Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Network Security

XSS Vulnerability Found in Alcatel-Lucent Carrier-Grade Switches

A reflected cross-site scripting (XSS) vulnerability has been identified in the management interface of the Alcatel-Lucent 1830 Photonic Service Switch, but the vendor doesn’t plan on fixing it any time soon.

A reflected cross-site scripting (XSS) vulnerability has been identified in the management interface of the Alcatel-Lucent 1830 Photonic Service Switch, but the vendor doesn’t plan on fixing it any time soon.

The 1830 Photonic Service Switch is part of the French global telecommunications equipment company’s offering for cable multiple-system operator (MSO) networks. 

 The flaw, which affects version 6.0 and earlier of the product, was discovered in May by the Computer Security Incident Response Team (CSIRT) of the Switzerland-based telecoms company Swisscom. The vulnerability has been assigned the CVE identifier CVE-2014-3809.

Alcatel-Lucent 1830 Photonic Service Switch “The management interface of the 1830 Photonic Switch series is vulnerable to reflected cross-site scripting, since user input is not properly encoded on output. Exploiting this vulnerability will lead to so-called cross-site  scripting (XSS) and allows the impersonation of logged-in admin users. Additionally, the myurl-Parameter accepts non-local web addresses, which can be abused to redirect victims to arbitrary web sites,” Swisscom’s Stephan Rickauer explained in an advisory.

Alcatel-Lucent was informed of the security hole’s existence on June 13. The company’s security team confirmed the existence of the issue three days later.

After Swisscom researchers made several inquiries regarding a patch for the vulnerability, Alcatel-Lucent informed them today that it doesn’t consider this to be a high-priority issue. As a result, details and the attack vector have been disclosed by Swisscom.

“The vulnerability is assessed at no risk. We will evaluate if/when we will add the best practice of validating all inputs in WebUI tasks, but this is not considered high priority for the roadmap,” Alcatel-Lucent stated.

While this vulnerability might not be considered critical, Alcatel-Lucent is one of the many tech giants that have had to deal with the recently uncovered GNU Bash vulnerability known as ShellShock. In late September, shortly after the existence of the vulnerability came to light, the company informed customers that Bash is used in several products.

“We are currently investigating the impact on our portfolio and already taking actions to ensure the vulnerability has no further impact on products in our portfolio,” reads a message currently published on the page dedicated to the company’s Portfolio Security Issue Response Team (PSIRT).

Advertisement. Scroll to continue reading.

Alcatel-Lucent advises researchers who identify vulnerabilities in the company’s products to complete a standard document available on the PSIRT page and send it via email to [email protected].

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.