Summary
HP OpenView Performance Insight is prone to a security-bypass vulnerability and an HTML-injection vulnerability.
An attacker may leverage the HTML-injection issue to inject hostile HTML and script code that would run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user.
The attacker may leverage the security-bypass issue to bypass certain security restrictions and perform unauthorized actions in the affected application.
Solution
Vendor updates are available. Please see the references for details.
References
- http://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c02942411&ac.admitted=1312903473487.876444892.199480143
- http://www.securityfocus.com/bid/49096
- https://h10078.www1.hp.com/cda/hpms/display/main/hpms_content.jsp?zn=bto&cp=1-11-15-119^1211_4000_100
Updated on 2015-03-25
Severity
Classification
- CVE: CVE-2011-2406, CVE-2011-2407, CVE-2011-2410
- CVSS Base Score: 6.4 (AV:N/AC:L/Au:N/C:P/I:P/A:N)
Related Vulnerabilities
- Apache Tomcat 'sendfile' Request Attributes Information Disclosure Vulnerability
- A4Desk Event Calendar 'eventid' Parameter SQL Injection Vulnerability
- Adobe ColdFusion HTTP Response Splitting Vulnerability
- Aardvark Topsites <= 4.2.2 Remote File Inclusion Vulnerability
- AjaXplorer 'doc_file' Parameter Local File Disclosure Vulnerability