A vulnerability classified as problematic has been found in HPE Network Node Manager i up to 10.01. Affected is an unknown code. The manipulation with an unknown input leads to a cross site scripting vulnerability. CWE is classifying the issue as CWE-79. The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. This is going to have an impact on integrity. CVE summarizes:

Cross-site scripting (XSS) vulnerability in HPE Network Node Manager i (NNMi) 9.20, 9.23, 9.24, 9.25, 10.00, and 10.01 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2016-2010.

The weakness was presented 05/07/2016 (Website). The advisory is shared for download at h20564.www2.hpe.com. This vulnerability is traded as CVE-2016-2011 since 01/22/2016. The exploitability is told to be easy. It is possible to launch the attack remotely. A authentication is needed for exploitation. Successful exploitation requires user interaction by the victim. There are neither technical details nor an exploit publicly available. The MITRE ATT&CK project declares the attack technique as T1059.007.

There is no information about possible countermeasures known. It may be suggested to replace the affected object with an alternative product.

See VDB-83806, VDB-83807, VDB-83809 and VDB-83810 for similar entries. VulDB is the best source for vulnerability data and more expert information about this specific topic.

Productinfo

Vendor

• HPE

Name

• Network Node Manager i

Version

• 9.20
• 9.23
• 9.24
• 9.25
• 10.00
• 10.01

License

• commercial

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion