HP Application Lifecycle Management (ALM) is a software product designed to manage the application lifecycle from requirements through readiness for delivery from a single repository, providing a consistent user experience and customizable dashboard.
XGO.ocx ActiveX control in HP Application Lifecycle Management exposes an insecure method, SetShapeNodeType, which is vulnerable to a type confusion error allowing user-specified memory to be used as an object. A remote attacker who persuades a user to visit a specially crafted web page could execute arbitrary code in the context of the process.
Upgrade when HP provides one. In the interim, access to the HP Application Lifecycle Management service should be restricted to trusted machines.
This exploit has been tested against HP Lifecycle Management ActiveX 11.50.777.0 on Microsoft Windows XP SP3 English (DEP OptIn) and Microsoft Windows 7 SP1 (DEP OptIn).
The user must open the exploit page in Internet Explorer 8 or 9.