CVE-2015-8687

MEDIUM

Alcatel-lucent Motive Home Device Manager < 4.1.10.5 - XSS

Title source: rule

Description

Multiple cross-site scripting (XSS) vulnerabilities in the Management Console in Alcatel-Lucent Motive Home Device Manager (HDM) before 4.2 allow remote attackers to inject arbitrary web script or HTML via the (1) deviceTypeID parameter to DeviceType/getDeviceType.do; the (2) policyActionClass or (3) policyActionName parameter to PolicyAction/findPolicyActions.do; the deviceID parameter to (4) SingleDeviceMgmt/getDevice.do or (5) device/editDevice.do; the operation parameter to (6) ajax.do or (7) xmlHttp.do; or the (8) policyAction, (9) policyClass, or (10) policyName parameter to policy/findPolicies.do.

References (1)

[Third Party Advisory, VDB Entry] http://seclists.org/fulldisclosure/2016/Jan/0

Scores

CVSS v3 5.4

EPSS 0.0013

EPSS Percentile 32.5%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Classification

CWE

CWE-79

Status published

Affected Products (2)

alcatel-lucent/motive_home_device_manager < 4.1.10.5

n/a/n/a

Timeline

Published Mar 23, 2017

Tracked Since Feb 18, 2026