CVE-2023-39266

Published: 29 Aug 2023
Source: nvd
CVSS3: 8.3
CVSS3: 6.1
EPSS: Low

Description

A vulnerability in the ArubaOS-Switch web management interface could allow an unauthenticated remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the interface provided certain configuration options are present. A successful exploit could allow an attacker to execute arbitrary script code in a victim's browser in the context of the affected interface.

Vulnerable configurations

Configuration 1

All of

One of

cpe:2.3:o:hpe:arubaos-switch:*:*:*:*:*:*:*:*
Version before a.15.16.0026 (exclusive)
cpe:2.3:o:hpe:arubaos-switch:*:*:*:*:*:*:*:*
Version from 16.01.0000 (inclusive) to 16.04.0027 (exclusive)
cpe:2.3:o:hpe:arubaos-switch:*:*:*:*:*:*:*:*
Version from 16.05.0000 (inclusive) to 16.08.0027 (exclusive)
cpe:2.3:o:hpe:arubaos-switch:*:*:*:*:*:*:*:*
Version from 16.10.0001 (inclusive) to 16.10.0024 (exclusive)
cpe:2.3:o:hpe:arubaos-switch:*:*:*:*:*:*:*:*
Version from 16.11.0001 (inclusive) to 16.11.0013 (exclusive)

One of

cpe:2.3:h:arubanetworks:aruba_2530:-:*:*:*:*:*:*:*
cpe:2.3:h:arubanetworks:aruba_2530ya:-:*:*:*:*:*:*:*
cpe:2.3:h:arubanetworks:aruba_2530yb:-:*:*:*:*:*:*:*
cpe:2.3:h:arubanetworks:aruba_2540:-:*:*:*:*:*:*:*
cpe:2.3:h:arubanetworks:aruba_2920:-:*:*:*:*:*:*:*
cpe:2.3:h:arubanetworks:aruba_2930f:-:*:*:*:*:*:*:*
cpe:2.3:h:arubanetworks:aruba_2930m:-:*:*:*:*:*:*:*
cpe:2.3:h:arubanetworks:aruba_3810m:-:*:*:*:*:*:*:*
cpe:2.3:h:arubanetworks:aruba_5406r_zl2:-:*:*:*:*:*:*:*
cpe:2.3:h:arubanetworks:aruba_5412r_zl2:-:*:*:*:*:*:*:*

EPSS

Percentile: 49%
0.00257
Low

8.3 High

CVSS3

6.1 Medium

CVSS3

Weaknesses

CWE-79

Related vulnerabilities

CVSS3: 8.3
github
more than 2 years ago

A vulnerability in the ArubaOS-Switch web management interface could allow an unauthenticated remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the interface provided certain configuration options are present. A successful exploit could allow an attacker to execute arbitrary script code in a victim's browser in the context of the affected interface.
