Skip to main content

System Management Homepage CVE-2016-4393

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2016-10-28 security-alert@hpe.com
5.4
CVSS 3.0 · NVD
Share

Severity by source

NVD PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
CVE Published
Oct 28, 2016 - 21:59 cve.org
MEDIUM 5.4

DescriptionCVE.org

HPE System Management Homepage before v7.6 allows "remote authenticated" attackers to obtain sensitive information via unspecified vectors, related to an "XSS" issue.

AnalysisAI

HPE System Management Homepage before v7.6 allows "remote authenticated" attackers to obtain sensitive information via unspecified vectors, related to an "XSS" issue. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Technical ContextAI

This vulnerability is classified as Cross-Site Scripting (XSS) (CWE-79), which allows attackers to inject malicious scripts into web pages viewed by other users. HPE System Management Homepage before v7.6 allows "remote authenticated" attackers to obtain sensitive information via unspecified vectors, related to an "XSS" issue. Affected products include: Hp System Management Homepage.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Sanitize all user input, use Content-Security-Policy headers, encode output contextually (HTML, JS, URL). Use frameworks with built-in XSS protection.

CVE-2016-5385 HIGH POC
8.1 Jul 19

PHP through 7.0.8 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect

CVE-2013-3576 CRITICAL POC
9.0 Jun 14

ginkgosnmp.inc in HP System Management Homepage (SMH) allows remote authenticated users to execute arbitrary commands vi

CVE-2015-4024 MEDIUM POC
5.0 Jun 09

Algorithmic complexity vulnerability in the multipart_buffer_headers function in main/rfc1867.c in PHP before 5.4.41, 5.

CVE-2015-3145 HIGH
7.5 Apr 24

The sanitize_cookie_path function in cURL and libcurl 7.31.0 through 7.41.0 does not properly calculate an index, which

CVE-2016-5387 HIGH
8.1 Jul 19

The Apache HTTP Server through 2.4.23 follows RFC 3875 section 4.1.18 and therefore does not protect applications from t

CVE-2016-5388 HIGH
8.1 Jul 19

Apache Tomcat 7.x through 7.0.70 and 8.x through 8.5.4, when the CGI Servlet is enabled, follows RFC 3875 section 4.1.18

CVE-2016-4543 CRITICAL POC
9.8 May 22

The exif_process_IFD_in_JPEG function in ext/exif/exif.c in PHP before 5.5.35, 5.6.x before 5.6.21, and 7.x before 7.0.6

CVE-2016-1995 CRITICAL
9.8 Mar 18

HPE System Management Homepage before 7.5.4 allows remote attackers to execute arbitrary code via unspecified vectors. R

CVE-2012-2012 CRITICAL
10.0 Jun 29

HP System Management Homepage (SMH) before 7.1.1 does not have an off autocomplete attribute for unspecified form fields

CVE-2012-2015 CRITICAL
9.0 Jun 29

Unspecified vulnerability in HP System Management Homepage (SMH) before 7.1.1 allows remote authenticated users to gain

CVE-2012-2014 CRITICAL
9.0 Jun 29

HP System Management Homepage (SMH) before 7.1.1 does not properly validate input, which allows remote authenticated use

CVE-2016-1993 HIGH
8.1 Mar 18

HPE System Management Homepage before 7.5.4 allows remote authenticated users to obtain sensitive information or modify

Share

CVE-2016-4393 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy