Details of VAR-201010-0098

ID

VAR-201010-0098

CVE

CVE-2010-3985

TITLE

HP Operations Orchestration CVE-2010-3985 Unknown Cross-Site Scripting Vulnerability

Trust: 1.0

sources: IVD: e53923b6-1faa-11e6-abef-000c29c66e3d // IVD: 7d7b572e-463f-11e9-82a6-000c29342cb1 // CNVD: CNVD-2010-2477

DESCRIPTION

Cross-site scripting (XSS) vulnerability in HP Operations Orchestration before 9.0, when Internet Explorer 6.0 is used, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. HP Operations Orchestration is an operation and maintenance manual automation platform that automates the transformation and deployment of client devices and data center infrastructure. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. Versions prior to HP Operations Orchestration 9.0 are vulnerable. ---------------------------------------------------------------------- Secure your corporate defenses and reduce complexity in handling vulnerability threats with the new Secunia Vulnerability Intelligence Manager (VIM) Beta. Join the beta: http://secunia.com/products/corporate/vim/ ---------------------------------------------------------------------- TITLE: HP Operations Orchestration Cross-Site Scripting Vulnerability SECUNIA ADVISORY ID: SA41983 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/41983/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=41983 RELEASE DATE: 2010-10-28 DISCUSS ADVISORY: http://secunia.com/advisories/41983/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/41983/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=41983 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: A vulnerability has been reported in HP Operations Orchestration, which can be exploited by malicious people to conduct cross-site scripting attacks. Unspecified input is not properly sanitised before being returned to the user. SOLUTION: Upgrade to version 9.0 (contact HP Support for update information). PROVIDED AND/OR DISCOVERED BY: The vendor credits Michael Schratt, WienIT. ORIGINAL ADVISORY: HPSBMA02588 SSRT100001: http://www.itrc.hp.com/service/cki/docDisplay.do?docId=emr_na-c02541822 OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXPLOIT: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Trust: 2.88

sources: NVD: CVE-2010-3985 // JVNDB: JVNDB-2010-003283 // CNVD: CNVD-2010-2477 // BID: 44331 // IVD: e53923b6-1faa-11e6-abef-000c29c66e3d // IVD: 7d7b572e-463f-11e9-82a6-000c29342cb1 // PACKETSTORM: 95190

IOT TAXONOMY

category:	['IoT', 'ICS']	sub_category:	-	Trust: 0.6
category:	['ICS']	sub_category:	-	Trust: 0.4

sources: IVD: e53923b6-1faa-11e6-abef-000c29c66e3d // IVD: 7d7b572e-463f-11e9-82a6-000c29342cb1 // CNVD: CNVD-2010-2477

AFFECTED PRODUCTS

vendor:	hp	model:	operations orchestration	scope:	eq	version:	7.2	Trust: 1.6
vendor:	hp	model:	operations orchestration	scope:	eq	version:	7.1	Trust: 1.6
vendor:	hp	model:	operations orchestration	scope:	lte	version:	7.5	Trust: 1.0
vendor:	hewlett packard	model:	hp operations orchestration	scope:	lt	version:	9.0	Trust: 0.8
vendor:	hp	model:	operations orachestration	scope:	lt	version:	v9.0	Trust: 0.6
vendor:	hp	model:	operations orchestration	scope:	eq	version:	7.5	Trust: 0.6
vendor:	operations orchestration	model:	-	scope:	eq	version:	7.1	Trust: 0.4
vendor:	operations orchestration	model:	-	scope:	eq	version:	7.2	Trust: 0.4
vendor:	operations orchestration	model:	-	scope:	eq	version:	*	Trust: 0.4

sources: IVD: e53923b6-1faa-11e6-abef-000c29c66e3d // IVD: 7d7b572e-463f-11e9-82a6-000c29342cb1 // CNVD: CNVD-2010-2477 // JVNDB: JVNDB-2010-003283 // CNNVD: CNNVD-201010-389 // NVD: CVE-2010-3985

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2010-3985
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2010-3985
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-201010-389
value:	MEDIUM
Trust: 0.6
IVD:	e53923b6-1faa-11e6-abef-000c29c66e3d
value:	MEDIUM
Trust: 0.2
IVD:	7d7b572e-463f-11e9-82a6-000c29342cb1
value:	MEDIUM
Trust: 0.2

nvd@nist.gov:	CVE-2010-3985
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
IVD:	e53923b6-1faa-11e6-abef-000c29c66e3d
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.9 [IVD]
Trust: 0.2
IVD:	7d7b572e-463f-11e9-82a6-000c29342cb1
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.9 [IVD]
Trust: 0.2

sources: IVD: e53923b6-1faa-11e6-abef-000c29c66e3d // IVD: 7d7b572e-463f-11e9-82a6-000c29342cb1 // JVNDB: JVNDB-2010-003283 // CNNVD: CNNVD-201010-389 // NVD: CVE-2010-3985

PROBLEMTYPE DATA

problemtype:

CWE-79

Trust: 1.8

sources: JVNDB: JVNDB-2010-003283 // NVD: CVE-2010-3985

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201010-389

TYPE

xss

Trust: 0.7

sources: PACKETSTORM: 95190 // CNNVD: CNNVD-201010-389

CONFIGURATIONS

sources: JVNDB: JVNDB-2010-003283

PATCH

title:	HPSBMA02588 SSRT100001	url:	http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02541822	Trust: 0.8
title:	HP Operations Orchestration CVE-2010-3985 Patch for Unknown Cross-Site Scripting Vulnerability	url:	https://www.cnvd.org.cn/patchInfo/show/1449	Trust: 0.6
title:	HP Operations Orchestration Fixes for multiple cross-site scripting vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=157801	Trust: 0.6

sources: CNVD: CNVD-2010-2477 // JVNDB: JVNDB-2010-003283 // CNNVD: CNNVD-201010-389

EXTERNAL IDS

db:	NVD	id:	CVE-2010-3985	Trust: 3.7
db:	BID	id:	44331	Trust: 1.9
db:	SECUNIA	id:	41983	Trust: 1.7
db:	VUPEN	id:	ADV-2010-2760	Trust: 1.6
db:	OSVDB	id:	68906	Trust: 1.6
db:	CNVD	id:	CNVD-2010-2477	Trust: 1.0
db:	CNNVD	id:	CNNVD-201010-389	Trust: 1.0
db:	JVNDB	id:	JVNDB-2010-003283	Trust: 0.8
db:	IVD	id:	E53923B6-1FAA-11E6-ABEF-000C29C66E3D	Trust: 0.2
db:	IVD	id:	7D7B572E-463F-11E9-82A6-000C29342CB1	Trust: 0.2
db:	PACKETSTORM	id:	95190	Trust: 0.1

sources: IVD: e53923b6-1faa-11e6-abef-000c29c66e3d // IVD: 7d7b572e-463f-11e9-82a6-000c29342cb1 // CNVD: CNVD-2010-2477 // BID: 44331 // JVNDB: JVNDB-2010-003283 // PACKETSTORM: 95190 // CNNVD: CNNVD-201010-389 // NVD: CVE-2010-3985

REFERENCES

url:	http://h20000.www2.hp.com/bizsupport/techsupport/document.jsp?objectid=c02541822	Trust: 2.2
url:	https://exchange.xforce.ibmcloud.com/vulnerabilities/62727	Trust: 1.6
url:	http://www.securityfocus.com/bid/44331	Trust: 1.6
url:	http://secunia.com/advisories/41983	Trust: 1.6
url:	http://osvdb.org/68906	Trust: 1.6
url:	http://www.vupen.com/english/advisories/2010/2760	Trust: 1.6
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2010-3985	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2010-3985	Trust: 0.8
url:	http://www.hp.com/	Trust: 0.3
url:	http://secunia.com/products/corporate/evm/	Trust: 0.1
url:	http://www.itrc.hp.com/service/cki/docdisplay.do?docid=emr_na-c02541822	Trust: 0.1
url:	http://secunia.com/advisories/about_secunia_advisories/	Trust: 0.1
url:	http://secunia.com/advisories/secunia_security_advisories/	Trust: 0.1
url:	http://secunia.com/advisories/41983/	Trust: 0.1
url:	http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/	Trust: 0.1
url:	http://secunia.com/products/corporate/vim/	Trust: 0.1
url:	http://secunia.com/vulnerability_scanning/personal/	Trust: 0.1
url:	http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org	Trust: 0.1
url:	http://secunia.com/advisories/41983/#comments	Trust: 0.1
url:	https://ca.secunia.com/?page=viewadvisory&vuln_id=41983	Trust: 0.1

sources: CNVD: CNVD-2010-2477 // BID: 44331 // JVNDB: JVNDB-2010-003283 // PACKETSTORM: 95190 // CNNVD: CNNVD-201010-389 // NVD: CVE-2010-3985

CREDITS

Michael Schratt

Trust: 0.9

sources: BID: 44331 // CNNVD: CNNVD-201010-389

SOURCES

db:	IVD	id:	e53923b6-1faa-11e6-abef-000c29c66e3d
db:	IVD	id:	7d7b572e-463f-11e9-82a6-000c29342cb1
db:	CNVD	id:	CNVD-2010-2477
db:	BID	id:	44331
db:	JVNDB	id:	JVNDB-2010-003283
db:	PACKETSTORM	id:	95190
db:	CNNVD	id:	CNNVD-201010-389
db:	NVD	id:	CVE-2010-3985

LAST UPDATE DATE

2025-04-11T23:07:35.908000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2010-2477	date:	2010-10-25T00:00:00
db:	BID	id:	44331	date:	2010-10-22T00:00:00
db:	JVNDB	id:	JVNDB-2010-003283	date:	2012-03-27T00:00:00
db:	CNNVD	id:	CNNVD-201010-389	date:	2021-07-27T00:00:00
db:	NVD	id:	CVE-2010-3985	date:	2025-04-11T00:51:21.963

SOURCES RELEASE DATE

db:	IVD	id:	e53923b6-1faa-11e6-abef-000c29c66e3d	date:	2010-10-25T00:00:00
db:	IVD	id:	7d7b572e-463f-11e9-82a6-000c29342cb1	date:	2010-10-25T00:00:00
db:	CNVD	id:	CNVD-2010-2477	date:	2010-10-25T00:00:00
db:	BID	id:	44331	date:	2010-10-22T00:00:00
db:	JVNDB	id:	JVNDB-2010-003283	date:	2012-03-27T00:00:00
db:	PACKETSTORM	id:	95190	date:	2010-10-27T08:15:22
db:	CNNVD	id:	CNNVD-201010-389	date:	2010-10-28T00:00:00
db:	NVD	id:	CVE-2010-3985	date:	2010-10-26T19:00:03.283