CVE-2015-2805

Sažetak

Cross-site request forgery (CSRF) vulnerability in sec/content/sec_asa_users_local_db_add.html in the management web interface in Alcatel-Lucent OmniSwitch 6450, 6250, 6850E, 9000E, 6400, 6855, 6900, 10K, and 6860 with firmware 6.4.5.R02, 6.4.6.R01, 6.6.4.R01, 6.6.5.R02, 7.3.2.R01, 7.3.3.R01, 7.3.4.R01, and 8.1.1.R01 allows remote attackers to hijack the authentication of administrators for requests that create users via a crafted request.

Reference

http://packetstormsecurity.com/files/132236/Alcatel-Lucent-OmniSwitch-Web-Interface-Cross-Site-Request-Forgery.html
http://seclists.org/fulldisclosure/2015/Jun/23
http://www.securityfocus.com/archive/1/535732/100/0/threaded
http://www.securityfocus.com/bid/75121
http://www.securitytracker.com/id/1032544
https://www.exploit-db.com/exploits/37261/
https://www.redteam-pentesting.de/advisories/rt-sa-2015-004

CVSS

Base:	6.8
Impact:	6.4
Exploitability:	8.6

Pristup

Vektor	Složenost	Autentikacija
NETWORK	MEDIUM	NONE

Impact

Povjerljivost	Cjelovitost	Dostupnost
PARTIAL	PARTIAL	PARTIAL

CVSS vektor

AV:N/AC:M/Au:N/C:P/I:P/A:P

Zadnje važnije ažuriranje

09-10-2018 - 19:56

Objavljeno

16-06-2015 - 16:59