The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of Hewlett-Packard Performance Center

security bulletin CVE-2017-14359

HPE Performance Center: Cross Site Scripting

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting in HPE Performance Center, in order to run JavaScript code in the context of the web site.
Severity: 2/4.
Creation date: 06/11/2017.
Identifiers: CVE-2017-14359, KM02996754, MFSBGN03788, VIGILANCE-VUL-24327.
Full Vigil@nce bulletin... (Free trial)

Description of the vulnerability

The HPE Performance Center product offers a web service.

However, it does not filter received data before inserting it into generated HTML documents.

An attacker can therefore trigger a Cross Site Scripting in HPE Performance Center, in order to run JavaScript code in the context of the web site.

cybersecurity vulnerability CVE-2017-11357

Telerik UI for ASP.NET AJAX: file upload via Direct Object Reference

Synthesis of the vulnerability

An attacker can upload a malicious file via RadAsyncUpload on Telerik UI for ASP.NET AJAX, for example in order to upload a Trojan.
Severity: 3/4.
Creation date: 24/08/2017.
Identifiers: CVE-2017-11357, VIGILANCE-VUL-23607.

Description of the vulnerability

The Telerik UI for ASP.NET AJAX product offers a web service.

It can be used to upload a file. However, this file can be uploaded to an arbitrary directory on the server, and then executed.

An attacker can therefore upload a malicious file via Direct Object Reference on Telerik UI for ASP.NET AJAX, for example in order to upload a Trojan.

vulnerability CVE-2017-8953

HPE LoadRunner, Performance Center: Cross Site Scripting

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting in HPE LoadRunner or HPE Performance Center, in order to run JavaScript code in the context of the web site.
Severity: 2/4.
Creation date: 12/07/2017.
Identifiers: CVE-2017-8953, HPESBGN03764, hpesbgn03764en_us, VIGILANCE-VUL-23214.

Description of the vulnerability

The HPE LoadRunner or HPE Performance Center product offers a web service.

However, it does not filter received data before inserting it into generated HTML documents.

An attacker can therefore trigger a Cross Site Scripting in HPE LoadRunner or HPE Performance Center, in order to run JavaScript code in the context of the web site.

computer weakness bulletin CVE-2017-5789

HPE LoadRunner, Performance Center: code execution

Synthesis of the vulnerability

An attacker can use a vulnerability in HPE LoadRunner and Performance Center, in order to run code.
Severity: 3/4.
Creation date: 09/03/2017.
Identifiers: CVE-2017-5789, HPESBGN03712, VIGILANCE-VUL-22049, ZDI-17-160.

Description of the vulnerability

An attacker can use a vulnerability in HPE LoadRunner and Performance Center, in order to run code.

vulnerability note CVE-2016-8512

HP LoadRunner, Performance Center: buffer overflow via MMS

Synthesis of the vulnerability

An attacker can generate a buffer overflow via an MMS packet sent to an HP LoadRunner or Performance Center device, in order to trigger a denial of service, and possibly to run code.
Severity: 3/4.
Creation date: 16/12/2016.
Identifiers: c05354136, CVE-2016-8512, HPSBGN03679, VIGILANCE-VUL-21404.

Description of the vulnerability

The products HP LoadRunner and HP Performance Center may use a protocol named MMS.

However, when handling such packets, if the size of the data is greater than the size of the storage array, an overflow occurs.

An attacker can therefore generate a buffer overflow via an MMS packet sent to an HP LoadRunner or Performance Center device, in order to trigger a denial of service, and possibly to run code.

security weakness CVE-2016-4384

HPE LoadRunner, Performance Center: denial of service

Synthesis of the vulnerability

An attacker can generate a fatal error in HPE LoadRunner or Performance Center, in order to trigger a denial of service.
Severity: 2/4.
Creation date: 21/09/2016.
Identifiers: c05278882, CVE-2016-4384, HPSBGN03648, VIGILANCE-VUL-20660.

Description of the vulnerability

An attacker can generate a fatal error in HPE LoadRunner or Performance Center, in order to trigger a denial of service.

