XSS Vulnerability Found in Alcatel-Lucent Carrier-Grade Switches

A reflected cross-site scripting (XSS) vulnerability has been identified in the management interface of the Alcatel-Lucent 1830 Photonic Service Switch, but the vendor doesn’t plan on fixing it any time soon.


The 1830 Photonic Service Switch is part of the French global telecommunications equipment company’s offering for cable multiple-system operator (MSO) networks.

The flaw, which affects version 6.0 and earlier of the product, was discovered in May by the Computer Security Incident Response Team (CSIRT) of the Switzerland-based telecoms company Swisscom. The vulnerability has been assigned the CVE identifier CVE-2014-3809.

“The management interface of the 1830 Photonic Switch series is vulnerable to reflected cross-site scripting, since user input is not properly encoded on output. Exploiting this vulnerability will lead to so-called cross-site scripting (XSS) and allows the impersonation of logged-in admin users. Additionally, the myurl-Parameter accepts non-local web addresses, which can be abused to redirect victims to arbitrary web sites,” Swisscom’s Stephan Rickauer explained in an advisory.
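The two defects the advisory describes, output that is not encoded and a redirect parameter that accepts non-local addresses, are both fixed by the same kind of check a web UI should apply on its way out. The following is an added example written for this article, not code from Alcatel-Lucent or Swisscom; it assumes a generic web handler, and the only identifier taken from the page is the parameter name `myurl`. The host `evil.example` is a constructed sample value.

```python
import html
from urllib.parse import urlsplit


def render_unencoded(username: str) -> str:
    """Vulnerable pattern: user-supplied text is copied verbatim into the HTML page,
    so any markup in it is interpreted by the browser (reflected XSS)."""
    return f"<p>Welcome, {username}</p>"


def render_encoded(username: str) -> str:
    """Hardened pattern: encode on output, so the input is displayed as text.
    quote=True also encodes quotes, which matters inside attribute values."""
    return f"<p>Welcome, {html.escape(username, quote=True)}</p>"


def is_local_redirect(myurl: str) -> bool:
    """Accept only same-site, path-only targets for a redirect parameter.

    Rejects absolute URLs (any scheme), scheme-relative URLs (//host/...),
    the backslash variant (/\\host) that some browsers normalise to //host,
    and values containing control characters (header-injection guard)."""
    if not myurl or any(ord(c) < 0x20 for c in myurl):
        return False
    parts = urlsplit(myurl)
    if parts.scheme or parts.netloc:
        return False
    if not myurl.startswith("/") or myurl.startswith("//") or myurl.startswith("/\\"):
        return False
    return True


def safe_redirect_target(myurl: str, default: str = "/") -> str:
    """Return the requested local target, or the default when validation fails.
    Falling back to a fixed default avoids reflecting the rejected value."""
    return myurl if is_local_redirect(myurl) else default


if __name__ == "__main__":
    # Constructed inputs: one benign path, one off-site address.
    print(render_encoded('<b onmouseover="x">admin</b>'))
    print(safe_redirect_target("/dashboard"), safe_redirect_target("//evil.example/"))
```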

Alcatel-Lucent was informed of the security hole’s existence on June 13. The company’s security team confirmed the existence of the issue three days later.

After Swisscom researchers made several inquiries regarding a patch for the vulnerability, Alcatel-Lucent informed them today that it doesn’t consider this to be a high-priority issue. As a result, details and the attack vector have been disclosed by Swisscom.

“The vulnerability is assessed at no risk. We will evaluate if/when we will add the best practice of validating all inputs in WebUI tasks, but this is not considered high priority for the roadmap,” Alcatel-Lucent stated.

While this vulnerability might not be considered critical, Alcatel-Lucent is one of the many tech giants that have had to deal with the recently uncovered GNU Bash vulnerability known as ShellShock. In late September, shortly after the existence of the vulnerability came to light, the company informed customers that Bash is used in several products.

“We are currently investigating the impact on our portfolio and already taking actions to ensure the vulnerability has no further impact on products in our portfolio,” reads a message currently published on the page dedicated to the company’s Portfolio Security Issue Response Team (PSIRT).

Alcatel-Lucent advises researchers who identify vulnerabilities in the company’s products to complete a standard document available on the PSIRT page and send it via email to [email protected]

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
