HP Client Security Manager 8.3.4 Cross Site Scripting

`HP Client Security Manager 8.3.4 Cross-Site Scripting Vulnerability  
  
  
Vendor: HP Inc.  
Product web page: http://www.hp.com  
Affected version: 8.3.4.1811  
  
Summary: HP Client Security Manager provides enhanced Windows login  
and website single-sign-on capabilities. Security Manager is also the  
host for HP Client Security plugins and should be installed before  
other Client Security modules. This package is provided for supported  
notebook models running a supported operating system.  
  
Desc: HP Client Security Manager is prone to XSS attacks because of  
lacking sanitization of data from HTML forms. It makes any site  
vulnerable even without XSS presence on the site.  
  
Tested on: Microsoft Windows 7 Professional SP1 (EN)  
Microsoft Windows 7 Ultimate SP1 (EN)  
  
  
Vulnerability discovered by Ewerson Guimaraes (Crash)  
  
  
Advisory ID: ZSL-2016-5299  
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5299.php  
  
  
09.10.2015  
  
  
Reproduction:  
  
When you make a login process in any site that the HP Client Security  
Manager intercepts and render the username mixed with the site.  
  
To trigger this vuln, just use some payload like <img  
src="lala.gif"onerror="alert(document.cookie)"> in the username HTML  
form.  
For this reason any site can be exploited even without XSS presence  
directly in the site.  
`