HP BAC and BSM Products Cross Site Scripting Vulnerability


Description   A vulnerability has been identified in HP Business Availability Center (BAC) and Business Service Management (BSM), which could be exploited by attackers to cause arbitrary scripting code to be executed by the user's browser. This issue is caused by an unspecified input validation error which could allow attackers to gain knowledge of sensitive information via cross site scripting attacks.
     
Vulnerable Products   Vulnerable Software:
HP Business Availability Center (BAC) version 7.55 and prior (Windows and Solaris)
HP Business Availability Center (BAC) version 8.05 and prior (Windows and Solaris)
HP Business Service Management (BSM) version 9.01 and prior (Windows)
     
Solution   Apply patches: http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02678501
     
CVE   CVE-2011-0274
     
References   http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02678501
     
Vulnerability Manager Detection   No
     
IPS Protection
ASQ Engine alarm   Available Since
XSS - Prevention - GET : suspicious 'iframe' tag found in URL   3.2.0
XSS - Prevention - GET : suspicious tag with event found in URL   3.2.0
XSS - Prevention - GET : suspicious 'applet' tag found in URL   3.2.0
XSS - Phishing : suspicious 'div' tag found in URL   3.2.0
XSS - Prevention - GET : suspicious 'style' attribute found in URL   3.2.0
XSS - Phishing : suspicious 'a' tag found in URL   3.2.0
XSS - Prevention - GET : cookie access attempt using script language found in URL   3.2.0
XSS - Prevention - GET : suspicious 'embed' tag found in URL   3.2.0
XSS - Prevention - GET : suspicious 'object' tag found in URL   3.2.0
XSS - Phishing : suspicious 'form' tag found in URL   3.2.0
XSS - Prevention - GET : javascript code found in URL   3.2.0
XSS - Prevention - GET : evasion attempt using tag characters encoding in URL   3.2.0
XSS - Prevention - GET : suspicious 'style' tag found in URL   3.2.0
XSS - Phishing : suspicious 'link' tag found in URL   3.2.0
XSS - Prevention - GET : 'script' tag found in URL   3.2.0
XSS - Prevention - GET : 'location' javascript object found in URL   3.2.0
XSS - Prevention - GET : suspicious 'div' tag found in URL   3.2.0
     


 
 
 
 
Risk level   Low

Vulnerability First Public Report Date   2011-01-21

Target Type   Server

Possible exploit   Local & Remote