T-590: HP Diagnostics Input Validation Hole Permits Cross-Site Scripting Attacks

March 29, 2011 - 3:05pm

PROBLEM:

HP Diagnostics Input Validation Hole Permits Cross-Site Scripting Attacks in ActiveSync Lets Remote Users Execute Arbitrary Code.

PLATFORM:

HP Diagnostics software: version(s) 7.5, 8.0 prior to 8.05.54.225

ABSTRACT:

A potential security vulnerability has been identified in HP Diagnostics. The vulnerability could be exploited remotely resulting in cross site scripting (XSS).

REFERENCE LINKS:

HP Document ID: c02770512
SecurityTracker Alert ID: 1025255
CVE-2011-0892
Security Focus Document ID: c02770512

IMPACT ASSESSMENT:

High

Discussion:

A vulnerability was reported in HP Diagnostics. A remote user can conduct cross-site scripting attacks.

Impact:

The HP Diagnostics software does not properly filter HTML code from user-supplied input before displaying the input. A remote user can cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the HP Diagnostics software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the HP Diagnostics software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
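To show the class of defect the advisory describes (user-supplied input reflected into a page without HTML encoding) next to the corrected form, here is an added example; it is not HP's code and does not represent the actual HP Diagnostics implementation. The `name` parameter, the page layout and the session cookie name are assumptions, and the sample URL is constructed.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed sample request to a diagnostics-style page that echoes a
# query parameter back to the user. The parameter name is an assumption.
SAMPLE_URL = "http://diag.example.test/report?name=<script>alert(1)</script>"


def param(url: str, key: str) -> str:
    """Return the first value of a query parameter, or '' if absent."""
    return parse_qs(urlsplit(url).query).get(key, [""])[0]


def render_vulnerable(url: str) -> str:
    """Reflects the raw parameter into HTML: the defect the advisory describes.
    Markup in the input becomes markup in the page and runs in the site's origin."""
    return f"<h1>Diagnostics report for {param(url, 'name')}</h1>"


def render_fixed(url: str) -> str:
    """Same page, but the value is entity-encoded for the element-body context,
    so the browser treats it as text rather than as markup."""
    safe = html.escape(param(url, "name"), quote=True)
    return f"<h1>Diagnostics report for {safe}</h1>"


def session_cookie_header(session_id: str) -> str:
    """Defence in depth for the cookie-access impact the advisory mentions:
    HttpOnly keeps the session cookie out of reach of page script, Secure
    restricts it to TLS. This does not replace output encoding."""
    return f"session={session_id}; HttpOnly; Secure; SameSite=Lax; Path=/"


def contains_script_tag(page: str) -> bool:
    """Crude check used only to demonstrate the difference between the two renderers."""
    return "<script" in page.lower()


if __name__ == "__main__":
    print(render_vulnerable(SAMPLE_URL))
    print(render_fixed(SAMPLE_URL))
    print(session_cookie_header("EXAMPLE-SESSION-ID"))
```

The fixed renderer encodes for the HTML element-body context only; a value placed into an attribute, a URL or a script block needs the encoding appropriate to that context.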

 

Solution:

HP has provided HP Diagnostics patch version 8.05.54.225 to resolve the vulnerability. This patch can be obtained by contacting the normal HP Services support channel. Note: Customers running HP Diagnostics v7.5x should upgrade to v8.05 and then apply patch version 8.05.54.225.