threat announcement CVE-2016-2183 CVE-2016-6329

Blowfish, Triple-DES: algorithms too weak, SWEET32

Synthesis of the vulnerability

An attacker can create a TLS/VPN session with a Blowfish/Triple-DES algorithm, and perform a two-day attack, in order to decrypt data.
Severity: 1/4.
Number of vulnerabilities in this bulletin: 2.
Creation date: 25/08/2016.
Identifiers: 1610582, 1991866, 1991867, 1991870, 1991871, 1991875, 1991876, 1991878, 1991880, 1991882, 1991884, 1991885, 1991886, 1991887, 1991889, 1991892, 1991894, 1991896, 1991902, 1991903, 1991951, 1991955, 1991959, 1991960, 1991961, 1992681, 1993777, 1994375, 1995099, 1995922, 1998797, 1999054, 1999421, 2000209, 2000212, 2000370, 2000544, 2001608, 2002021, 2002335, 2002336, 2002479, 2002537, 2002870, 2002897, 2002991, 2003145, 2003480, 2003620, 2003673, 2004036, 2008828, 523628, 9010102, bulletinapr2017, c05349499, c05369403, c05369415, c05390849, CERTFR-2017-AVI-012, CERTFR-2019-AVI-049, CERTFR-2019-AVI-311, cisco-sa-20160927-openssl, cpuapr2017, cpujan2018, cpujul2017, cpujul2019, cpuoct2017, CVE-2016-2183, CVE-2016-6329, DSA-2018-124, DSA-2019-131, DSA-3673-1, DSA-3673-2, FEDORA-2016-7810e24465, FEDORA-2016-dc2cb4ad6b, FG-IR-16-047, FG-IR-16-048, FG-IR-17-127, FG-IR-17-173, HPESBGN03697, HPESBGN03765, HPESBUX03725, HPSBGN03690, HPSBGN03694, HPSBHF03674, ibm10718843, java_jan2017_advisory, JSA10770, KM03060544, NTAP-20160915-0001, openSUSE-SU-2016:2199-1, openSUSE-SU-2016:2391-1, openSUSE-SU-2016:2407-1, openSUSE-SU-2016:2496-1, openSUSE-SU-2016:2537-1, openSUSE-SU-2017:1638-1, openSUSE-SU-2018:0458-1, RHSA-2017:0336-01, RHSA-2017:0337-01, RHSA-2017:0338-01, RHSA-2017:3113-01, RHSA-2017:3114-01, RHSA-2017:3239-01, RHSA-2017:3240-01, RHSA-2018:2123-01, SA133, SA40312, SB10171, SB10186, SB10197, SB10215, SOL13167034, SP-CAAAPUE, SPL-129207, SSA:2016-266-01, SSA:2016-363-01, SSA-556833, SUSE-SU-2016:2387-1, SUSE-SU-2016:2394-1, SUSE-SU-2016:2458-1, SUSE-SU-2016:2468-1, SUSE-SU-2016:2469-1, SUSE-SU-2016:2470-1, SUSE-SU-2016:2470-2, SUSE-SU-2017:1444-1, SUSE-SU-2017:2838-1, SUSE-SU-2017:3177-1, SWEET32, TNS-2016-16, USN-3087-1, USN-3087-2, USN-3270-1, USN-3339-1, USN-3339-2, USN-3372-1, VIGILANCE-VUL-20473.

Description of the vulnerability

The Blowfish and Triple-DES symmetric encryption algorithms use 64-bit blocks.

However, if they are used in CBC mode, a collision occurs after 785 GB have been transferred, and it is then possible to decrypt blocks with an attack lasting two days.

An attacker can therefore create a TLS/VPN session with a Blowfish/Triple-DES algorithm, and perform a two-day attack, in order to decrypt data.

cybersecurity bulletin CVE-2016-4359 CVE-2016-4360 CVE-2016-4361

HPE LoadRunner, Performance Center: three vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities in HPE LoadRunner and Performance Center.
Severity: 3/4.
Number of vulnerabilities in this bulletin: 3.
Creation date: 01/06/2016.
Identifiers: c05157423, CVE-2016-4359, CVE-2016-4360, CVE-2016-4361, HPSBGN03609, VIGILANCE-VUL-19752, ZDI-16-363, ZDI-16-364.

Description of the vulnerability

Several vulnerabilities were announced in HPE LoadRunner and Performance Center.

An attacker can use a vulnerability via Shared Memory Name Construction, in order to run code. [severity:3/4; CVE-2016-4359, ZDI-16-363]

An attacker can trigger a fatal error via import_csv, in order to trigger a denial of service. [severity:2/4; CVE-2016-4360, ZDI-16-364]

An attacker can trigger a fatal error, in order to trigger a denial of service. [severity:2/4; CVE-2016-4361]

security announcement CVE-2015-6857

HP Loadrunner/Performance Virtual Table Server: code execution via import_database

Synthesis of the vulnerability

An unauthenticated attacker can access HP Loadrunner Virtual Table Server or HP Performance Center Virtual Table Server, in order to run privileged code.
Severity: 3/4.
Creation date: 25/11/2015.
Revision dates: 03/12/2015, 04/12/2015.
Identifiers: c04900820, c04907374, CVE-2015-6857, HPSBGN03523, HPSBGN03525, VIGILANCE-VUL-18377, ZDI-15-581.

Description of the vulnerability

The HP Loadrunner Virtual Table Server and HP Performance Center Virtual Table Server products listen on port 4000.

However, by using the /data/import_database resource to inject SQL commands, an attacker can alter the database, and then execute code with NETWORK SERVICE privileges.

An unauthenticated attacker can therefore access HP Loadrunner Virtual Table Server or HP Performance Center Virtual Table Server, in order to run privileged code.

security vulnerability CVE-2015-2121

HP Network Virtualization for LoadRunner and Performance Center: information disclosure

Synthesis of the vulnerability

A remote attacker can use HP Network Virtualization for LoadRunner and Performance Center, in order to obtain sensitive information.
Severity: 2/4.
Creation date: 11/05/2015.
Identifiers: c04657310, CVE-2015-2121, HPSBGN03328, VIGILANCE-VUL-16854, ZDI-15-192.

Description of the vulnerability

A remote attacker can use HP Network Virtualization for LoadRunner and Performance Center, in order to obtain sensitive information.