Overview
HP's Arcsight Connector appliance v6.2.0.6244.0 and Arcsight Logger appliance v5.2.0.6288.0 (and possibly other versions) contain a file import facility which is vulnerable to cross-site scripting (XSS).
Description
The supplied facility for importing host data from a file (System Admin Tab | Network | Hosts | Import from Local File) on the HP Arcsight Connector and HP Arcsight Logger appliances fails to sanitize input against cross-site scripting attacks. An attacker with write access to the file that will be imported can add JavaScript code to the file. This code will run in the security context of the appliance administrative web GUI when the file is imported.
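To make the failure mode concrete from the defender's side, the following added example (not code from the advisory or from HP's products) contrasts an import routine that trusts file contents and interpolates them into HTML with one that validates each field against the expected format and HTML-escapes on output. The comma-separated "ip,hostname" layout and the sample lines are constructed assumptions; the real appliance file format is not described on this page.

```python
import html
import ipaddress
import re

# Constructed sample host-import file (not from the advisory): two
# well-formed entries and one whose hostname field carries HTML markup.
SAMPLE_HOST_FILE = """\
10.0.0.5,logger-01
10.0.0.6,<script>alert('hostname')</script>
192.168.1.20,collector.example.internal
"""

# RFC 1123-style hostname: dot-separated labels of letters, digits and
# internal hyphens, 63 chars per label, 253 chars overall.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def parse_hosts_unsafe(text):
    """Vulnerable pattern: every field from the file is dropped into the
    admin page as-is, so markup in the file becomes markup in the GUI."""
    rows = []
    for line in text.splitlines():
        ip, name = line.split(",", 1)
        rows.append(f"<tr><td>{ip}</td><td>{name}</td></tr>")
    return "\n".join(rows)


def parse_hosts_safe(text):
    """Hardened pattern: each field must match its expected format before it
    is accepted; anything else is rejected with the line number and reason."""
    accepted, rejected = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        parts = line.split(",", 1)
        if len(parts) != 2:
            rejected.append((lineno, "wrong field count"))
            continue
        ip, name = (p.strip() for p in parts)
        try:
            ipaddress.ip_address(ip)  # raises ValueError on anything that is not an IP
        except ValueError:
            rejected.append((lineno, "invalid IP address"))
            continue
        if not HOSTNAME_RE.match(name):
            rejected.append((lineno, "invalid hostname"))
            continue
        accepted.append((ip, name))
    return accepted, rejected


def render_rows(entries):
    """Output encoding as a second layer: even validated data is escaped, so a
    future relaxation of the validator cannot reintroduce script injection."""
    return "\n".join(
        f"<tr><td>{html.escape(ip)}</td><td>{html.escape(name)}</td></tr>"
        for ip, name in entries
    )


if __name__ == "__main__":
    ok, bad = parse_hosts_safe(SAMPLE_HOST_FILE)
    print("accepted:", ok)
    print("rejected:", bad)
    print(render_rows(ok))
```

The two controls are independent: validation keeps malformed entries out of the host database, and output escaping guarantees that whatever does get stored is rendered as text rather than interpreted by the administrator's browser.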
Impact
A remote attacker may, by luring a user into importing a malicious host file, be able to disclose sensitive information, steal user cookies, or escalate privileges.
Solution
Update: The vendor's HPSBMU02836 SSRT101056 security advisory states: HP has provided HP ArcSight Connector Appliance v6.4 and HP ArcSight Logger v5.3 to resolve these issues. Please contact HP support to receive updates.
Do not import host files from untrusted sources.
Vendor Information
CVSS Metrics
Group | Score | Vector |
---|---|---|
Base | 1.7 | AV:L/AC:L/Au:S/C:N/I:P/A:N |
Temporal | 1.3 | E:U/RL:U/RC:UC |
Environmental | 0.5 | CDP:L/TD:L/CR:ND/IR:ND/AR:ND |
References
Acknowledgements
Thanks to Michael Rutkowski of Duer Advanced Technology and Aerospace, Inc (DATA) for reporting this vulnerability.
This document was written by Michael Orlando.
Other Information
CVE IDs: CVE-2012-2960
Date Public: 2012-08-06
Date First Published: 2012-08-06
Date Last Updated: 2013-02-15 13:28 UTC
Document Revision: 14