Stored Cross-Site Scripting Vulnerability in Aruba EdgeConnect Enterprise Orchestrator
CVE-2022-43524

8.7HIGH

Key Information:

Vendor: HP
Status: Aruba Edgeconnect Enterprise Orchestration Software
Vendor: CVE Published:; 5 January 2023

Summary

A vulnerability exists in the web-based management interface of Aruba EdgeConnect Enterprise Orchestrator that enables an authenticated remote attacker to perform a stored cross-site scripting (XSS) attack. By exploiting this vulnerability, the attacker can execute arbitrary scripts in the browser of an administrative user, essentially compromising their session and potentially leading to further unauthorized actions within the system. This vulnerability affects multiple versions of Aruba EdgeConnect Enterprise Orchestrator, including both on-premises instances and various as-a-service offerings.

Affected Version(s)

Aruba EdgeConnect Enterprise Orchestration Software Aruba EdgeConnect Enterprise Orchestrator (on-premises), Aruba EdgeConnect Enterprise Orchestrator-as-a-Service, Aruba EdgeConnect Enterprise Orchestrator-SP and Aruba EdgeConnect Enterprise Orchestrator Global Enterprise Tenant Orchestrators - Orchestrator 9.2.1.40179 and below, - Orchestrator 9.1.4.40436 and below, - Orchestrator 9.0.7.40110 and below, - Orchestrator 8.10.23.40015 and below, - Any older branches of Orchestrator not specifically mentioned.

References

https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2022...

CVSS V3.1

Score:

8.7

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Jan 5, 2023
Vulnerability Reserved
Oct 20, 2022