Stored Cross-Site Scripting Vulnerability in HPE Aruba Networking Fabric Composer
CVE-2025-23055

5.5MEDIUM

Key Information:

Vendor: HP (HP)
Status: HP Aruba Networking Fabric Composer (afc)
Vendor: CVE Published:; 28 January 2025

Summary

A vulnerability exists in the web management interface of HPE Aruba Networking Fabric Composer that enables an authenticated remote attacker to execute stored cross-site scripting (XSS) attacks. By exploiting this issue, a threat actor can execute arbitrary JavaScript code in the web browsers of users who access the compromised interface, potentially leading to unauthorized actions being performed on behalf of the victim.

Affected Version(s)

HPE Aruba Networking Fabric Composer (AFC) 7.0.0 <= 7.1.0

References

https://support.hpe.com/hpesc/public/docDisplay?docId=hpe...

CVSS V3.1

Score:

5.5

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Changed

Timeline

Vulnerability published
Jan 28, 2025
Vulnerability Reserved
Jan 10, 2025

Credit

m0x_noob via HPE Aruba Networking's Bug Bounty Program