Lucene search

HpeCVE-2018-7064

HistoryMay 10, 2019 - 6:29 p.m.

CVE-2018-7064

2019-05-1018:29:03

CWE-79

hpe

web.nvd.nist.gov

cve-2018-7064

aruba instant

xss

vulnerability

unauthenticated

administrative actions

session cookie

aruba instant 4.2.4.12

aruba instant 6.5.4.11

aruba instant 8.3.0.6

aruba instant 8.4.0.0

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS3

6.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

EPSS

0.001

Percentile

43.8%

JSON

A reflected cross-site scripting (XSS) vulnerability is present in an unauthenticated Aruba Instant web interface. An attacker could use this vulnerability to trick an IAP administrator into clicking a link which could then take administrative actions on the Instant cluster, or expose the session cookie for an administrative session. Workaround: Administrators should make sure they log out of the Aruba Instant UI when not actively managing the system, and should use caution clicking links from external sources while logged into the IAP administrative interface. Resolution: Fixed in Aruba Instant 4.2.4.12, 6.5.4.11, 8.3.0.6, and 8.4.0.0

Affected configurations

Nvd

Node

arubanetworksaruba_instantRange4.0–4.2.4.12

arubanetworksaruba_instantRange6.5.0–6.5.4.11

arubanetworksaruba_instantRange8.3.0–8.3.0.6

arubanetworksaruba_instantRange8.4.0–8.4.0.1

Node

siemensscalance_w1750d_firmwareRange<8.4.0.1

AND

siemensscalance_w1750dMatch-

VendorProductVersionCPE
arubanetworksaruba_instant*cpe:2.3:a:arubanetworks:aruba_instant:*:*:*:*:*:*:*:*
siemensscalance_w1750d_firmware*cpe:2.3:o:siemens:scalance_w1750d_firmware:*:*:*:*:*:*:*:*
siemensscalance_w1750d-cpe:2.3:h:siemens:scalance_w1750d:-:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
arubanetworks	aruba_instant	*	cpe:2.3:a:arubanetworks:aruba_instant::::::::
siemens	scalance_w1750d_firmware	*	cpe:2.3:o:siemens:scalance_w1750d_firmware::::::::
siemens	scalance_w1750d	-	cpe:2.3:h:siemens:scalance_w1750d:-:::::::*

CNA Affected

[
  {
    "product": "Aruba Instant (IAP)",
    "vendor": "n/a",
    "versions": [
      {
        "status": "affected",
        "version": "Aruba Instant 4.x prior to 6.4.4.8 - 4.2.4.12 Aruba Instant 6.5.x prior to 6.5.4.11 Aruba Instant 8.3.x prior to 8.3.0.6 Aruba Instant 8.4.x prior to 8.4.0.1"
      }
    ]
  }
]

References

www.securityfocus.com/bid/108374

cert-portal.siemens.com/productcert/pdf/ssa-549547.pdf

www.arubanetworks.com/assets/alert/ARUBA-PSA-2019-001.txt

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS3

6.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

EPSS

0.001

Percentile

43.8%

JSON

Related for CVE-2018-7064