Lucene search

[email protected]CVE-2024-26300

HistoryFeb 27, 2024 - 11:15 p.m.

CVE-2024-26300

2024-02-2723:15:07

[email protected]

web.nvd.nist.gov

cve-2024-26300

clearpass policy manager

vulnerability

stored xss

cross-site scripting

nvd

6.6 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L

5.9 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

9.1%

JSON

A vulnerability in the guest interface of ClearPass Policy Manager could allow an authenticated remote attacker to conduct a stored cross-site scripting (XSS) attack against an administrative user of the interface. A successful exploit allows an attacker to execute arbitrary script code in a victim’s browser in the context of the affected interface.

CNA Affected

[
  {
    "defaultStatus": "affected",
    "product": "Aruba ClearPass Policy Manager",
    "vendor": "Hewlett Packard Enterprise (HPE)",
    "versions": [
      {
        "status": "affected",
        "version": "ClearPass Policy Manager 6.12.x: 6.12.0"
      },
      {
        "status": "affected",
        "version": "ClearPass Policy Manager 6.11.x: 6.11.6 and below"
      },
      {
        "status": "affected",
        "version": "ClearPass Policy Manager 6.10.x: ClearPass 6.10.8 Hotfix Q4 2023 for Security issues and below"
      },
      {
        "status": "affected",
        "version": "ClearPass Policy Manager 6.9.x: ClearPass 6.9.13 Hotfix Q4 2023 for Security issues and below"
      }
    ]
  }
]

References

www.arubanetworks.com/assets/alert/ARUBA-PSA-2024-001.txt