{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2015-06-10T00:00:00", "descriptions": [{"lang": "en", "value": "Cross-site request forgery (CSRF) vulnerability in sec/content/sec_asa_users_local_db_add.html in the management web interface in Alcatel-Lucent OmniSwitch 6450, 6250, 6850E, 9000E, 6400, 6855, 6900, 10K, and 6860 with firmware 6.4.5.R02, 6.4.6.R01, 6.6.4.R01, 6.6.5.R02, 7.3.2.R01, 7.3.3.R01, 7.3.4.R01, and 8.1.1.R01 allows remote attackers to hijack the authentication of administrators for requests that create users via a crafted request."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-10-09T18:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "20150610 [RT-SA-2015-004] Alcatel-Lucent OmniSwitch Web Interface Cross-Site Request Forgery", "tags": ["mailing-list", "x_refsource_BUGTRAQ"], "url": "http://www.securityfocus.com/archive/1/535732/100/0/threaded"}, {"tags": ["x_refsource_MISC"], "url": "https://www.redteam-pentesting.de/advisories/rt-sa-2015-004"}, {"name": "1032544", "tags": ["vdb-entry", "x_refsource_SECTRACK"], "url": "http://www.securitytracker.com/id/1032544"}, {"name": "20150610 [RT-SA-2015-004] Alcatel-Lucent OmniSwitch Web Interface Cross-Site Request Forgery", "tags": ["mailing-list", "x_refsource_FULLDISC"], "url": "http://seclists.org/fulldisclosure/2015/Jun/23"}, {"name": "75121", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/75121"}, {"name": "37261", "tags": ["exploit", "x_refsource_EXPLOIT-DB"], "url": "https://www.exploit-db.com/exploits/37261/"}, {"tags": ["x_refsource_MISC"], "url": "http://packetstormsecurity.com/files/132236/Alcatel-Lucent-OmniSwitch-Web-Interface-Cross-Site-Request-Forgery.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2015-2805", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Cross-site request forgery (CSRF) vulnerability in sec/content/sec_asa_users_local_db_add.html in the management web interface in Alcatel-Lucent OmniSwitch 6450, 6250, 6850E, 9000E, 6400, 6855, 6900, 10K, and 6860 with firmware 6.4.5.R02, 6.4.6.R01, 6.6.4.R01, 6.6.5.R02, 7.3.2.R01, 7.3.3.R01, 7.3.4.R01, and 8.1.1.R01 allows remote attackers to hijack the authentication of administrators for requests that create users via a crafted request."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "20150610 [RT-SA-2015-004] Alcatel-Lucent OmniSwitch Web Interface Cross-Site Request Forgery", "refsource": "BUGTRAQ", "url": "http://www.securityfocus.com/archive/1/535732/100/0/threaded"}, {"name": "https://www.redteam-pentesting.de/advisories/rt-sa-2015-004", "refsource": "MISC", "url": "https://www.redteam-pentesting.de/advisories/rt-sa-2015-004"}, {"name": "1032544", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id/1032544"}, {"name": "20150610 [RT-SA-2015-004] Alcatel-Lucent OmniSwitch Web Interface Cross-Site Request Forgery", "refsource": "FULLDISC", "url": "http://seclists.org/fulldisclosure/2015/Jun/23"}, {"name": "75121", "refsource": "BID", "url": "http://www.securityfocus.com/bid/75121"}, {"name": "37261", "refsource": "EXPLOIT-DB", "url": "https://www.exploit-db.com/exploits/37261/"}, {"name": "http://packetstormsecurity.com/files/132236/Alcatel-Lucent-OmniSwitch-Web-Interface-Cross-Site-Request-Forgery.html", "refsource": "MISC", "url": "http://packetstormsecurity.com/files/132236/Alcatel-Lucent-OmniSwitch-Web-Interface-Cross-Site-Request-Forgery.html"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T05:24:38.893Z"}, "title": "CVE Program Container", "references": [{"name": "20150610 [RT-SA-2015-004] Alcatel-Lucent OmniSwitch Web Interface Cross-Site Request Forgery", "tags": ["mailing-list", "x_refsource_BUGTRAQ", "x_transferred"], "url": "http://www.securityfocus.com/archive/1/535732/100/0/threaded"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.redteam-pentesting.de/advisories/rt-sa-2015-004"}, {"name": "1032544", "tags": ["vdb-entry", "x_refsource_SECTRACK", "x_transferred"], "url": "http://www.securitytracker.com/id/1032544"}, {"name": "20150610 [RT-SA-2015-004] Alcatel-Lucent OmniSwitch Web Interface Cross-Site Request Forgery", "tags": ["mailing-list", "x_refsource_FULLDISC", "x_transferred"], "url": "http://seclists.org/fulldisclosure/2015/Jun/23"}, {"name": "75121", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/75121"}, {"name": "37261", "tags": ["exploit", "x_refsource_EXPLOIT-DB", "x_transferred"], "url": "https://www.exploit-db.com/exploits/37261/"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://packetstormsecurity.com/files/132236/Alcatel-Lucent-OmniSwitch-Web-Interface-Cross-Site-Request-Forgery.html"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2015-2805", "datePublished": "2015-06-16T16:00:00", "dateReserved": "2015-03-30T00:00:00", "dateUpdated": "2024-08-06T05:24:38.893Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:alcatel-lucent:omniswitch_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "146D0494-CC3B-47E9-8798-631AA8015A73", "versionEndIncluding": "6.4.5.r02", "vulnerable": true}, {"criteria": "cpe:2.3:o:alcatel-lucent:omniswitch_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "8B629D98-2C6F-4937-A3B3-CD3FEE2B61FD", "versionEndIncluding": "6.4.6.r01", "vulnerable": true}, {"criteria": "cpe:2.3:o:alcatel-lucent:omniswitch_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "A8CE49B7-937F-4CEE-9A3D-1D94C6A0C0FE", "versionEndIncluding": "6.6.4.r01", "vulnerable": true}, {"criteria": "cpe:2.3:o:alcatel-lucent:omniswitch_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "AB4AC6CF-716C-4A40-B0BB-8C652565FD52", "versionEndIncluding": "6.6.5.r02", "vulnerable": true}, {"criteria": "cpe:2.3:o:alcatel-lucent:omniswitch_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "FB40E084-75AF-4851-A2DC-A9D6C175C1E4", "versionEndIncluding": "7.3.2.r01", "vulnerable": true}, {"criteria": "cpe:2.3:o:alcatel-lucent:omniswitch_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "F70B59CA-426A-49A1-BD75-516FBC0A4935", "versionEndIncluding": "7.3.3.r01", "vulnerable": true}, {"criteria": "cpe:2.3:o:alcatel-lucent:omniswitch_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "C61B0959-BF8F-4645-9690-B5E7D43CD0D1", "versionEndIncluding": "7.3.4.r01", "vulnerable": true}, {"criteria": "cpe:2.3:o:alcatel-lucent:omniswitch_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "6B01558D-907A-4746-A09C-5761A6EE5B8C", "versionEndIncluding": "8.1.1.r01", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:alcatel-lucent:omniswitch_10k:*:*:*:*:*:*:*:*", "matchCriteriaId": "F7C154AC-D64C-4CB0-99E6-1792B23237BE", "vulnerable": false}, {"criteria": "cpe:2.3:h:alcatel-lucent:omniswitch_6250:*:*:*:*:*:*:*:*", "matchCriteriaId": "CC17F6AB-A4A7-4DCF-A38D-567A626BAC9D", "vulnerable": false}, {"criteria": "cpe:2.3:h:alcatel-lucent:omniswitch_6400:*:*:*:*:*:*:*:*", "matchCriteriaId": "6E628D41-4AC8-4C60-8353-028588BAE9C0", "vulnerable": false}, {"criteria": "cpe:2.3:h:alcatel-lucent:omniswitch_6450:*:*:*:*:*:*:*:*", "matchCriteriaId": "A4D9AB0D-317D-4147-B944-02922FC3