Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

HP Client Security Manager 8.3.4 Cross-Site Scripting Vulnerability

🗓️ 28 Jan 2016 00:00:00Reported by Ewerson GuimaraesType 
zeroscience
 zeroscience🔗 www.zeroscience.mk👁 38 Views

HP Client Security Manager 8.3.4 Cross-Site Scripting Vulnerability in HTML forms, impact on supported Windows OS and vendor statu

Code
<html><body><p>HP Client Security Manager 8.3.4 Cross-Site Scripting Vulnerability


Vendor: HP Inc.
Product web page: http://www.hp.com
Affected version: 8.3.4.1811

Summary: HP Client Security Manager provides enhanced Windows
login and website single-sign-on capabilities. Security Manager
is also the host for HP Client Security plugins and should be
installed before other Client Security modules. This package is
provided for supported notebook models running a supported operating
system.

Desc: HP Client Security Manager is prone to XSS attacks because
of lacking sanitization of data from HTML forms. It makes any site
vulnerable even without XSS presence on the site.

Tested on: Microsoft Windows 7 Professional SP1 (EN)
           Microsoft Windows 7 Ultimate SP1 (EN)


Vulnerability discovered by Ewerson Guimaraes (Crash)


Advisory ID: ZSL-2016-5299
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5299.php


09.10.2015


--


Reproduction:

 When you make a login process in any site that the HP Client Security Manager intercepts
 and render the username mixed with the site.
 To trigger this vuln, just use some payload like <img onerror="alert(document.cookie)" src="lala.gif"/>
 in the username HTML form.
 For this reason any site can be exploited even without XSS presence directly in the site.
</p></body></html>

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
28 Jan 2016 00:00Current
5.8Medium risk
Vulners AI Score5.8
cross-site scriptinghtml formswindows osvendorvulnerability
38