- S21Sec Advisory -
Title: Alcatel Omnivista 4760 Cross-Site Scripting ID: S21SEC-038-en
Severity: Medium - History: 10.Jun.2007 Vulnerability discovered 20.Jun.2007 Vendor contacted 19.Oct.2007 Advisory released Authors: Juan de la Fuente Costa (email@example.com) Pablo Seijo Cajaraville (firstname.lastname@example.org) URL: http://www.s21sec.com/avisos/s21sec-038-en.txt Release: Public
[ SUMMARY ]
Alcatel-Lucent OmniVista 4760 is an innovative, modular platform that
provides a suite of network management applications. This powerful Java-based tool, accessed through a Web browser,
provides centralized management for the OmniPCX Enterprise.
The platform's open architecture enables today's IT managers and
administrators to effectively monitor and maintain the network, while lowering the company's total cost of ownership. This
suite of network management applications includes:
* LDAP Directory * Configuration * Accounting/Performance Management * Alarm Notification * Network Topology
[ AFFECTED VERSIONS ]
This vulnerability has been tested in Alcatel Omnivista 4760.
[ DESCRIPTION ]
S21sec has discovered a vulnerability in Alcatel Omnivista 4760 that
The identified parameters are: "action" and "Langue"
URL: http://www.somesite.com/php-bin/Webclient.php? action=<script>alert("xss")</script>
[ WORKAROUND ]
Alcatel-Lucent has released a patch to address this vulnerability.
More info at: http://www1.alcatel-lucent.com/psirt/statements/2007003/4760xss.htm
[ ACKNOWLEDGMENTS ]
This vulnerability has been discovered and researched by:
With special thanks to:
[ REFERENCES ]