Release date:
Updated on:
Affected Systems:
HP Insight Management Agents 8.9
HP Insight Management Agents 8.6
HP Insight Management Agents 8.5
Unaffected system:
HP Insight Management Agents 9.0
Description:
--------------------------------------------------------------------------------
Bugtraq id: 53341
CVE ID: CVE-2012-2003, CVE-2012-2004, CVE-2012-2005, CVE-2012-2006
HP Performance Insight software is used to collect and centralize performance data.
HP Insight Management Agents has multiple implementation vulnerabilities that malicious users can exploit to manipulate certain data, resulting in denial of service (DoS), spoofing, cross-site scripting, and cross-site request forgery attacks.
1) The application allows users to perform certain operations through HTTP requests without verifying those requests.
2) Some input is returned to the user without being verified.
3) An issue with unknown details can be used to modify or delete some data.
<* Source: HP
Link: http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?ObjectID=c03301267
*>
Suggestion:
--------------------------------------------------------------------------------
Vendor patch:
HP
--
HP has released a Security Bulletin (HPSBMU02770) and the corresponding patch for these issues:
HPSBMU02770: SSRT100848 rev.1 - HP Insight Management Agents for Windows Server, Remote Cross Site Request Forgery (CSRF), Cross Site Scripting (XSS), URL Redirection, Unauthorized Modification, Denial of Service (DoS)
Link: http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?ObjectID=c03301267