Two security vulnerabilities have been identified and fixed in the HP webOS operating system that allow a remote attacker to inject arbitrary HTML and script code.
Package:
HP webOS 3.x
Operating systems:
HP webOS 3.x
Severity:
7.5
Problem:
insufficient validation of input data
Exploitation:
remote
Consequence:
injection of HTML and script code
Solution:
vendor software patch
CVE:
CVE-2011-2408, CVE-2011-2409
Original advisory ID:
SA45543
Source:
Secunia
Problem:
The discovered security flaws concern insufficient validation of unspecified input data in the contacts and calendar applications.
Consequence:
By successfully exploiting the discovered flaws, a malicious attacker can carry out an injection of arbitrary, malicious HTML and script code.
Solution:
All users are advised to upgrade to the latest version.
HP WebOS Calendar and Contacts Applications Cross-Site Scripting and Script Insertion
Secunia Advisory SA45543
Release Date 2011-08-10
Criticality level Moderately critical
Impact Cross Site Scripting
Where From remote
Solution Status Vendor Patch
Operating System
HP webOS 3.x
CVE Reference(s) CVE-2011-2408, CVE-2011-2409
Description
Two vulnerabilities have been reported in HP WebOS, which can be exploited by malicious people to conduct cross-site scripting and script insertion attacks.
1) Certain unspecified input related to the contacts application is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in context of an affected device.
2) Certain unspecified input related to the calendar application is not properly sanitised before being used. This can be exploited to insert arbitrary HTML and script code, which will be executed in context of an affected device when the malicious data is being viewed.
The vulnerabilities are reported in version 3.0.0.
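Both issues above are the same defect class: a record field that the device received from outside (a synced contact, an imported vCard, a calendar invitation) is concatenated into markup without being encoded, so a payload stored in the record runs when the record is viewed. The following is an added example, not HP's webOS code and not part of the Secunia advisory; the contact record, the field names and the two render functions are constructed here to contrast the vulnerable pattern with the hardened one. webOS applications are written in JavaScript, so that is the language used.

```javascript
// Added example (not HP's code): output-encoding untrusted contact fields
// before they are rendered as HTML. Contact and calendar records on a device
// are attacker-influenced input (sync, vCard import, received invitations),
// so every field must be HTML-escaped before it is placed into markup.

// Escape the five characters that change meaning in HTML text and
// double/single-quoted attribute contexts.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern (the kind of defect the advisory describes): raw record
// fields concatenated into a string that is later assigned to innerHTML.
function renderContactUnsafe(contact) {
  return '<div class="contact"><h2>' + contact.name + '</h2>' +
         '<p>' + contact.note + '</p></div>';
}

// Hardened pattern: identical template, but every untrusted field passes
// through escapeHtml() first, so stored markup is shown as text, not parsed.
function renderContactSafe(contact) {
  return '<div class="contact"><h2>' + escapeHtml(contact.name) + '</h2>' +
         '<p>' + escapeHtml(contact.note) + '</p></div>';
}

// Constructed sample record (hypothetical field names): the name carries a
// script tag, as a maliciously crafted imported contact might.
const sampleContact = {
  name: 'Alice <script>alert(1)</script>',
  note: 'Met at conference "X" & follow up',
};

// Simple regression check for a test suite: rendered output must never
// contain a script tag that came from record data.
function containsScriptTag(html) {
  return /<script/i.test(html);
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('unsafe: ' + renderContactUnsafe(sampleContact));
  console.log('safe:   ' + renderContactSafe(sampleContact));
}
```

Escaping at the point of output, rather than trying to strip "bad" characters on import, is the durable fix: the record keeps its original value for sync and search, and every rendering path (contact card, calendar invite, notification) is protected the same way.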
Solution
Update to version 3.0.2.
Provided and/or discovered by
1) Reported by the vendor.
2) The vendor credits hankei6km.
Original Advisory
HPSBGN02694 SSRT100586:
http://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c02937744
HPSBGN02696 SSRT100590:
http://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c02945437