Two vulnerabilities have been discovered in the HP OpenView Performance Insight package; remote attackers can exploit them to insert HTML and script code and to gain unauthorized access to the system.
HP Performance Insight Security Bypass and Script Insertion Vulnerabilities
Secunia Advisory SA45522
Release Date 2011-08-09
Criticality level Less critical
Impact Security Bypass, Cross Site Scripting
Where From local network
Solution Status Vendor Patch
Software:
HP Performance Insight 5.x
CVE Reference(s) CVE-2011-2406, CVE-2011-2407
Description
Two vulnerabilities have been reported in HP Performance Insight, which can be exploited by malicious users to conduct script insertion attacks and by malicious people to bypass certain security restrictions.
1) An unspecified error in the application can be exploited to gain unauthorized access. No further information is currently available.
2) Certain unspecified input is not properly sanitised before being used. This can be exploited to insert arbitrary HTML and script code, which will be executed in a user's browser session in the context of an affected site when the malicious data is being viewed.
Please see the vendor's advisory for a list of affected versions.
Solution
Apply hotfix 07. Please see the vendor's advisory for details.
Provided and/or discovered by
Reported by the vendor.
Original Advisory
HPSBMU02695 SSRT100480:
http://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c02942411