VID 23194
Severity 20
Port 2301,2381
Protocol TCP
Class CGI
Detailed Description The HP SMH server, according to its banner, has a cross-site scripting vulnerability. HP System Management Homepage (SMH) is a web-based interface for managing HP servers running the Microsoft Windows or Linux operating systems. HP System Management Homepage versions prior to 2.1.2 are vulnerable to a cross-site scripting attack, caused by an unspecified input validation error when processing user-supplied data. This vulnerability could allow a remote attacker to create a malicious URI link that includes hostile HTML and script code. If a victim follows this link, the hostile code may be rendered in the victim's web browser. The code would run in the security context of the affected web site and may allow theft of cookie-based authentication credentials or other attacks.

* Note: This check relies solely on the banner of the remote web server to assess this vulnerability, so the result may be a false positive.

* References:
http://www.securityfocus.com/advisories/12545
http://www.kb.cert.org/vuls/id/292457
http://www.frsirt.com/english/advisories/2007/2013
http://securitytracker.com/alerts/2007/May/1018179.html
http://secunia.com/advisories/25493

* Platforms Affected:
HP System Management Homepage versions prior to 2.1.2
Linux Any version
Microsoft Windows Any version
Recommendation Upgrade to the latest version of HP System Management Homepage (2.1.2 or later), as listed in HPSBMA02216 SSRT071310 at http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01056592
Related URL CVE-2007-3062 (CVE)
Related URL 24256 (SecurityFocus)
Related URL 34656 (ISS)