Alcatel-Lucent OmniAccess Stellar Access Points JavaScript Injection Vulnerability in Web Management Interface

Vulnerability

A vulnerability allowing JavaScript injection has been identified in the web management interface of Alcatel-Lucent OmniAccess Stellar WLAN Access Points. This issue affects all models in the AP1100, AP1200, AP1300, AP1400, and AP1500 families, running AWOS versions 5.0.2GA and earlier. The vulnerability arises from inadequate validation of text fields in payloads submitted through the web interface, enabling an attacker with administrator credentials to inject malicious scripts. When other users access the affected web page, the injected script is executed in their browser sessions, potentially leading to session hijacking and denial-of-service conditions.

Impact

Exploitation of this vulnerability could allow an attacker with administrator credentials to inject malicious JavaScript into web traffic payloads. This could result in session hijacking and denial-of-service conditions.

Remediation

Users are advised to upgrade to AWOS version 5.0.2MR. For those managing OmniAccess Stellar Access Points, it is recommended to use the OmniVista management platform and disable the web interface on the access points.

Added: Jul 16, 2025, 7:37 AM
Updated: Jul 16, 2025, 7:37 AM

Vulnerability Rating

Custom Algorithm
spread: 0.3
impact: 2.3
exploitability: 4.1
remediation: 8.3
relevance: 0.2
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.