Summary
This host is running HP Power Manager and is prone to cross site request forgery and cross site scripting vulnerability.
Impact
Successful exploitation could allows remote attackers to hijack the authentication of administrators for requests that create new administrative accounts and to execute arbitrary HTML and script code in a user's browser session in context of an affected site
Impact Level: Application.
Solution
No solution or patch was made available for at least one year since disclosure of this vulnerability. Likely none will be provided anymore.
General solution options are to upgrade to a newer release, disable respective features, remove the product or replace the product by another one.
A workaround is to follow instruction from the below link, http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02711131
Insight
- The application allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests.
- Input passed to the 'logType' parameter in 'Contents/exportlogs.asp', 'Id' parameter in 'Contents/pagehelp.asp', 'SORTORD' parameter in 'Contents/applicationlogs.asp' and 'SORTCOL' parameter in 'Contents/applicationlogs.asp' is not properly sanitised before being
Affected
HP Power Manager version 4.3.2 and pror.
References
Severity
Classification
-
CVE CVE-2011-0277, CVE-2011-0280 -
CVSS Base Score: 6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P
Related Vulnerabilities
- Adobe Flash Player Multiple Security Bypass Vulnerabilities - 01 Feb14 (Mac OS X)
- Asterisk CIDR Notation in Access Rule Remote Security Bypass Vulnerability
- Apple Safari 'SRC' Remote Denial Of Service Vulnerability
- Apache /server-info accessible
- Adobe Reader Cross-Site Scripting & Denial of Service Vulnerabilities (Mac OS X)