Alcatel-Lucent 1830 Photonic Service Switch PSS-32/16/4 up to 6.0 pop.html myurl cross site scripting [Disputed]
| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 5.1 | $0-$5k | 0.00 |
Summary
A vulnerability classified as problematic has been found in Alcatel-Lucent 1830 Photonic Service Switch PSS-32, 16 and 4 up to 6.0. The affected element is an unknown function of the file pop.html. This manipulation of the argument myurl with the input );<script>alert('xss')</script> causes cross site scripting.
This vulnerability is registered as CVE-2014-3809. Remote exploitation of the attack is possible. Furthermore, an exploit is available.
The real existence of this vulnerability is still doubted at the moment.
It is advisable to implement restrictive firewalling.
Details
A vulnerability has been found in Alcatel-Lucent 1830 Photonic Service Switch PSS-32, 16 and 4 up to 6.0 and classified as problematic. Affected by this vulnerability is some unknown processing of the file pop.html. The manipulation of the argument myurl with the input value );<script>alert('xss')</script> leads to a cross site scripting vulnerability. The CWE definition for the vulnerability is CWE-80. The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages. As an impact it is known to affect integrity.
The bug was discovered 05/21/2014. The weakness was published 12/01/2014 by Stephan Rickauer of Swisscom in a posting on Bugtraq (status: not defined). The advisory is shared at archives.neohapsis.com. The posting contains:
Vendor assesses XSS not to be an issue: "The vulnerability is assessed at no risk. We will evaluate if/when we will add the best practice of validating all inputs in WebUI tasks, but this is not considered high priority for the roadmap."
This vulnerability is known as CVE-2014-3809 since 05/21/2014. The attack can be launched remotely. The exploitation doesn't need any form of authentication. It demands that the victim is doing some kind of user interaction. Technical details and also a public exploit are known. The MITRE ATT&CK project uses the attack technique T1059.007 for this issue. The advisory points out:
The management interface of the 1830 Photonic Switch series is vulnerable to reflected cross-site scripting, since user input is not properly encoded on output. Exploiting this vulnerability will lead to so-called cross-site scripting (XSS) and allows the impersonation of logged-in admin users. Additionally, the myurl-Parameter accepts non-local web addresses, which can be abused to redirect victims to arbitrary web sites.
A public exploit has been developed by Stephan Rickauer in URL/Javascript and was published immediately after the advisory. It is possible to download the exploit at archives.neohapsis.com. It is declared as highly functional. The vulnerability was handled as a non-public zero-day exploit for at least 194 days. During that time the estimated underground price was around $0-$5k. The real existence of this vulnerability is still doubted at the moment. Using the search term inurl:pop.html it is possible to find vulnerable targets with Google Hacking.
Proper firewalling is able to address this issue.
The vulnerability is also documented in the databases at X-Force (99057) and SecurityFocus (BID 71401). Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
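An added example (not the vendor's code and not the advisory author's exploit) that contrasts the unencoded reflection of myurl described in the advisory with a hardened handler that validates the target and HTML-encodes it, and flags matching pop.html requests in constructed access-log lines; the handler functions, log format and hosts are assumptions.

```python
import html
import re
from urllib.parse import parse_qs, urlparse

# Input value quoted in the entry, used here as a constructed test input.
PAYLOAD = ");<script>alert('xss')</script>"

def render_vulnerable(myurl: str) -> str:
    # Flawed pattern named by the advisory: the parameter is reflected without output encoding.
    return '<a href="%s">Open</a>' % myurl

def validate_local_target(myurl: str) -> str:
    # Accept only a same-origin path; any scheme, host or protocol-relative '//' prefix is rejected,
    # which closes the redirect to non-local web addresses the advisory also mentions.
    u = urlparse(myurl)
    if u.scheme or u.netloc or not myurl.startswith("/") or myurl.startswith("//"):
        raise ValueError("non-local target rejected")
    return myurl

def render_hardened(myurl: str) -> str:
    # Validate the destination first, then HTML-encode it before placing it in an attribute.
    return '<a href="%s">Open</a>' % html.escape(validate_local_target(myurl), quote=True)

# Constructed sample access-log lines (hypothetical clients and hosts).
LOG_LINES = [
    '10.0.0.5 - - [01/Dec/2014:10:00:00 +0100] "GET /pop.html?myurl=/status.html HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Dec/2014:10:01:00 +0100] "GET /pop.html?myurl=%29%3B%3Cscript%3Ealert%28%27xss%27%29%3C%2Fscript%3E HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Dec/2014:10:02:00 +0100] "GET /pop.html?myurl=http://attacker.example/ HTTP/1.1" 200 512',
    '10.0.0.7 - - [01/Dec/2014:10:03:00 +0100] "GET /index.html HTTP/1.1" 200 2048',
]
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

def flag_requests(lines):
    # Returns (client, reason) for pop.html requests whose decoded myurl carries markup or is non-local.
    hits = []
    for line in lines:
        m = REQUEST.search(line)
        if not m:
            continue
        u = urlparse(m.group(1))
        if u.path != "/pop.html":
            continue
        for value in parse_qs(u.query).get("myurl", []):   # parse_qs percent-decodes the value
            if "<" in value or ">" in value:
                hits.append((line.split()[0], "markup in myurl"))
                continue
            try:
                validate_local_target(value)
            except ValueError:
                hits.append((line.split()[0], "non-local myurl"))
    return hits
```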
CVSSv3
VulDB Meta Base Score: 5.2
VulDB Meta Temp Score: 5.1
VulDB Base Score: 4.3
VulDB Temp Score: 4.1
NVD Base Score: 6.1
Exploiting
Class: Cross site scripting
CWE: CWE-80 / CWE-74 / CWE-707
Physical: No
Local: No
Remote: Yes
Access: Public
Status: Highly functional
Author: Stephan Rickauer
Countermeasures
Recommended: Firewall
Timeline
05/21/2014: vulnerability discovered; CVE-2014-3809 assigned
06/13/2014
12/01/2014: advisory and exploit published (Bugtraq)
12/03/2014: VulDB entry created
02/27/2022: VulDB entry updated
Sources
Advisory: archives.neohapsis.com
Researcher: Stephan Rickauer
Organization: Swisscom
Status: Not defined
CVE: CVE-2014-3809
GCVE (CVE): GCVE-0-2014-3809
GCVE (VulDB): GCVE-100-68305
X-Force: 99057 - Alcatel Lucent 1830 Photonic Service Switch PSS-32/16/4 pop.html cross-site scripting, Medium Risk
SecurityFocus: 71401
scip Labs: https://www.scip.ch/en/?labs.20161013
Entry
Created: 12/03/2014 10:14
Updated: 02/27/2022 11:32
Changes: 12/03/2014 10:14 (55), 07/06/2017 08:17 (8), 02/27/2022 11:24 (2), 02/27/2022 11:32 (18)