Reflected Cross Site Scripting in EdgeConnect SD-WAN Orchestrator Web Management Interface
CVE-2023-37439

6.1MEDIUM

Key Information:

Vendor: HP
Status: Edgeconnect Sd-wan Orchestrator
Vendor: CVE Published:; 22 August 2023

Summary

Multiple vulnerabilities in the web-based management interface of EdgeConnect SD-WAN Orchestrator could allow an authenticated remote attacker to conduct SQL injection attacks against the EdgeConnect SD-WAN Orchestrator instance. An attacker could exploit these vulnerabilities to obtain and modify sensitive information in the underlying database potentially leading to the exposure and corruption of sensitive data controlled by the EdgeConnect SD-WAN Orchestrator host.

Affected Version(s)

EdgeConnect SD-WAN Orchestrator Orchestrator 9.3.x

EdgeConnect SD-WAN Orchestrator Orchestrator 9.2.x

References

https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2023...

CVSS V3.1

Score:

6.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Aug 22, 2023
Vulnerability Reserved
Jul 5, 2023

Credit

Daniel Jensen (@dozernz)