Vigil@nce: HP ProCurve Switch, Cross Site Scripting
November 2009 by Vigil@nce
An attacker who is allowed to connect to the administration
interface of an HP ProCurve Switch can carry out a Cross Site
Scripting attack.
– Severity: 2/4
– Consequences: user access/rights
– Provenance: document
– Means of attack: 1 attack
– Ability of attacker: technician (2/4)
– Confidence: unique source (2/5)
– Diffusion of the vulnerable configuration: high (3/3)
– Creation date: 12/11/2009
IMPACTED PRODUCTS
– HP ProCurve Switch
DESCRIPTION OF THE VULNERABILITY
Authorized administrators can connect to the web interface of an HP
ProCurve Switch.
An attacker who is allowed to change the configuration of the
switch can inject JavaScript code into several fields of the web
interface:
– Security - SSL - Organization Name
– Security - SSL - Organization Unit
– Security - SSL - Certificate
When another administrator displays the configuration of the
switch, the JavaScript code runs in that administrator's web browser.
An attacker who is allowed to connect to the administration
interface of an HP ProCurve Switch can therefore carry out a Cross
Site Scripting attack.
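The stored-value pattern described above, as an added example that is not taken from the switch firmware or from the original advisory: it contrasts rendering the three SSL fields without and with output encoding, and adds an audit check for values already stored. The field keys, the table layout and the sample values are assumptions constructed for illustration.

```javascript
// Added example: hypothetical rendering of the three SSL fields named in the
// advisory. Field keys and page layout are assumptions, not HP's code.
const SSL_FIELDS = ["organizationName", "organizationUnit", "certificate"];

// Encode the five characters that can change the HTML parsing context.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value ?? "").replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern: stored values are concatenated into the page as-is,
// so markup saved by one administrator runs in the next viewer's browser.
function renderUnsafe(config) {
  return SSL_FIELDS
    .map((f) => `<tr><td>${f}</td><td>${config[f] ?? ""}</td></tr>`)
    .join("\n");
}

// Hardened pattern: every stored value is encoded at output time.
function renderSafe(config) {
  return SSL_FIELDS
    .map((f) => `<tr><td>${f}</td><td>${escapeHtml(config[f])}</td></tr>`)
    .join("\n");
}

// Audit helper: list the fields whose stored value contains characters that
// have no place in an organization name, unit or PEM certificate.
function findSuspectFields(config) {
  return SSL_FIELDS.filter((f) => /[<>"']/.test(String(config[f] ?? "")));
}

// Constructed sample configuration (not captured from a real device).
const sampleConfig = {
  organizationName: "Example Corp<script>alert(1)</script>",
  organizationUnit: "Network Operations",
  certificate: "-----BEGIN CERTIFICATE-----(placeholder)-----END CERTIFICATE-----",
};

console.log("Suspect fields:", findSuspectFields(sampleConfig));
console.log(renderSafe(sampleConfig));
```

Running the audit helper over an exported configuration shows which of the three fields need to be reviewed and reset.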
CHARACTERISTICS
– Identifiers: BID-37001, VIGILANCE-VUL-9189
– Url: http://vigilance.fr/vulnerability/HP-ProCurve-Switch-Cross-Site-Scripting-9189