E14A", "vulnerable": false}, {"criteria": "cpe:2.3:h:alcatel-lucent:omniswitch_6850e:*:*:*:*:*:*:*:*", "matchCriteriaId": "2026FD8F-2734-4927-AE3D-F346B6A3F7DD", "vulnerable": false}, {"criteria": "cpe:2.3:h:alcatel-lucent:omniswitch_6855:*:*:*:*:*:*:*:*", "matchCriteriaId": "9CA46E94-6195-4AD9-A6C1-97F309D57614", "vulnerable": false}, {"criteria": "cpe:2.3:h:alcatel-lucent:omniswitch_6860:*:*:*:*:*:*:*:*", "matchCriteriaId": "E6558791-5C3C-451C-B8C9-498A27555248", "vulnerable": false}, {"criteria": "cpe:2.3:h:alcatel-lucent:omniswitch_6900:*:*:*:*:*:*:*:*", "matchCriteriaId": "C314BC45-D037-4FD9-B893-A737358EA851", "vulnerable": false}, {"criteria": "cpe:2.3:h:alcatel-lucent:omniswitch_9000e:*:*:*:*:*:*:*:*", "matchCriteriaId": "30CE6E3F-9C8A-4EC8-9DF5-DA618C4985C6", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "Cross-site request forgery (CSRF) vulnerability in sec/content/sec_asa_users_local_db_add.html in the management web interface in Alcatel-Lucent OmniSwitch 6450, 6250, 6850E, 9000E, 6400, 6855, 6900, 10K, and 6860 with firmware 6.4.5.R02, 6.4.6.R01, 6.6.4.R01, 6.6.5.R02, 7.3.2.R01, 7.3.3.R01, 7.3.4.R01, and 8.1.1.R01 allows remote attackers to hijack the authentication of administrators for requests that create users via a crafted request."}, {"lang": "es", "value": "Vulnerabilidad de CSRF en sec/content/sec_asa_users_local_db_add.html en la interfaz de gesti\u00f3n en Alcatel-Lucent OmniSwitch 6450, 6250, 6850E, 9000E, 6400, 6855, 6900, 10K, y 6860 con firmware 6.4.5.R02, 6.4.6.R01, 6.6.4.R01, 6.6.5.R02, 7.3.2.R01, 7.3.3.R01, 7.3.4.R01, y 8.1.1.R01 permite a atacantes remotos secuestrar la autenticaci\u00f3n de administradores para solicitudes que crean usuarios a trav\u00e9s de una solicitud manipulada."}], "id": "CVE-2015-2805", "lastModified": "2024-11-21T02:28:06.697", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}]}, "published": "2015-06-16T16:59:01.113", "references": [{"source": "cve@mitre.org", "tags": ["Exploit"], "url": "http://packetstormsecurity.com/files/132236/Alcatel-Lucent-OmniSwitch-Web-Interface-Cross-Site-Request-Forgery.html"}, {"source": "cve@mitre.org", "tags": ["Exploit"], "url": "http://seclists.org/fulldisclosure/2015/Jun/23"}, {"source": "cve@mitre.org", "url": "http://www.securityfocus.com/archive/1/535732/100/0/threaded"}, {"source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/75121"}, {"source": "cve@mitre.org", "url": "http://www.securitytracker.com/id/1032544"}, {"source": "cve@mitre.org", "tags": ["Exploit"], "url": "https://www.exploit-db.com/exploits/37261/"}, {"source": "cve@mitre.org", "tags": ["Exploit"], "url": "https://www.redteam-pentesting.de/advisories/rt-sa-2015-004"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit"], "url": "http://packetstormsecurity.com/files/132236/Alcatel-Lucent-OmniSwitch-Web-Interface-Cross-Site-Request-Forgery.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit"], "url": "http://seclists.org/fulldisclosure/2015/Jun/23"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/archive/1/535732/100/0/threaded"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/75121"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securitytracker.com/id/1032544"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit"], "url": "https://www.exploit-db.com/exploits/37261/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit"], "url": "https://www.redteam-pentesting.de/advisories/rt-sa-2015-004"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}