Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Stored XSS requires low-privilege config write (PR:L) and admin page view (UI:R); scope changes to browser (S:C) with limited C and I impact, no availability effect.
Primary rating from Vendor (hp).
CVSS VectorVendor: hp
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
The IP phone might use malicious input stored in configuration parameters and render it as content for the WebUI’s webpage.
AnalysisAI
Stored cross-site scripting in HP IP phone WebUI allows a low-privileged authenticated attacker to inject malicious script content into configuration parameters, which the phone's web management interface later renders unsanitized to visiting users. When an administrator browses the affected WebUI page, the injected payload executes in their browser session, producing a High integrity impact within the WebUI context. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The attacker must have network-level access to the HP IP phone's WebUI and possess at minimum low-privileged credentials sufficient to write values to configuration parameters (confirmed by PR:L in the CVSS 4.0 vector). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 score of 5.9 (Medium) is consistent with the actual risk profile: network-reachable (AV:N), low complexity (AC:L), but gated by low-privilege authentication (PR:L), a passive second-user trigger (UI:P), and specific attack prerequisites (AT:P). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with low-privileged credentials on the HP IP phone's WebUI - such as a shared reception account - navigates to the configuration parameter interface and injects a JavaScript payload into a text field that is stored in the device configuration. When a network administrator later opens the WebUI to modify phone settings, the stored payload silently executes in the administrator's browser, potentially redirecting them, submitting unauthorized configuration changes, or harvesting session tokens. … |
| Remediation | Consult HP security advisory HPSBPY04108 at https://support.hp.com/us-en/document/ish_15255534-15255565-16/hpsbpy04108 for the vendor-released patched firmware version - the exact fix version is not independently confirmed from the available intelligence data beyond the advisory URL and must be verified there before deployment. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42445
GHSA-gf54-33r5-j829