SB2018021524 - Multiple vulnerabilities in HPE Matrix Operating Environment

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2018021524

SB2018021524 - Multiple vulnerabilities in HPE Matrix Operating Environment

Published: February 15, 2018 Updated: August 8, 2020

Security Bulletin ID SB2018021524
Severity
High
Patch available
NO
Number of vulnerabilities 11
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

High 27% Medium 55% Low 18%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 11 secuirty vulnerabilities.


1) Input validation error (CVE-ID: CVE-2017-5780)

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

A remote clickjacking vulnerability in HPE Matrix Operating Environment version v7.6 was found.


2) Cross-site request forgery (CVE-ID: CVE-2017-5781)

The vulnerability allows a remote attacker to perform cross-site request forgery attacks.

The vulnerability exists due to insufficient validation of the HTTP request origin. A remote attacker can trick the victim to visit a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website.


3) Input validation error (CVE-ID: CVE-2017-5782)

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

A missing HSTS Header vulnerability in HPE Matrix Operating Environment version v7.6 was found.


4) Input validation error (CVE-ID: CVE-2017-5783)

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

A remote clickjacking vulnerability in HPE Matrix Operating Environment version v7.6 was found.


5) Input validation error (CVE-ID: CVE-2017-5784)

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

A missing HSTS Header vulnerability in HPE Matrix Operating Environment version v7.6 was found.


6) Information disclosure (CVE-ID: CVE-2017-5785)

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

A remote information disclosure vulnerability in HPE Matrix Operating Environment version v7.6 was found.


7) Information disclosure (CVE-ID: CVE-2016-8531)

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

A remote information disclosure vulnerability in HPE Matrix Operating Environment version 7.6 was found.


8) Cross-site scripting (CVE-ID: CVE-2016-8532)

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data in HPE Matrix Operating Environment version 7. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.


9) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2016-8533)

The vulnerability allows a remote authenticated user to execute arbitrary code.

A remote priviledge escalation vulnerability in HPE Matrix Operating Environment version 7.6 was found.


10) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2016-8534)

The vulnerability allows a remote authenticated user to execute arbitrary code.

A remote privilege elevation vulnerability in HPE Matrix Operating Environment version 7.6 was found.


11) Input validation error (CVE-ID: CVE-2016-8535)

The vulnerability allows a remote authenticated user to manipulate data.

A remote HTTP parameter Pollution vulnerability in HPE Matrix Operating Environment version 7.6 was found.


Remediation

Cybersecurity Help is not aware of any official remediation provided by the vendor.

References