Summary
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of HP SiteScope. Authentication is not required to exploit this vulnerability.
The specific flaw exists because HP SiteScope allows unauthenticated SOAP calls to be made to the SiteScope service. One of those calls is getSiteScopeConfiguration() which will return the current configuration of the server including the administrator login and password information. A remote attacker could abuse this vulnerability to login to SiteScope with administrative privileges then execute arbitrary code through the underlying functionality.
References
Updated on 2015-03-25
Severity
Classification
-
CVSS Base Score: 10.0
AV:N/AC:L/Au:N/C:C/I:C/A:C
Related Vulnerabilities
- aflog Cookie-Based Authentication Bypass Vulnerability
- appRain CMF SQL Injection And Cross Site Scripting Vulnerabilities
- AlienVault OSSIM SQL Injection and Remote Code Execution Vulnerabilities
- Awstats Configuration File Remote Arbitrary Command Execution Vulnerability
- AjaXplorer zoho plugin Directory Traversal Vulnerability