Skip to main content

Edgeconnect Sd Wan Orchestrator CVE-2023-37439

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2023-08-22 security-alert@hpe.com
6.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.1 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
CVE Published
Aug 22, 2023 - 19:16 nvd
MEDIUM 6.1

DescriptionNVD

Multiple vulnerabilities in the web-based management interface of EdgeConnect SD-WAN Orchestrator could allow an authenticated remote attacker to conduct SQL injection attacks against the EdgeConnect SD-WAN Orchestrator instance. An attacker could exploit these vulnerabilities to obtain and modify sensitive information in the underlying database potentially leading to the exposure and corruption of sensitive data controlled by the EdgeConnect SD-WAN Orchestrator host.

AnalysisAI

Multiple vulnerabilities in the web-based management interface of EdgeConnect SD-WAN Orchestrator could allow an authenticated remote attacker to conduct SQL injection attacks against the EdgeConnect. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Technical ContextAI

This vulnerability is classified as Cross-Site Scripting (XSS) (CWE-79), which allows attackers to inject malicious scripts into web pages viewed by other users. Multiple vulnerabilities in the web-based management interface of EdgeConnect SD-WAN Orchestrator could allow an authenticated remote attacker to conduct SQL injection attacks against the EdgeConnect SD-WAN Orchestrator instance. An attacker could exploit these vulnerabilities to obtain and modify sensitive information in the underlying database potentially leading to the exposure and corruption of sensitive data controlled by the EdgeConnect SD-WAN Orchestrator host. Affected products include: Arubanetworks Edgeconnect Sd-Wan Orchestrator.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Sanitize all user input, use Content-Security-Policy headers, encode output contextually (HTML, JS, URL). Use frameworks with built-in XSS protection.

CVE-2025-37184 CRITICAL
9.8 Jan 14

An Orchestrator service allows unauthenticated attackers to bypass MFA and create admin accounts without multi-factor au

CVE-2024-41914 CRITICAL
9.0 Jul 24

A vulnerability in the web-based management interface of EdgeConnect SD-WAN Orchestrator could allow an authenticated re

CVE-2024-41136 HIGH
8.8 Jul 24

An authenticated command injection vulnerability exists in the HPE Aruba Networking EdgeConnect SD-WAN gateways Command

CVE-2024-22443 HIGH
8.8 Jul 24

A vulnerability in the web-based management interface of EdgeConnect SD-WAN Orchestrator could allow an authenticated re

CVE-2023-37434 HIGH
8.1 Aug 22

Multiple vulnerabilities in the web-based management interface of EdgeConnect SD-WAN Orchestrator could allow an authent

CVE-2023-37433 HIGH
8.1 Aug 22

Multiple vulnerabilities in the web-based management interface of EdgeConnect SD-WAN Orchestrator could allow an authent

CVE-2023-37432 HIGH
8.1 Aug 22

Multiple vulnerabilities in the web-based management interface of EdgeConnect SD-WAN Orchestrator could allow an authent

CVE-2023-37431 HIGH
8.1 Aug 22

Multiple vulnerabilities in the web-based management interface of EdgeConnect SD-WAN Orchestrator could allow an authent

CVE-2023-37430 HIGH
8.1 Aug 22

Multiple vulnerabilities in the web-based management interface of EdgeConnect SD-WAN Orchestrator could allow an authent

CVE-2023-37429 HIGH
8.1 Aug 22

Multiple vulnerabilities in the web-based management interface of EdgeConnect SD-WAN Orchestrator could allow an authent

CVE-2023-37424 HIGH
8.1 Aug 22

A vulnerability in the web-based management interface of EdgeConnect SD-WAN Orchestrator could allow an unauthenticated

CVE-2023-37426 HIGH
7.5 Aug 22

EdgeConnect SD-WAN Orchestrator instances prior to the versions resolved in this advisory were found to have shared stat

Share

CVE-2023-37439 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy