Stored Cross-Site Scripting (XSS) Vulnerability in EdgeConnect SD-WAN Orchestrator
CVE-2024-41914

9 CRITICAL

Key Information:

Vendor: HP
CVE Published: 24 July 2024

Summary

A vulnerability exists in the web-based management interface of HPE's EdgeConnect SD-WAN Orchestrator, which can be exploited by an authenticated remote attacker to initiate a stored cross-site scripting (XSS) attack. This flaw allows the execution of arbitrary script code in the browser of an administrative user interacting with the affected interface. The dynamic nature of the web-based interface may allow the attacker to store malicious scripts, which are then executed whenever an administrator accesses the compromised section. Proper security measures and updates are necessary to mitigate this potential risk.

Affected Version(s)

HPE Aruba Networking EdgeConnect SD-WAN Orchestrator 9.4.x: Orchestrator 9.4.1 (all builds) and below

HPE Aruba Networking EdgeConnect SD-WAN Orchestrator 9.3.x: Orchestrator 9.3.2 (all builds) and below

HPE Aruba Networking EdgeConnect SD-WAN Orchestrator 9.2.x: Orchestrator 9.2.9 (all builds) and below

CVSS V3.1

Score: 9
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Daniel Jensen (@dozernz)