A vulnerability classified as problematic was found in HP JetAdvantage Security Manager up to 3.0.0. This vulnerability affects an unknown code block. The manipulation with an unknown input leads to a cross site scripting vulnerability (Stored). The CWE definition for the vulnerability is CWE-79. The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. As an impact it is known to affect integrity. CVE summarizes:

Potential security vulnerabilities have been identified with HP JetAdvantage Security Manager before 3.0.1. The vulnerabilities could potentially be exploited to allow stored cross-site scripting which could allow a hacker to create a denial of service.

The bug was discovered 08/16/2017. The weakness was presented 01/23/2018 (Website). The advisory is shared for download at support.hp.com. This vulnerability was named CVE-2017-2746 since 12/01/2016. The attack can be initiated remotely. No form of authentication is required for a successful exploitation. Successful exploitation requires user interaction by the victim. There are neither technical details nor an exploit publicly available. The MITRE ATT&CK project declares the attack technique as T1059.007.

The vulnerability was handled as a non-public zero-day exploit for at least 160 days. During that time the estimated underground price was around $5k-$25k.

Upgrading to version 3.0.1 eliminates this vulnerability.

See 112347 for similar entry.

Productinfo

Vendor

• HP

Name

• JetAdvantage Security Manager

Version

• 3.0

License

• commercial

CPE 2.3info

• 🔍

CPE 2.2info

• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion