The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of SiteScope

Computer vulnerability announcement 10957

HP SiteScope: two vulnerabilities

Synthesis of the vulnerability

An attacker can use two vulnerabilities in HP SiteScope to read a file or to create a user.
Impacted products: SiteScope.
Severity: 3/4.
Consequences: privileged access/rights, data reading.
Provenance: intranet client.
Number of vulnerabilities in this bulletin: 2.
Creation date: 29/08/2011.
Identifiers: BID-49345, VIGILANCE-VUL-10957.

Description of the vulnerability

A user cannot perform administrative actions through the HP SiteScope interface, because they are greyed out there. However, a direct query to the servlet can still access them. This leads to two vulnerabilities.

An attacker can log in to the integrationViewer account and use a com.mercury.sitescope.ui.common.bean.tools.LogAnalysisToolBean object to read a file. [severity:2/4]

An attacker can log in to the integrationViewer account and use a UserInstancePreferences object to create a user. [severity:3/4]

Computer vulnerability announcement CVE-2011-2400 CVE-2011-2401

HP SiteScope: two vulnerabilities

Synthesis of the vulnerability

An attacker can use two vulnerabilities in HP SiteScope to trigger a Cross Site Scripting or to access a session.
Impacted products: SiteScope.
Severity: 3/4.
Consequences: user access/rights, client access/rights.
Provenance: document.
Number of vulnerabilities in this bulletin: 2.
Creation date: 28/07/2011.
Identifiers: BID-48913, BID-48916, c02940969, CERTA-2011-AVI-427, CVE-2011-2400, CVE-2011-2401, HPSBMU02692, SSRT100581, VIGILANCE-VUL-10877.

Description of the vulnerability

Two vulnerabilities were announced in HP SiteScope.

An attacker can trigger a Cross Site Scripting, in order to execute JavaScript code in the user's web browser. [severity:2/4; BID-48913, CERTA-2011-AVI-427, CVE-2011-2400]

An attacker can force the value of the session variable, in order to access a user's session. [severity:3/4; BID-48916, CVE-2011-2401]

An attacker can therefore use two vulnerabilities in HP SiteScope to trigger a Cross Site Scripting or to access a session.

Computer vulnerability announcement CVE-2011-1726 CVE-2011-1727

HP SiteScope: Cross Site Scripting

Synthesis of the vulnerability

An attacker can generate a Cross Site Scripting or inject HTML code in HP SiteScope.
Impacted products: SiteScope.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Number of vulnerabilities in this bulletin: 2.
Creation date: 22/04/2011.
Identifiers: BID-47554, c02807712, CERTA-2011-AVI-257, CVE-2011-1726, CVE-2011-1727, HPSBMA02667, SSRT100464, VIGILANCE-VUL-10597.

Description of the vulnerability

Two vulnerabilities were announced in HP SiteScope.

An attacker can trigger a Cross Site Scripting. [severity:2/4; CERTA-2011-AVI-257, CVE-2011-1726]

An attacker can inject HTML code. [severity:1/4; CVE-2011-1727]