HP Service Manager 9.30/9.31/9.32/9.33 cross-site request forgery
CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
---|---|---|
4.6 | $0-$5k | 0.00 |
A vulnerability has been found in HP Service Manager 9.30/9.31/9.32/9.33 (Project Management Software) and classified as problematic. This vulnerability affects an unknown function. The manipulation with an unknown input leads to a cross-site request forgery vulnerability. The CWE definition for the vulnerability is CWE-352. The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request. As an impact it is known to affect confidentiality. CVE summarizes:
Multiple cross-site request forgery (CSRF) vulnerabilities in HP Service Manager 9.30, 9.31, 9.32, and 9.33 allow remote attackers to hijack the authentication of unspecified victims for requests that (1) insert XSS sequences or (2) execute arbitrary code.
The weakness was published 02/20/2014 as c04117626 as confirmed posting (Website). The advisory is shared for download at h20566.www2.hp.com. This vulnerability was named CVE-2013-6202 since 10/21/2013. The attack can be initiated remotely. No form of authentication is required for a successful exploitation. There are neither technical details nor an exploit publicly available.
Upgrading to version 9.33.0035 eliminates this vulnerability. The upgrade is hosted for download at h20566.www2.hp.com.
The vulnerability is also documented in the vulnerability database at X-Force (91374). Similar entries are available at 12456, 12457, 12458 and 12459.
Product
Type
Vendor
Name
Version
License
CPE 2.3
CPE 2.2
CVSSv4
VulDB CVSS-B Score: 🔍VulDB CVSS-BT Score: 🔍
VulDB Vector: 🔍
VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 5.3VulDB Meta Temp Score: 4.6
VulDB Base Score: 5.3
VulDB Temp Score: 4.6
VulDB Vector: 🔍
VulDB Reliability: 🔍
CVSSv2
AV | AC | Au | C | I | A |
---|---|---|---|---|---|
💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
---|---|---|---|---|---|
unlock | unlock | unlock | unlock | unlock | unlock |
unlock | unlock | unlock | unlock | unlock | unlock |
unlock | unlock | unlock | unlock | unlock | unlock |
VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍
NVD Base Score: 🔍
Exploiting
Class: Cross-site request forgeryCWE: CWE-352 / CWE-862 / CWE-863
CAPEC: 🔍
ATT&CK: 🔍
Local: No
Remote: Yes
Availability: 🔍
Status: Unproven
EPSS Score: 🔍
EPSS Percentile: 🔍
Price Prediction: 🔍
Current Price Estimation: 🔍
0-Day | unlock | unlock | unlock | unlock |
---|---|---|---|---|
Today | unlock | unlock | unlock | unlock |
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: UpgradeStatus: 🔍
0-Day Time: 🔍
Upgrade: Service Manager 9.33.0035
Timeline
10/21/2013 🔍02/20/2014 🔍
02/20/2014 🔍
02/23/2014 🔍
03/05/2014 🔍
06/15/2021 🔍
Sources
Vendor: hp.comAdvisory: c04117626
Status: Confirmed
Confirmation: 🔍
CVE: CVE-2013-6202 (🔍)
X-Force: 91374 - HP Service Manager information disclosure, Medium Risk
SecurityTracker: 1029803
SecurityFocus: 65736 - HP Service Manager CVE-2013-6202 Multiple Security Vulnerabilities
Secunia: 57065 - HP Service Manager Multiple Vulnerabilities, Highly Critical
See also: 🔍
Entry
Created: 03/05/2014 17:21Updated: 06/15/2021 08:50
Changes: 03/05/2014 17:21 (43), 03/30/2019 21:40 (21), 06/15/2021 08:50 (3)
Complete: 🔍
Committer: olku
No comments yet. Languages: en.
Please log in to comment.