Input validation error in HP SiteScope
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2013-2367 |
| CWE-ID | CWE-20 |
| Exploitation vector | Network |
| Public exploit | Public exploit code for vulnerability #1 is available. |
| Vulnerable software |
HP SiteScope Server applications / Other server solutions |
| Vendor | Hewlett Packard Enterprise Development LP |
Security Bulletin
This security bulletin contains one high risk vulnerability.
1) Input validation error
EUVDB-ID: #VU42681
Risk: High
CVSSv4.0: 8.9 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Amber]
CVE-ID: CVE-2013-2367
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: Yes
DescriptionThe vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
Multiple unspecified vulnerabilities in HP SiteScope 11.20 and 11.21, when SOAP is used, allow remote attackers to execute arbitrary code via unknown vectors, aka ZDI-CAN-1678.
MitigationInstall update from vendor's website.
Vulnerable software versionsHP SiteScope: 11.20 - 11.21
CPE2.3- cpe:2.3:a:hewlett_packard_enterprise_development_lp:sitescope:11.20:*:*:*:*:*:*:*
- cpe:2.3:a:hewlett_packard_enterprise_development_lp:sitescope:11.21:*:*:*:*:*:*:*
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c03861260
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
