Unauthenticated Stored Cross-Site Scripting in ArubaOS-Switch
CVE-2023-39266

8.3 HIGH

Key Information:

Vendor: HP
CVE Published: 29 August 2023

Badges

👾 Exploit Exists
📰 News Worthy

Summary

A vulnerability exists in the web management interface of ArubaOS-Switch that may permit an unauthenticated remote attacker to carry out stored cross-site scripting (XSS) attacks. Such attacks could occur if certain configuration options are enabled. If successfully executed, malicious scripts could be run in the browser of users interacting with the affected interface, potentially compromising sensitive information or enabling further attacks.

Affected Version(s)

ArubaOS-Switch ArubaOS-Switch 16.11.xxxx: KB/WC/YA/YB/YC.16.11.0012 and below.

ArubaOS-Switch ArubaOS-Switch 16.10.xxxx: KB/WC/YA/YB/YC.16.10.0025 and below.

News Articles

Multiple Flaws in ArubaOS Switches Let Attackers Execute Remote Code

Multiple vulnerabilities have been identified in ArubaOS-Switch Switches, specifically pertaining to Stored Cross-site Scripting (Stored XSS), Denial of Service (DoS), and Memory corruption. Aruba has taken measures to mitigate these vulnerabilities and has subsequently published a security advisory...

5 months ago

References

CVSS V3.1

Score: 8.3
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: Required
Scope: Changed

Timeline

  • 👾 Exploit known to exist
  • 📰 First article discovered by GBHackers News
  • Vulnerability published
  • Vulnerability Reserved

Credit

Ken Pyle - Partner and Exploit Developer, CYBIR and Graduate Professor of Cybersecurity at Chestnut Hill College.