lucent | OmniSwitch Firmware | <= 6.4.5.r02 |
| Alcatel-Lucent | OmniSwitch 10K | All versions |
| Alcatel-Lucent | OmniSwitch 6250 | All versions |
| Alcatel-Lucent | OmniSwitch 6400 | All versions |
| Alcatel-Lucent | OmniSwitch 6450 | All versions |
| Alcatel-Lucent | OmniSwitch 6850E | All versions |
| Alcatel-Lucent | OmniSwitch 6855 | All versions |
| Alcatel-Lucent | OmniSwitch 6860 | All versions |
| Alcatel-Lucent | OmniSwitch 6900 | All versions |
| Alcatel-Lucent | OmniSwitch 9000E | All versions |

The hardware rows carry no version because the flaw is in the firmware's management web interface, not the platform. The firmware range in the table is narrower than the description, which also lists 6.4.6.R01, 6.6.4.R01, 6.6.5.R02, 7.3.2.R01, 7.3.3.R01, 7.3.4.R01 and 8.1.1.R01 as affected; use the description's list when checking a device.
Related Weaknesses (CWE)
CWE-352: Cross-Site Request Forgery (CSRF)
References
- http://packetstormsecurity.com/files/132236/Alcatel-Lucent-OmniSwitch-Web-Interf (Exploit)
- http://seclists.org/fulldisclosure/2015/Jun/23 (Exploit)
- http://www.securityfocus.com/archive/1/535732/100/0/threaded
- http://www.securityfocus.com/bid/75121
- http://www.securitytracker.com/id/1032544
- https://www.exploit-db.com/exploits/37261/ (Exploit)
- https://www.redteam-pentesting.de/advisories/rt-sa-2015-004 (Exploit)
FAQ
What is CVE-2015-2805?
CVE-2015-2805 is a vulnerability with a CVSS score of 6.8 (MEDIUM). Cross-site request forgery (CSRF) vulnerability in sec/content/sec_asa_users_local_db_add.html in the management web interface in Alcatel-Lucent OmniSwitch 6450, 6250, 6850E, 9000E, 6400, 6855, 6900, ...
How severe is CVE-2015-2805?
CVE-2015-2805 has been rated MEDIUM with a CVSS base score of 6.8/10. This page lists only the base score and rating, not the full CVSS vector. Practically, exploitation needs an authenticated administrator to load attacker-controlled web content while logged in to the switch's management interface, and the payoff is a new local user on the switch.
Is there a patch for CVE-2015-2805?
The references above are third-party advisories and exploit write-ups (Packet Storm, Full Disclosure, SecurityFocus, SecurityTracker, Exploit-DB, RedTeam Pentesting); none is a vendor advisory, so consult Alcatel-Lucent support for fixed firmware for your platform. Affected products include: Alcatel-Lucent OmniSwitch Firmware, Alcatel-Lucent OmniSwitch 10K, Alcatel-Lucent OmniSwitch 6250, Alcatel-Lucent OmniSwitch 6400, Alcatel-Lucent OmniSwitch 6450. Until the firmware is updated, restrict the management web interface to a dedicated management network and avoid browsing other sites from a session that is logged in to the switch.