HP Insight Diagnostics 8.20 b2878 and possibly earlier versions contain multiple vulnerabilities.
It has been reported that HP Insight Diagnostics 8.20 b2878 and possibly earlier versions contain multiple vulnerabilities that a remote attacker can exploit to execute arbitrary PHP code, and thus arbitrary commands, with administrative privileges.
CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') - CVE-2013-3573
By combining these vulnerabilities, an authenticated remote attacker may be able to execute arbitrary commands on the server with administrator privileges.
We are currently unaware of a practical solution to this problem.
Restrict Network Access
Hewlett-Packard Company Affected
Notified: April 05, 2013 Updated: June 06, 2013
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Thanks to Markus Wulftange from Daimler TSS for reporting this vulnerability.
This document was written by Michael Orlando.
CVE IDs: CVE-2013-3573, CVE-2013-3574, CVE-2013-3575
Date First Published: 2013-06-10
Date Last Updated: 2014-07-30 06:35 UTC