HP Insight Diagnostics 8.20 b2878 and possibly earlier versions contain multiple vulnerabilities.
It has been reported that HP Insight Diagnostics 8.20 b2878 and possibly earlier versions contain multiple vulnerabilities that a remote attacker can exploit to execute arbitrary PHP code, and thus arbitrary commands, with administrative privileges.
CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') - CVE-2013-3573
By combining these vulnerabilities, an authenticated remote attacker may be able to execute arbitrary commands on the server with administrator privileges.
We are currently unaware of a practical solution to this problem.
Restrict Network Access
Thanks to Markus Wulftange from Daimler TSS for reporting this vulnerability.
This document was written by Michael Orlando.