
Computer vulnerabilities of SiteScope

vulnerability bulletin CVE-2012-3259 CVE-2012-3260 CVE-2012-3261

HP SiteScope: six vulnerabilities

Synthesis of the vulnerability

An unauthenticated attacker can use several vulnerabilities in HP SiteScope to execute privileged code.
Impacted products: SiteScope.
Severity: 3/4.
Consequences: administrator access/rights, privileged access/rights.
Provenance: intranet client.
Number of vulnerabilities in this bulletin: 6.
Creation date: 29/08/2012.
Identifiers: BID-55269, BID-55273, c03489683, CERTA-2012-AVI-517, CVE-2012-3259, CVE-2012-3260, CVE-2012-3261, CVE-2012-3262, CVE-2012-3263, CVE-2012-3264, HPSBMU02815, SSRT100715, SSRT100717, SSRT100718, SSRT100719, SSRT100720, VIGILANCE-VUL-11903, ZDI-12-173, ZDI-12-174, ZDI-12-175, ZDI-12-176, ZDI-12-177, ZDI-12-178, ZDI-CAN-1461, ZDI-CAN-1463, ZDI-CAN-1464, ZDI-CAN-1465, ZDI-CAN-1472.

Description of the vulnerability

Six vulnerabilities were announced in HP SiteScope.

An unauthenticated attacker can call the SOAP getSiteScopeConfiguration() function, in order to obtain the administrator password. [severity:3/4; ZDI-12-173]

An unauthenticated attacker can use the UploadFilesHandler URL, in order to upload a script to the server. [severity:3/4; BID-55273, ZDI-12-174]

An unauthenticated attacker can call the SOAP create() function, in order to create a new user. [severity:3/4; ZDI-12-175]

An unauthenticated attacker can call the SOAP getFileInternal() function, in order to read the configuration, which contains passwords. [severity:3/4; ZDI-12-176]

An unauthenticated attacker can call the SOAP loadFileContent() function, in order to read configuration files, which contain passwords. [severity:3/4; ZDI-12-177]

An unauthenticated attacker can call the SOAP update() function, in order to change the administrator's password. [severity:3/4; ZDI-12-178]

computer vulnerability announce 10957

HP SiteScope: two vulnerabilities

Synthesis of the vulnerability

An attacker can use two vulnerabilities in HP SiteScope to read a file or to create a user.
Impacted products: SiteScope.
Severity: 3/4.
Consequences: privileged access/rights, data reading.
Provenance: intranet client.
Number of vulnerabilities in this bulletin: 2.
Creation date: 29/08/2011.
Identifiers: BID-49345, VIGILANCE-VUL-10957.

Description of the vulnerability

A user cannot perform administrative actions, because they are greyed out in the HP SiteScope interface. However, a direct query to the servlet can access them. This leads to two vulnerabilities.

An attacker can log in to the integrationViewer account, and use a com.mercury.sitescope.ui.common.bean.tools.LogAnalysisToolBean object, in order to read a file. [severity:2/4]

An attacker can log in to the integrationViewer account, and use a UserInstancePreferences object, in order to create a user. [severity:3/4]

computer vulnerability announce CVE-2011-2400 CVE-2011-2401

HP SiteScope: two vulnerabilities

Synthesis of the vulnerability

An attacker can use two vulnerabilities in HP SiteScope to perform a Cross Site Scripting attack or to access a session.
Impacted products: SiteScope.
Severity: 3/4.
Consequences: user access/rights, client access/rights.
Provenance: document.
Number of vulnerabilities in this bulletin: 2.
Creation date: 28/07/2011.
Identifiers: BID-48913, BID-48916, c02940969, CERTA-2011-AVI-427, CVE-2011-2400, CVE-2011-2401, HPSBMU02692, SSRT100581, VIGILANCE-VUL-10877.

Description of the vulnerability

Two vulnerabilities were announced in HP SiteScope.

An attacker can perform a Cross Site Scripting attack, in order to execute JavaScript code in the user's web browser. [severity:2/4; BID-48913, CERTA-2011-AVI-427, CVE-2011-2400]

An attacker can force the value of the session variable, in order to access a user's session. [severity:3/4; BID-48916, CVE-2011-2401]

An attacker can therefore use two vulnerabilities in HP SiteScope to perform a Cross Site Scripting attack or to access a session.

computer vulnerability announce CVE-2011-1726 CVE-2011-1727

HP SiteScope: Cross Site Scripting

Synthesis of the vulnerability

An attacker can perform a Cross Site Scripting attack or inject HTML code in HP SiteScope.
Impacted products: SiteScope.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Number of vulnerabilities in this bulletin: 2.
Creation date: 22/04/2011.
Identifiers: BID-47554, c02807712, CERTA-2011-AVI-257, CVE-2011-1726, CVE-2011-1727, HPSBMA02667, SSRT100464, VIGILANCE-VUL-10597.

Description of the vulnerability

Two vulnerabilities were announced in HP SiteScope.

An attacker can perform a Cross Site Scripting attack. [severity:2/4; CERTA-2011-AVI-257, CVE-2011-1726]

An attacker can inject HTML code. [severity:1/4; CVE-2011-1727]