Search

Find a vulnerability

Search criteria

    2 vulnerabilities found for OmniAccess Stellar by Alcatel-Lucent

    CVE-2025-52687 (GCVE-0-2025-52687)

    Vulnerability from nvd – Published: 2025-07-16 06:15 – Updated: 2025-07-16 14:41
    VLAI
    Title
    JavaScript Injection Vulnerability in the OmniAccess Stellar Web Management Interface
    Summary
    Successful exploitation of the vulnerability could allow an attacker with administrator credentials for the access point to inject malicious JavaScript into the payload of web traffics, potentially leading to session hijacking and denial-of-service (DoS).
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')
    Assigner
    CSA
    Impacted products
    Vendor Product Version
    Alcatel-Lucent OmniAccess Stellar Affected: AP1100 AWOS versions 5.0.2 GA and earlier
    Affected: AP1200 AWOS versions 5.0.2 GA and earlier
    Affected: AP1300 AWOS versions 5.0.2 GA and earlier
    Affected: AP1400 AWOS versions 5.0.2 GA and earlier
    Affected: AP1500 AWOS versions 5.0.2 GA and earlier
    Create a notification for this product.
    Date Public
    2025-07-16 06:07
    Credits
    Jay Turla Japz Divino Jerold Camacho
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-52687",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-07-16T14:37:22.658130Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-07-16T14:41:09.909Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unknown",
              "product": "OmniAccess Stellar",
              "vendor": "Alcatel-Lucent",
              "versions": [
                {
                  "status": "affected",
                  "version": "AP1100 AWOS versions 5.0.2 GA and earlier"
                },
                {
                  "status": "affected",
                  "version": "AP1200 AWOS versions 5.0.2 GA and earlier"
                },
                {
                  "status": "affected",
                  "version": "AP1300 AWOS versions 5.0.2 GA and earlier"
                },
                {
                  "status": "affected",
                  "version": "AP1400 AWOS versions 5.0.2 GA and earlier"
                },
                {
                  "status": "affected",
                  "version": "AP1500 AWOS versions 5.0.2 GA and earlier"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Jay Turla"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "Japz Divino"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "Jerold Camacho"
            }
          ],
          "datePublic": "2025-07-16T06:07:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Successful exploitation of the vulnerability could allow an attacker with administrator credentials for the access point to inject malicious JavaScript into the payload of web traffics, potentially leading to session hijacking and denial-of-service (DoS)."
                }
              ],
              "value": "Successful exploitation of the vulnerability could allow an attacker with administrator credentials for the access point to inject malicious JavaScript into the payload of web traffics, potentially leading to session hijacking and denial-of-service (DoS)."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 2.4,
                "baseSeverity": "LOW",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-77",
                  "description": "CWE-77 Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-07-16T06:25:33.489Z",
            "orgId": "5f57b9bf-260d-4433-bf07-b6a79e9bb7d4",
            "shortName": "CSA"
          },
          "references": [
            {
              "url": "https://www.csa.gov.sg/alerts-and-advisories/alerts/al-2025-072/"
            },
            {
              "url": "https://www.al-enterprise.com/-/media/assets/internet/documents/sa-n0150-omniaccess-stellar-multiple-vulnerabilities.pdf"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Users and administrators of affected products are advised to contact their Business Partner immediately to update to the latest version.\n\n\u003cbr\u003e"
                }
              ],
              "value": "Users and administrators of affected products are advised to contact their Business Partner immediately to update to the latest version."
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "JavaScript Injection Vulnerability in the OmniAccess Stellar Web Management Interface",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "5f57b9bf-260d-4433-bf07-b6a79e9bb7d4",
        "assignerShortName": "CSA",
        "cveId": "CVE-2025-52687",
        "datePublished": "2025-07-16T06:15:05.328Z",
        "dateReserved": "2025-06-19T06:04:41.986Z",
        "dateUpdated": "2025-07-16T14:41:09.909Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-52687 (GCVE-0-2025-52687)

    Vulnerability from cvelistv5 – Published: 2025-07-16 06:15 – Updated: 2025-07-16 14:41
    VLAI
    Title
    JavaScript Injection Vulnerability in the OmniAccess Stellar Web Management Interface
    Summary
    Successful exploitation of the vulnerability could allow an attacker with administrator credentials for the access point to inject malicious JavaScript into the payload of web traffics, potentially leading to session hijacking and denial-of-service (DoS).
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')
    Assigner
    CSA
    Impacted products
    Vendor Product Version
    Alcatel-Lucent OmniAccess Stellar Affected: AP1100 AWOS versions 5.0.2 GA and earlier
    Affected: AP1200 AWOS versions 5.0.2 GA and earlier
    Affected: AP1300 AWOS versions 5.0.2 GA and earlier
    Affected: AP1400 AWOS versions 5.0.2 GA and earlier
    Affected: AP1500 AWOS versions 5.0.2 GA and earlier
    Create a notification for this product.
    Date Public
    2025-07-16 06:07
    Credits
    Jay Turla Japz Divino Jerold Camacho
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-52687",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-07-16T14:37:22.658130Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-07-16T14:41:09.909Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unknown",
              "product": "OmniAccess Stellar",
              "vendor": "Alcatel-Lucent",
              "versions": [
                {
                  "status": "affected",
                  "version": "AP1100 AWOS versions 5.0.2 GA and earlier"
                },
                {
                  "status": "affected",
                  "version": "AP1200 AWOS versions 5.0.2 GA and earlier"
                },
                {
                  "status": "affected",
                  "version": "AP1300 AWOS versions 5.0.2 GA and earlier"
                },
                {
                  "status": "affected",
                  "version": "AP1400 AWOS versions 5.0.2 GA and earlier"
                },
                {
                  "status": "affected",
                  "version": "AP1500 AWOS versions 5.0.2 GA and earlier"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Jay Turla"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "Japz Divino"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "Jerold Camacho"
            }
          ],
          "datePublic": "2025-07-16T06:07:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Successful exploitation of the vulnerability could allow an attacker with administrator credentials for the access point to inject malicious JavaScript into the payload of web traffics, potentially leading to session hijacking and denial-of-service (DoS)."
                }
              ],
              "value": "Successful exploitation of the vulnerability could allow an attacker with administrator credentials for the access point to inject malicious JavaScript into the payload of web traffics, potentially leading to session hijacking and denial-of-service (DoS)."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 2.4,
                "baseSeverity": "LOW",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-77",
                  "description": "CWE-77 Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-07-16T06:25:33.489Z",
            "orgId": "5f57b9bf-260d-4433-bf07-b6a79e9bb7d4",
            "shortName": "CSA"
          },
          "references": [
            {
              "url": "https://www.csa.gov.sg/alerts-and-advisories/alerts/al-2025-072/"
            },
            {
              "url": "https://www.al-enterprise.com/-/media/assets/internet/documents/sa-n0150-omniaccess-stellar-multiple-vulnerabilities.pdf"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Users and administrators of affected products are advised to contact their Business Partner immediately to update to the latest version.\n\n\u003cbr\u003e"
                }
              ],
              "value": "Users and administrators of affected products are advised to contact their Business Partner immediately to update to the latest version."
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "JavaScript Injection Vulnerability in the OmniAccess Stellar Web Management Interface",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "5f57b9bf-260d-4433-bf07-b6a79e9bb7d4",
        "assignerShortName": "CSA",
        "cveId": "CVE-2025-52687",
        "datePublished": "2025-07-16T06:15:05.328Z",
        "dateReserved": "2025-06-19T06:04:41.986Z",
        "dateUpdated": "2025-07-16T14:41:09.909Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }