Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2023-39266

Summary
Assigner-hpe
Assigner Org ID-eb103674-0d28-4225-80f8-39fb86215de0
Published At-29 Aug, 2023 | 19:20
Updated At-27 Sep, 2024 | 21:56
Rejected At-
Credits

Unauthenticated Stored Cross-Site Scripting in ArubaOS-Switch

A vulnerability in the ArubaOS-Switch web management interface could allow an unauthenticated remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the interface provided certain configuration options are present. A successful exploit could allow an attacker to execute arbitrary script code in a victim's browser in the context of the affected interface.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:hpe
Assigner Org ID:eb103674-0d28-4225-80f8-39fb86215de0
Published At:29 Aug, 2023 | 19:20
Updated At:27 Sep, 2024 | 21:56
Rejected At:
▼CVE Numbering Authority (CNA)
Unauthenticated Stored Cross-Site Scripting in ArubaOS-Switch

A vulnerability in the ArubaOS-Switch web management interface could allow an unauthenticated remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the interface provided certain configuration options are present. A successful exploit could allow an attacker to execute arbitrary script code in a victim's browser in the context of the affected interface.

Affected Products
Vendor
Hewlett Packard Enterprise (HPE)Hewlett Packard Enterprise
Product
ArubaOS-Switch
Default Status
affected
Versions
Affected
  • ArubaOS-Switch 16.11.xxxx: KB/WC/YA/YB/YC.16.11.0012 and below.
  • ArubaOS-Switch 16.10.xxxx: KB/WC/YA/YB/YC.16.10.0025 and below.
  • ArubaOS-Switch 16.10.xxxx: WB.16.10.23 and below.
  • ArubaOS-Switch 16.09.xxxx: All versions.
  • ArubaOS-Switch 16.08.xxxx: KB/WB/WC/YA/YB/YC.16.08.0026 and below.
  • ArubaOS-Switch 16.07.xxxx: All versions.
  • ArubaOS-Switch 16.06.xxxx: All versions.
  • ArubaOS-Switch 16.05.xxxx: All versions.
  • ArubaOS-Switch 16.04.xxxx: KA/RA.16.04.0026 and below.
  • ArubaOS-Switch 16.03.xxxx: All versions.
  • ArubaOS-Switch 16.02.xxxx: All versions.
  • ArubaOS-Switch 16.01.xxxx: All versions.
  • ArubaOS-Switch 15.xx.xxxx: 15.16.0025 and below.
Metrics
VersionBase scoreBase severityVector
3.18.3HIGH
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
Version: 3.1
Base score: 8.3
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
reporter
Ken Pyle - Partner and Exploit Developer, CYBIR and Graduate Professor of Cybersecurity at Chestnut Hill College
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2023-013.txt
N/A
Hyperlink: https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2023-013.txt
Resource: N/A
▼Authorized Data Publishers (ADP)
1. CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2023-013.txt
x_transferred
Hyperlink: https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2023-013.txt
Resource:
x_transferred
2. CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:security-alert@hpe.com
Published At:29 Aug, 2023 | 20:15
Updated At:11 Sep, 2023 | 13:38

A vulnerability in the ArubaOS-Switch web management interface could allow an unauthenticated remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the interface provided certain configuration options are present. A successful exploit could allow an attacker to execute arbitrary script code in a victim's browser in the context of the affected interface.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.16.1MEDIUM
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Secondary3.18.3HIGH
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
Type: Primary
Version: 3.1
Base score: 6.1
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Type: Secondary
Version: 3.1
Base score: 8.3
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
CPE Matches
Aruba Networks
arubanetworks
>>aruba_2530>>-
cpe:2.3:h:arubanetworks:aruba_2530:-:*:*:*:*:*:*:*
Aruba Networks
arubanetworks
>>aruba_2530ya>>-
cpe:2.3:h:arubanetworks:aruba_2530ya:-:*:*:*:*:*:*:*
Aruba Networks
arubanetworks
>>aruba_2530yb>>-
cpe:2.3:h:arubanetworks:aruba_2530yb:-:*:*:*:*:*:*:*
Aruba Networks
arubanetworks
>>aruba_2540>>-
cpe:2.3:h:arubanetworks:aruba_2540:-:*:*:*:*:*:*:*
Aruba Networks
arubanetworks
>>aruba_2920>>-
cpe:2.3:h:arubanetworks:aruba_2920:-:*:*:*:*:*:*:*
Aruba Networks
arubanetworks
>>aruba_2930f>>-
cpe:2.3:h:arubanetworks:aruba_2930f:-:*:*:*:*:*:*:*
Aruba Networks
arubanetworks
>>aruba_2930m>>-
cpe:2.3:h:arubanetworks:aruba_2930m:-:*:*:*:*:*:*:*
Aruba Networks
arubanetworks
>>aruba_3810m>>-
cpe:2.3:h:arubanetworks:aruba_3810m:-:*:*:*:*:*:*:*
Aruba Networks
arubanetworks
>>aruba_5406r_zl2>>-
cpe:2.3:h:arubanetworks:aruba_5406r_zl2:-:*:*:*:*:*:*:*
Aruba Networks
arubanetworks
>>aruba_5412r_zl2>>-
cpe:2.3:h:arubanetworks:aruba_5412r_zl2:-:*:*:*:*:*:*:*
Hewlett Packard Enterprise (HPE)
hpe
>>arubaos-switch>>Versions before a.15.16.0026(exclusive)
cpe:2.3:o:hpe:arubaos-switch:*:*:*:*:*:*:*:*
Hewlett Packard Enterprise (HPE)
hpe
>>arubaos-switch>>Versions from 16.01.0000(inclusive) to 16.04.0027(exclusive)
cpe:2.3:o:hpe:arubaos-switch:*:*:*:*:*:*:*:*
Hewlett Packard Enterprise (HPE)
hpe
>>arubaos-switch>>Versions from 16.05.0000(inclusive) to 16.08.0027(exclusive)
cpe:2.3:o:hpe:arubaos-switch:*:*:*:*:*:*:*:*
Hewlett Packard Enterprise (HPE)
hpe
>>arubaos-switch>>Versions from 16.10.0001(inclusive) to 16.10.0024(exclusive)
cpe:2.3:o:hpe:arubaos-switch:*:*:*:*:*:*:*:*
Hewlett Packard Enterprise (HPE)
hpe
>>arubaos-switch>>Versions from 16.11.0001(inclusive) to 16.11.0013(exclusive)
cpe:2.3:o:hpe:arubaos-switch:*:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-79Primarynvd@nist.gov
CWE ID: CWE-79
Type: Primary
Source: nvd@nist.gov
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2023-013.txtsecurity-alert@hpe.com
Vendor Advisory
Hyperlink: https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2023-013.txt
Source: security-alert@hpe.com
Resource:
Vendor Advisory

Change History

0
Information is not available yet

Similar CVEs

9062Records found
CVE-2021-26587
Matching Score-6
Assigner-Hewlett Packard Enterprise (HPE)
ShareView Details
Matching Score-6
Assigner-Hewlett Packard Enterprise (HPE)
CVSS Score-6.5||MEDIUM
EPSS-0.51% / 65.22%
||
7 Day CHG~0.00%
Published-27 Sep, 2021 | 14:01
Updated-03 Aug, 2024 | 20:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A potential DOM-based Cross Site Scripting security vulnerability has been identified in HPE StoreOnce. The vulnerability could be remotely exploited to cause an elevation of privilege leading to partial impact to confidentiality, availability, and integrity. HPE has made the following software update - HPE StoreOnce 4.3.0, to resolve the vulnerability in HPE StoreOnce.

Action-Not Available
Vendor-n/aHewlett Packard Enterprise (HPE)
Product-storeonce_5200storeonce_5250_firmwarestoreonce_vsa_4tbstoreonce_5650_firmwarestoreonce_5250storeonce_5650storeonce_3640_firmwarestoreonce_3620_firmwarestoreonce_vsa_4tb_firmwarestoreonce_3620storeonce_3640storeonce_5200_firmwareHPE StoreOnce 3620; HPE StoreOnce 3640; HPE StoreOnce 5200; HPE StoreOnce 5250; HPE StoreOnce 5650; HPE StoreOnce VSA 4TB
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-28083
Matching Score-6
Assigner-Hewlett Packard Enterprise (HPE)
ShareView Details
Matching Score-6
Assigner-Hewlett Packard Enterprise (HPE)
CVSS Score-8.3||HIGH
EPSS-0.17% / 38.44%
||
7 Day CHG~0.00%
Published-20 Mar, 2023 | 12:34
Updated-26 Feb, 2025 | 19:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Potential Cross-Site scripting vulnerability in HPE Integrated Lights-Out 6 (iLO 6), Integrated Lights-Out 5 (iLO 5) and Integrated Lights-Out 4 (iLO 4).

A remote Cross-site Scripting vulnerability was discovered in HPE Integrated Lights-Out 6 (iLO 6), Integrated Lights-Out 5 (iLO 5) and Integrated Lights-Out 4 (iLO 4). HPE has provided software updates to resolve this vulnerability in HPE Integrated Lights-Out.

Action-Not Available
Vendor-Hewlett Packard Enterprise (HPE)HP Inc.
Product-proliant_ml350e_gen8_serverproliant_dl560_gen10_serverproliant_ml350p_gen8_serverapollo_r2600_gen10proliant_ml350_gen10_serverproliant_dl325_gen11_serverstoreeasy_1540_storageproliant_dl360p_gen8_serverproliant_dl80_gen9_serverproliant_ml310e_gen8_v2_serverapollo_6500_gen10_systemapollo_4200_gen10_serverproliant_dl385p_gen8_\(amd\)proliant_xl270d_gen9_special_serverproliant_xl290n_gen10_plus_serversynergy_620_gen9_compute_modulestoreeasy_1550_storagestoreeasy_1650_storageproliant_dl380p_gen8_serverproliant_dl20_gen10_serverstoreeasy_1860_performance_storagestorage_file_controllerproliant_dl360_gen10_plus_serverproliant_bl465c_gen8_server_bladeproliant_bl460c_gen9_server_bladeproliant_xl250a_gen9_serverproliant_dl325_gen10_plus_serverproliant_bl660c_gen9_serverproliant_dl385_gen10_plus_serverproliant_dl365_gen11_serverintegrated_lights-out_4proliant_dx190r_gen10_serverproliant_xl225n_gen10_plus_1u_nodeproliant_ml310e_gen8_serverstoreeasy_3850_gateway_storageproliant_xl230b_gen9_serverstoreeasy_3840_gateway_storage_bladeproliant_dx325_gen10_plus_v2_serverproliant_dl60_gen9_serverproliant_ml110_gen10_serverproliant_dl580_gen8_serverproliant_dx385_gen10_plus_v2_serverproliant_ml350_gen11_serverstoreeasy_3850_gateway_storage_bladestoreeasy_1460_storageapollo_n2600_gen10_plusproliant_xl230a_gen9_serverintegrated_lights-out_6storeeasy_3840_gateway_storagestoreeasy_1630_storagesynergy_660_gen10_compute_moduleedgeline_e920d_server_bladeproliant_dl320e_gen8_serverproliant_dl345_gen11_serverproliant_dx385_gen10_plus_serverproliant_sl250s_gen8_serverproliant_dx4200_gen10_serverproliant_dl380_gen11_serverproliant_xl170r_gen9_serverstoreeasy_1450_storageproliant_microserver_gen8proliant_xl730f_gen9_serverstoreeasy_1430_storageproliant_ml350_gen9_serverstoreeasy_1830_storageproliant_xl220n_gen10_plus_serverapollo_4200_gen10_plus_systemproliant_dl365_gen10_plus_serverstoreeasy_1860_storageproliant_xl270d_gen10_serverproliant_dl385_gen10_plus_v2_serverproliant_dl380_gen9_serverstorevirtual_3000_file_controllerproliant_xl450_gen9_serversynergy_480_gen9_compute_moduleapollo_6500_gen10_plus_systemstoreeasy_1530_storageproliant_bl420c_gen8_serverproliant_dl385_gen11_serverapollo_r2800_gen10edgeline_e920t_server_bladeproliant_dl180_gen10_serverproliant_ws460c_gen8_graphics_server_bladeproliant_bl460c_gen8_server_bladestoreeasy_1850_storageproliant_dl580_gen10_serverproliant_xl220a_gen8_v2_serverstoreeasy_3830_gateway_storageproliant_ml30_gen10_plus_serverstoreeasy_1660_performance_storagestoreeasy_1440_storageproliant_dl180_gen9_serverproliant_xl170r_gen10_serverstoreeasy_1660_expanded_storageproliant_dl580_gen9_serverproliant_dx360_gen10_serverproliant_xl190r_gen9_serverproliant_dl560_gen9_serverproliant_dl360_gen11_serverproliant_xl740f_gen9_serverproliant_dl360_gen9_serverproliant_dx220n_gen10_plus_serverproliant_dx360_gen10_plus_serverproliant_sl270s_gen8_serverproliant_dl320_gen11_serverproliant_ml30_gen9_serverproliant_dl345_gen10_plus_serverproliant_dl560_gen8_serverproliant_dx380_gen10_serverproliant_e910t_server_bladeproliant_e910_server_bladeproliant_dl360_gen10_serverapollo_r2200_gen10synergy_680_gen9_compute_moduleproliant_xl450_gen10_serverproliant_xl645d_gen10_plus_serverstorage_performance_file_controllerproliant_dl20_gen10_plus_serverproliant_xl230k_gen10_serverapollo_n2800_gen10_plusproliant_dl325_gen10_serversynergy_660_gen9_compute_moduleproliant_dl320e_gen8_v2_serversynergy_480_gen10_plus_compute_moduleproliant_xl675d_gen10_plus_serverproliant_dl160_gen9_serverproliant_dl20_gen9_serverstoreeasy_1640_storageproliant_sl230s_gen8_serverproliant_dl380_gen10_serverproliant_sl270s_gen8_se_serverstoreeasy_1840_storageproliant_xl190r_gen10_serverproliant_dl120_gen9_serverstoreeasy_1650_expanded_storageintegrated_lights-out_5proliant_dx380_gen10_plus_serverproliant_dl360e_gen8_serverapollo_4510_gen10_systemstoreeasy_3850_gateway_single_node_upgradeproliant_xl750f_gen9_serverproliant_dl160_gen8_serverproliant_dl380e_gen8_serverproliant_dl385_gen10_serverproliant_ws460c_gen9_graphics_server_bladeproliant_bl460c_gen10_server_bladeproliant_dx170r_gen10_serverproliant_dx560_gen10_serversynergy_480_gen10_compute_moduleedgeline_e920_server_bladeproliant_ml110_gen9_serverproliant_dl120_gen10_serverstoreeasy_1660_storageapollo_4200_gen9_serverproliant_bl660c_gen8_server_bladeproliant_ml350e_gen8_v2_serverproliant_dl160_gen10_serverapollo_r2000_chassisproliant_dl380_gen10_plus_serverstoreeasy_1560_storageproliant_sl210t_gen8_serverstoreeasy_3830_gateway_storage_bladeIntegrated Lights-Out
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-26300
Matching Score-6
Assigner-Hewlett Packard Enterprise (HPE)
ShareView Details
Matching Score-6
Assigner-Hewlett Packard Enterprise (HPE)
CVSS Score-6.6||MEDIUM
EPSS-0.04% / 11.38%
||
7 Day CHG~0.00%
Published-27 Feb, 2024 | 22:06
Updated-27 Mar, 2025 | 15:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability in the guest interface of ClearPass Policy Manager could allow an authenticated remote attacker to conduct a stored cross-site scripting (XSS) attack against an administrative user of the interface. A successful exploit allows an attacker to execute arbitrary script code in a victim's browser in the context of the affected interface.

Action-Not Available
Vendor-Hewlett Packard Enterprise (HPE)Aruba Networks
Product-clearpass_policy_managerAruba ClearPass Policy Manager
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-7110
Matching Score-6
Assigner-Hewlett Packard Enterprise (HPE)
ShareView Details
Matching Score-6
Assigner-Hewlett Packard Enterprise (HPE)
CVSS Score-4.8||MEDIUM
EPSS-0.33% / 55.01%
||
7 Day CHG~0.00%
Published-16 Apr, 2020 | 16:14
Updated-04 Aug, 2024 | 09:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

ClearPass is vulnerable to Stored Cross Site Scripting by allowing a malicious administrator, or a compromised administrator account, to save malicious scripts within ClearPass that could be executed resulting in a privilege escalation attack. Resolution: Fixed in 6.7.13, 6.8.4, 6.9.0 and higher.

Action-Not Available
Vendor-n/aAruba Networks
Product-clearpassClearPass Policy Manager
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-26299
Matching Score-6
Assigner-Hewlett Packard Enterprise (HPE)
ShareView Details
Matching Score-6
Assigner-Hewlett Packard Enterprise (HPE)
CVSS Score-6.6||MEDIUM
EPSS-0.04% / 11.38%
||
7 Day CHG~0.00%
Published-27 Feb, 2024 | 22:05
Updated-27 Mar, 2025 | 15:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability in the web-based management interface of ClearPass Policy Manager could allow an authenticated remote attacker to conduct a stored cross-site scripting (XSS) attack against an administrative user of the interface. A successful exploit allows an attacker to execute arbitrary script code in a victim's browser in the context of the affected interface.

Action-Not Available
Vendor-Hewlett Packard Enterprise (HPE)Aruba Networks
Product-clearpass_policy_managerAruba ClearPass Policy Manager
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-11999
Matching Score-6
Assigner-Hewlett Packard Enterprise (HPE)
ShareView Details
Matching Score-6
Assigner-Hewlett Packard Enterprise (HPE)
CVSS Score-6.9||MEDIUM
EPSS-0.26% / 49.13%
||
7 Day CHG~0.00%
Published-16 Apr, 2020 | 18:48
Updated-04 Aug, 2024 | 23:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Potential security vulnerabilities have been identified in HPE OpenCall Media Platform (OCMP) resulting in remote arbitrary file download and cross site scripting. HPE has made the following updates available to resolve the vulnerability in the impacted versions of OCMP. * For OCMP version 4.4.X - please upgrade to OCMP 4.4.8 and then install RP806 * For OCMP 4.5.x please contact HPE Technical Support to obtain the necessary software updates.

Action-Not Available
Vendor-n/aHewlett Packard Enterprise (HPE)
Product-opencall_media_platformHPE OC Media Platform (OCMP)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2016-4400
Matching Score-6
Assigner-Hewlett Packard Enterprise (HPE)
ShareView Details
Matching Score-6
Assigner-Hewlett Packard Enterprise (HPE)
CVSS Score-5.4||MEDIUM
EPSS-0.31% / 53.47%
||
7 Day CHG-0.05%
Published-06 Aug, 2018 | 20:00
Updated-06 Aug, 2024 | 00:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A security vulnerability was identified in HP Network Node Manager i (NNMi) Software 10.00, 10.01 (patch1), 10.01 (patch 2), 10.10. The vulnerability could result in cross-site scripting (XSS).

Action-Not Available
Vendor-HP Inc.Hewlett Packard Enterprise (HPE)
Product-network_node_manager_iHP Network Node Manager (NNMi)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2016-4399
Matching Score-6
Assigner-Hewlett Packard Enterprise (HPE)
ShareView Details
Matching Score-6
Assigner-Hewlett Packard Enterprise (HPE)
CVSS Score-5.4||MEDIUM
EPSS-0.27% / 50.34%
||
7 Day CHG-0.04%
Published-06 Aug, 2018 | 20:00
Updated-06 Aug, 2024 | 00:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A security vulnerability was identified in HP Network Node Manager i (NNMi) Software 10.00, 10.01 (patch1), 10.01 (patch 2), 10.10. The vulnerability could result in cross-site scripting (XSS).

Action-Not Available
Vendor-HP Inc.Hewlett Packard Enterprise (HPE)
Product-network_node_manager_iHP Network Node Manager (NNMi)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2016-4406
Matching Score-6
Assigner-Hewlett Packard Enterprise (HPE)
ShareView Details
Matching Score-6
Assigner-Hewlett Packard Enterprise (HPE)
CVSS Score-6.1||MEDIUM
EPSS-0.53% / 66.45%
||
7 Day CHG-0.08%
Published-06 Aug, 2018 | 20:00
Updated-06 Aug, 2024 | 00:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A remote cross site scripting vulnerability was identified in HPE iLO 3 all version prior to v1.88 and HPE iLO 4 all versions prior to v2.44.

Action-Not Available
Vendor-HP Inc.Hewlett Packard Enterprise (HPE)
Product-integrated_lights-out_3_firmwareintegrated_lights-out_4_firmwareintegrated_lights-outHP Integrated Lights-Out 3 (iLO 3), HPE Integrated Lights-Out 4 (iLO 4)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2016-4392
Matching Score-6
Assigner-Hewlett Packard Enterprise (HPE)
ShareView Details
Matching Score-6
Assigner-Hewlett Packard Enterprise (HPE)
CVSS Score-5.4||MEDIUM
EPSS-0.27% / 50.34%
||
7 Day CHG-0.04%
Published-06 Aug, 2018 | 20:00
Updated-06 Aug, 2024 | 00:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A remote cross site scripting vulnerability has been identified in HP Business Service Management software v9.1x, v9.20 - v9.25IP1.

Action-Not Available
Vendor-HP Inc.Hewlett Packard Enterprise (HPE)
Product-business_service_managementHP Business Service Manager
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-43524
Matching Score-6
Assigner-Hewlett Packard Enterprise (HPE)
ShareView Details
Matching Score-6
Assigner-Hewlett Packard Enterprise (HPE)
CVSS Score-8.7||HIGH
EPSS-0.26% / 49.44%
||
7 Day CHG~0.00%
Published-03 Jan, 2023 | 19:18
Updated-10 Apr, 2025 | 16:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability in the web-based management interface of Aruba EdgeConnect Enterprise Orchestrator could allow an authenticated remote attacker to conduct a stored cross-site scripting (XSS) attack against an administrative user of the interface. A successful exploit allows an attacker to execute arbitrary script code in a victim's browser in the context of the affected interface in Aruba EdgeConnect Enterprise Orchestration Software version(s): Aruba EdgeConnect Enterprise Orchestrator (on-premises), Aruba EdgeConnect Enterprise Orchestrator-as-a-Service, Aruba EdgeConnect Enterprise Orchestrator-SP and Aruba EdgeConnect Enterprise Orchestrator Global Enterprise Tenant Orchestrators - Orchestrator 9.2.1.40179 and below, - Orchestrator 9.1.4.40436 and below, - Orchestrator 9.0.7.40110 and below, - Orchestrator 8.10.23.40015 and below, - Any older branches of Orchestrator not specifically mentioned.

Action-Not Available
Vendor-Hewlett Packard Enterprise (HPE)Aruba Networks
Product-aruba_edgeconnect_enterprise_orchestratorAruba EdgeConnect Enterprise Orchestration Software
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-37926
Matching Score-6
Assigner-Hewlett Packard Enterprise (HPE)
ShareView Details
Matching Score-6
Assigner-Hewlett Packard Enterprise (HPE)
CVSS Score-5.5||MEDIUM
EPSS-0.10% / 28.42%
||
7 Day CHG+0.02%
Published-30 Nov, 2022 | 19:24
Updated-24 Apr, 2025 | 19:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability within the web-based management interface of EdgeConnect Enterprise could allow a remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the interface by uploading a specially crafted file. A successful exploit could allow an attacker to execute arbitrary script code in a victim's browser in the context of the affected interface in Aruba EdgeConnect Enterprise Software version(s): ECOS 9.2.1.0 and below; ECOS 9.1.3.0 and below; ECOS 9.0.7.0 and below; ECOS 8.3.7.1 and below.

Action-Not Available
Vendor-Hewlett Packard Enterprise (HPE)Aruba Networks
Product-edgeconnect_enterpriseAruba EdgeConnect Enterprise Software
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-43532
Matching Score-6
Assigner-Hewlett Packard Enterprise (HPE)
ShareView Details
Matching Score-6
Assigner-Hewlett Packard Enterprise (HPE)
CVSS Score-8||HIGH
EPSS-0.11% / 29.84%
||
7 Day CHG~0.00%
Published-03 Jan, 2023 | 19:55
Updated-10 Apr, 2025 | 16:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability in the web-based management interface of ClearPass Policy Manager could allow an authenticated remote attacker to conduct a stored cross-site scripting (XSS) attack against an administrative user of the interface. A successful exploit allows an attacker to execute arbitrary script code in a victim's browser in the context of the affected interface in Aruba ClearPass Policy Manager version(s): ClearPass Policy Manager 6.10.x: 6.10.7 and below and ClearPass Policy Manager 6.9.x: 6.9.12 and below.

Action-Not Available
Vendor-Hewlett Packard Enterprise (HPE)Aruba Networks
Product-clearpass_policy_managerAruba ClearPass Policy Manager
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2015-9281
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.30% / 52.90%
||
7 Day CHG~0.00%
Published-17 Jan, 2019 | 01:00
Updated-06 Aug, 2024 | 08:43
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Logon Manager in SAS Web Infrastructure Platform before 9.4M3 allows reflected XSS on the Timeout page.

Action-Not Available
Vendor-sasn/aHewlett Packard Enterprise (HPE)Oracle CorporationMicrosoft CorporationIBM CorporationLinux Kernel Organization, Inc
Product-hp-ux_ipfiltersolarislinux_kernelwindowsaixweb_infrastructure_platformn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-28624
Matching Score-6
Assigner-Hewlett Packard Enterprise (HPE)
ShareView Details
Matching Score-6
Assigner-Hewlett Packard Enterprise (HPE)
CVSS Score-4.8||MEDIUM
EPSS-0.46% / 62.93%
||
7 Day CHG~0.00%
Published-08 Jul, 2022 | 12:36
Updated-03 Aug, 2024 | 05:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A potential security vulnerability has been identified in certain HPE FlexNetwork and FlexFabric switch products. The vulnerability could be remotely exploited to allow cross site scripting (XSS). HPE has made the following software updates to resolve the vulnerability. HPE FlexNetwork 5130EL_7.10.R3507P02 and HPE FlexFabric 5945_7.10.R6635.

Action-Not Available
Vendor-n/aHewlett Packard Enterprise (HPE)
Product-flexfabric_5945_firmwareflexnetwork_5130_eiflexfabric_5945flexnetwork_5130_ei_firmwareHPE FlexNetwork 5130 EI Switch Series; HPE FlexFabric 5945 Switch Series
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2015-1389
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-9.55% / 92.54%
||
7 Day CHG~0.00%
Published-28 May, 2015 | 14:00
Updated-12 Apr, 2025 | 10:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in Aruba Networks ClearPass Policy Manager (CPPM) before 6.4.5 allows remote attackers to inject arbitrary web script or HTML via the username parameter to tips/tipsLoginSubmit.action.

Action-Not Available
Vendor-n/aAruba Networks
Product-clearpass_policy_managern/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2014-6620
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.26% / 49.43%
||
7 Day CHG~0.00%
Published-07 Nov, 2014 | 19:00
Updated-12 Apr, 2025 | 10:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in Aruba Networks ClearPass before 6.3.6 and 6.4.x before 6.4.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Action-Not Available
Vendor-n/aAruba Networks
Product-clearpassn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2014-6623
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.30% / 53.03%
||
7 Day CHG~0.00%
Published-07 Nov, 2014 | 19:00
Updated-12 Apr, 2025 | 10:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site request forgery (CSRF) vulnerability in the Insight module in Aruba Networks ClearPass before 6.3.6 and 6.4.x before 6.4.1 allows remote attackers to hijack the authentication of a logged in user via unspecified vectors.

Action-Not Available
Vendor-n/aAruba Networks
Product-clearpassn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-23675
Matching Score-6
Assigner-Hewlett Packard Enterprise (HPE)
ShareView Details
Matching Score-6
Assigner-Hewlett Packard Enterprise (HPE)
CVSS Score-4.8||MEDIUM
EPSS-0.28% / 51.28%
||
7 Day CHG~0.00%
Published-17 May, 2022 | 17:58
Updated-03 Aug, 2024 | 03:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A remote authenticated stored cross-site scripting (xss) vulnerability was discovered in Aruba ClearPass Policy Manager version(s): 6.10.4 and below, 6.9.9 and below, 6.8.9-HF2 and below, 6.7.x and below. Aruba has released updates to ClearPass Policy Manager that address this security vulnerability.

Action-Not Available
Vendor-n/aAruba Networks
Product-clearpass_policy_managerAruba ClearPass Policy Manager
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-23674
Matching Score-6
Assigner-Hewlett Packard Enterprise (HPE)
ShareView Details
Matching Score-6
Assigner-Hewlett Packard Enterprise (HPE)
CVSS Score-5.4||MEDIUM
EPSS-0.26% / 48.70%
||
7 Day CHG~0.00%
Published-17 May, 2022 | 18:05
Updated-03 Aug, 2024 | 03:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A remote authenticated stored cross-site scripting (xss) vulnerability was discovered in Aruba ClearPass Policy Manager version(s): 6.10.4 and below, 6.9.9 and below, 6.8.9-HF2 and below, 6.7.x and below. Aruba has released updates to ClearPass Policy Manager that address this security vulnerability.

Action-Not Available
Vendor-n/aAruba Networks
Product-clearpass_policy_managerAruba ClearPass Policy Manager
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-23056
Matching Score-6
Assigner-Hewlett Packard Enterprise (HPE)
ShareView Details
Matching Score-6
Assigner-Hewlett Packard Enterprise (HPE)
CVSS Score-5.5||MEDIUM
EPSS-0.03% / 7.49%
||
7 Day CHG~0.00%
Published-28 Jan, 2025 | 17:11
Updated-28 Mar, 2025 | 19:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Authenticated Stored Cross-Site Scripting (XSS) Vulnerability in HPE Aruba Networking Fabric Composer Web Management Interface

A vulnerability in the web management interface of HPE Aruba Networking Fabric Composer could allow an authenticated remote attacker to conduct a stored cross-site scripting (XSS) attack. If successfully exploited, a threat actor could run arbitrary script code in a victim's web browser within the context of the compromised interface.

Action-Not Available
Vendor-Hewlett Packard Enterprise (HPE)Aruba Networks
Product-fabric_composerHPE Aruba Networking Fabric Composer (AFC)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-24627
Matching Score-6
Assigner-Hewlett Packard Enterprise (HPE)
ShareView Details
Matching Score-6
Assigner-Hewlett Packard Enterprise (HPE)
CVSS Score-5.4||MEDIUM
EPSS-0.34% / 56.19%
||
7 Day CHG~0.00%
Published-02 Oct, 2020 | 18:50
Updated-04 Aug, 2024 | 15:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A remote stored xss vulnerability was discovered in HPE KVM IP Console Switches version(s): G2 4x1Ex32 Prior to 2.8.3.

Action-Not Available
Vendor-n/aHewlett Packard Enterprise (HPE)
Product-kvm_ip_console_switch_g2_firmwarekvm_ip_console_switch_g2HPE KVM IP Console Switches
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-23057
Matching Score-6
Assigner-Hewlett Packard Enterprise (HPE)
ShareView Details
Matching Score-6
Assigner-Hewlett Packard Enterprise (HPE)
CVSS Score-5.5||MEDIUM
EPSS-0.03% / 7.49%
||
7 Day CHG~0.00%
Published-28 Jan, 2025 | 17:12
Updated-28 Mar, 2025 | 19:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Authenticated Stored Cross-Site Scripting (XSS) Vulnerability in HPE Aruba Networking Fabric Composer Web Management Interface

A vulnerability in the web management interface of HPE Aruba Networking Fabric Composer could allow an authenticated remote attacker to conduct a stored cross-site scripting (XSS) attack. If successfully exploited, a threat actor could run arbitrary script code in a victim's web browser within the context of the compromised interface.

Action-Not Available
Vendor-Hewlett Packard Enterprise (HPE)Aruba Networks
Product-fabric_composerHPE Aruba Networking Fabric Composer (AFC)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2017-9002
Matching Score-6
Assigner-Hewlett Packard Enterprise (HPE)
ShareView Details
Matching Score-6
Assigner-Hewlett Packard Enterprise (HPE)
CVSS Score-6.1||MEDIUM
EPSS-0.45% / 62.87%
||
7 Day CHG~0.00%
Published-06 Aug, 2018 | 20:00
Updated-05 Aug, 2024 | 16:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

All versions of Aruba ClearPass prior to 6.6.8 contain reflected cross-site scripting vulnerabilities. By exploiting this vulnerability, an attacker who can trick a logged-in ClearPass administrative user into clicking a link could obtain sensitive information, such as session cookies or passwords. The vulnerability requires that an administrative users click on the malicious link while currently logged into ClearPass in the same browser.

Action-Not Available
Vendor-HP Inc.Hewlett Packard Enterprise (HPE)
Product-aruba_clearpass_policy_managerAruba ClearPass
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2017-5798
Matching Score-6
Assigner-Hewlett Packard Enterprise (HPE)
ShareView Details
Matching Score-6
Assigner-Hewlett Packard Enterprise (HPE)
CVSS Score-6.1||MEDIUM
EPSS-5.88% / 90.23%
||
7 Day CHG~0.00%
Published-15 Feb, 2018 | 22:00
Updated-16 Sep, 2024 | 22:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A Remote Code Execution vulnerability in HPE OpenCall Media Platform (OCMP) was found. The vulnerability impacts OCMP versions prior to 3.4.2 RP201 (for OCMP 3.x), all versions prior to 4.4.7 RP702 (for OCMP 4.x).

Action-Not Available
Vendor-HP Inc.Hewlett Packard Enterprise (HPE)
Product-opencall_media_platformOpenCall Media Platform (OCMP)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-23055
Matching Score-6
Assigner-Hewlett Packard Enterprise (HPE)
ShareView Details
Matching Score-6
Assigner-Hewlett Packard Enterprise (HPE)
CVSS Score-5.5||MEDIUM
EPSS-0.03% / 7.49%
||
7 Day CHG~0.00%
Published-28 Jan, 2025 | 17:11
Updated-28 Mar, 2025 | 19:00
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Authenticated Stored Cross-Site Scripting (XSS) Vulnerability in HPE Aruba Networking Fabric Composer Web Management Interface

A vulnerability in the web management interface of HPE Aruba Networking Fabric Composer could allow an authenticated remote attacker to conduct a stored cross-site scripting (XSS) attack. If successfully exploited, a threat actor could run arbitrary script code in a victim's web browser within the context of the compromised interface.

Action-Not Available
Vendor-Hewlett Packard Enterprise (HPE)Aruba Networks
Product-fabric_composerHPE Aruba Networking Fabric Composer (AFC)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-37422
Matching Score-6
Assigner-Hewlett Packard Enterprise (HPE)
ShareView Details
Matching Score-6
Assigner-Hewlett Packard Enterprise (HPE)
CVSS Score-8.1||HIGH
EPSS-0.12% / 31.05%
||
7 Day CHG~0.00%
Published-22 Aug, 2023 | 17:57
Updated-03 Oct, 2024 | 15:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Authenticated Stored Cross-Site Scripting Vulnerabilities (XSS) in EdgeConnect SD-WAN Orchestrator Web Administration Interface

Vulnerabilities in the web-based management interface of EdgeConnect SD-WAN Orchestrator could allow an authenticated remote attacker to conduct a stored cross-site scripting (XSS) attack against an administrative user of the interface. A successful exploit allows an attacker to execute arbitrary script code in a victim's browser in the context of the affected interface.

Action-Not Available
Vendor-Aruba NetworksHewlett Packard Enterprise (HPE)
Product-edgeconnect_sd-wan_orchestratorEdgeConnect SD-WAN Orchestrator
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-37421
Matching Score-6
Assigner-Hewlett Packard Enterprise (HPE)
ShareView Details
Matching Score-6
Assigner-Hewlett Packard Enterprise (HPE)
CVSS Score-8.1||HIGH
EPSS-0.12% / 31.05%
||
7 Day CHG~0.00%
Published-22 Aug, 2023 | 17:57
Updated-03 Oct, 2024 | 20:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Authenticated Stored Cross-Site Scripting Vulnerabilities (XSS) in EdgeConnect SD-WAN Orchestrator Web Administration Interface

Vulnerabilities in the web-based management interface of EdgeConnect SD-WAN Orchestrator could allow an authenticated remote attacker to conduct a stored cross-site scripting (XSS) attack against an administrative user of the interface. A successful exploit allows an attacker to execute arbitrary script code in a victim's browser in the context of the affected interface.

Action-Not Available
Vendor-Aruba NetworksHewlett Packard Enterprise (HPE)
Product-edgeconnect_sd-wan_orchestratorEdgeConnect SD-WAN Orchestrator
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2015-4132
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-3.5||LOW
EPSS-0.28% / 51.32%
||
7 Day CHG~0.00%
Published-28 May, 2015 | 14:00
Updated-12 Apr, 2025 | 10:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Multiple cross-site scripting (XSS) vulnerabilities in Aruba Networks ClearPass Policy Manager (CPPM) before 6.4.5 allow remote administrators to inject arbitrary web script or HTML via unspecified vectors.

Action-Not Available
Vendor-n/aAruba Networks
Product-clearpass_policy_managern/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-37892
Matching Score-6
Assigner-Hewlett Packard Enterprise (HPE)
ShareView Details
Matching Score-6
Assigner-Hewlett Packard Enterprise (HPE)
CVSS Score-5.4||MEDIUM
EPSS-0.45% / 62.51%
||
7 Day CHG~0.00%
Published-07 Oct, 2022 | 00:00
Updated-03 Aug, 2024 | 10:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability in the Aruba InstantOS and ArubaOS 10 web management interface could allow an unauthenticated remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the interface. A successful exploit could allow an attacker to execute arbitrary script code in a victim’s browser in the context of the affected interface of Aruba InstantOS 6.4.x: 6.4.4.8-4.2.4.20 and below; Aruba InstantOS 6.5.x: 6.5.4.23 and below; Aruba InstantOS 8.6.x: 8.6.0.18 and below; Aruba InstantOS 8.7.x: 8.7.1.9 and below; Aruba InstantOS 8.10.x: 8.10.0.1 and below; ArubaOS 10.3.x: 10.3.1.0 and below; Aruba has released upgrades for Aruba InnstantOS that address this security vulnerability.

Action-Not Available
Vendor-n/aSiemens AGAruba Networks
Product-arubaosscalance_w1750d_firmwareinstantscalance_w1750dAruba Access Points: 100 Series; 103 Series; 110 Series; 120 Series; 130 Series; 200 Series; 207 Series; 210 Series; 220 Series; 260 Series; 300 Series; 303 Series; 310 Series; 318 Series Hardened Access Points; 320 Series; 330 Series; 340 Series; 370 Series; 500 Series; 510 Series; 530 Series; 550 Series; 630 Series; 650 Series;
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-51773
Matching Score-6
Assigner-Hewlett Packard Enterprise (HPE)
ShareView Details
Matching Score-6
Assigner-Hewlett Packard Enterprise (HPE)
CVSS Score-4.8||MEDIUM
EPSS-0.08% / 23.63%
||
7 Day CHG~0.00%
Published-03 Dec, 2024 | 20:11
Updated-07 Apr, 2025 | 15:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Authenticated Stored Cross-Site Scripting (XSS) in HPE Aruba Networking ClearPass Policy Manager Web-based Management Interface

A vulnerability in the HPE Aruba Networking ClearPass Policy Manager web-based management interface could allow an authenticated remote Attacker to conduct a stored cross-site scripting (XSS) attack. Successful exploitation could enable a threat actor to perform any actions the user is authorized to do, including accessing the user's data and altering information within the user's permissions. This could lead to data modification, deletion, or theft, including unauthorized access to files, file deletion, or the theft of session cookies, which an attacker could use to hijack a user's session.

Action-Not Available
Vendor-Hewlett Packard Enterprise (HPE)Aruba Networks
Product-clearpass_policy_managerHPE Aruba Networking ClearPass Policy Manager
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-37715
Matching Score-6
Assigner-Hewlett Packard Enterprise (HPE)
ShareView Details
Matching Score-6
Assigner-Hewlett Packard Enterprise (HPE)
CVSS Score-4.8||MEDIUM
EPSS-0.41% / 60.54%
||
7 Day CHG~0.00%
Published-26 Aug, 2021 | 19:40
Updated-04 Aug, 2024 | 01:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A remote cross-site scripting (XSS) vulnerability was discovered in Aruba AirWave Management Platform version(s): Prior to 8.2.13.0. Aruba has released upgrades for the Aruba AirWave Management Platform that address this security vulnerability.

Action-Not Available
Vendor-n/aAruba Networks
Product-airwaveAruba AirWave Management Platform
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-29146
Matching Score-6
Assigner-Hewlett Packard Enterprise (HPE)
ShareView Details
Matching Score-6
Assigner-Hewlett Packard Enterprise (HPE)
CVSS Score-5.4||MEDIUM
EPSS-0.30% / 53.02%
||
7 Day CHG~0.00%
Published-29 Apr, 2021 | 11:21
Updated-03 Aug, 2024 | 22:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A remote cross-site scripting (XSS) vulnerability was discovered in Aruba ClearPass Policy Manager version(s) prior to 6.9.5, 6.8.9, 6.7.14-HF1. Aruba has released patches for Aruba ClearPass Policy Manager that address this security vulnerability.

Action-Not Available
Vendor-n/aAruba Networks
Product-clearpassAruba ClearPass Policy Manager
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-26968
Matching Score-6
Assigner-Hewlett Packard Enterprise (HPE)
ShareView Details
Matching Score-6
Assigner-Hewlett Packard Enterprise (HPE)
CVSS Score-4.8||MEDIUM
EPSS-0.21% / 43.61%
||
7 Day CHG~0.00%
Published-05 Mar, 2021 | 16:35
Updated-03 Aug, 2024 | 20:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A remote authenticated stored cross-site scripting (xss) vulnerability was discovered in Aruba AirWave Management Platform version(s): Prior to 8.2.12.0. A vulnerability in the web-based management interface of AirWave could allow an authenticated remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the interface. A successful exploit could allow an attacker to execute arbitrary script code in a victim’s browser in the context of the affected interface.

Action-Not Available
Vendor-n/aAruba Networks
Product-airwaveAruba AirWave Management Platform
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2017-5800
Matching Score-6
Assigner-Hewlett Packard Enterprise (HPE)
ShareView Details
Matching Score-6
Assigner-Hewlett Packard Enterprise (HPE)
CVSS Score-5.4||MEDIUM
EPSS-0.24% / 46.41%
||
7 Day CHG~0.00%
Published-15 Feb, 2018 | 22:00
Updated-17 Sep, 2024 | 00:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A Remote Cross-Site Scripting (XSS) vulnerability in HPE Operations Bridge Analytics version v3.0 was found.

Action-Not Available
Vendor-HP Inc.Hewlett Packard Enterprise (HPE)
Product-operations_bridge_analyticsOperations Bridge Analytics
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-5809
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-6.1||MEDIUM
EPSS-0.08% / 23.46%
||
7 Day CHG~0.00%
Published-30 Jul, 2024 | 06:00
Updated-28 May, 2025 | 00:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WP Ajax Contact Form <= 2.2.2 - Reflected Cross-Site Scripting

The WP Ajax Contact Form WordPress plugin through 2.2.2 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against admin users

Action-Not Available
Vendor-masdiblogsUnknownwp_ajax_contact_form
Product-wp_ajax_contact_formWP Ajax Contact Formwp_ajax_contact_form_wordpress
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-45815
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.24% / 47.16%
||
7 Day CHG~0.00%
Published-30 Dec, 2021 | 12:53
Updated-04 Aug, 2024 | 04:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Quectel UC20 UMTS/HSPA+ UC20 6.3.14 is affected by a Cross Site Scripting (XSS) vulnerability.

Action-Not Available
Vendor-quecteln/a
Product-uc20_firmwareuc20n/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-7400
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-7.38% / 91.34%
||
7 Day CHG~0.00%
Published-05 Feb, 2019 | 05:00
Updated-04 Aug, 2024 | 20:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Rukovoditel before 2.4.1 allows XSS.

Action-Not Available
Vendor-rukovoditeln/a
Product-rukovoditeln/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-5737
Matching Score-4
Assigner-CERT.PL
ShareView Details
Matching Score-4
Assigner-CERT.PL
CVSS Score-6.3||MEDIUM
EPSS-12.48% / 93.66%
||
7 Day CHG~0.00%
Published-28 Jun, 2024 | 11:29
Updated-01 Aug, 2024 | 21:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
HTML Injection in AdmirorFrames Joomla! Extension

Script afGdStream.php in AdmirorFrames Joomla! extension doesn’t specify a content type and as a result default (text/html) is used. An attacker may embed HTML tags directly in image data which is rendered by a webpage as HTML. This issue affects AdmirorFrames: before 5.0.

Action-Not Available
Vendor-admiror-design-studioNikola Vasilijevskiadmiror-design-studio
Product-admirorframesAdmirorFramesadmiror_frames
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2017-8758
Matching Score-4
Assigner-Microsoft Corporation
ShareView Details
Matching Score-4
Assigner-Microsoft Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.79% / 72.94%
||
7 Day CHG~0.00%
Published-13 Sep, 2017 | 01:00
Updated-20 Apr, 2025 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Microsoft Exchange Server 2016 allows an elevation of privilege vulnerability when Microsoft Exchange Outlook Web Access (OWA) fails to properly handle web requests, aka "Microsoft Exchange Cross-Site Scripting Vulnerability."

Action-Not Available
Vendor-Microsoft Corporation
Product-exchange_serverMicrosoft Exchange Server 2016
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2011-2706
Matching Score-4
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-4
Assigner-Red Hat, Inc.
CVSS Score-6.1||MEDIUM
EPSS-0.23% / 45.23%
||
7 Day CHG~0.00%
Published-14 Jan, 2020 | 20:58
Updated-06 Aug, 2024 | 23:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A Cross-Site Scripting (XSS) vulnerability exists in the reorder administrator functions in sNews 1.71.

Action-Not Available
Vendor-snewscmssNews
Product-snewssNews
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-57423
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.07% / 22.49%
||
7 Day CHG~0.00%
Published-26 Feb, 2025 | 00:00
Updated-07 Apr, 2025 | 18:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A Cross Site Scripting vulnerability in CloudClassroom-PHP Project v1.0 allows a remote attacker to execute arbitrary code via the exid parameter of the assessment function.

Action-Not Available
Vendor-vishalmathurn/a
Product-cloudclassroom-php_projectn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-57427
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.12% / 31.96%
||
7 Day CHG~0.00%
Published-06 Feb, 2025 | 00:00
Updated-24 Jun, 2025 | 00:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

PHPJabbers Cinema Booking System v2.0 is vulnerable to reflected cross-site scripting (XSS). Multiple endpoints improperly handle user input, allowing malicious scripts to execute in a victim’s browser. Attackers can craft malicious links to steal session cookies or conduct phishing attacks.

Action-Not Available
Vendor-n/aPHPJabbers Ltd.
Product-cinema_booking_systemn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-46448
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.18% / 40.04%
||
7 Day CHG~0.00%
Published-01 Nov, 2023 | 00:00
Updated-12 Sep, 2024 | 19:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Reflected Cross-Site Scripting (XSS) vulnerability in dmpop Mejiro Commit Versions Prior To 3096393 allows attackers to run arbitrary code via crafted string in metadata of uploaded images.

Action-Not Available
Vendor-dmpopn/a
Product-mejiron/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-57026
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.05% / 14.69%
||
7 Day CHG~0.00%
Published-24 Feb, 2025 | 00:00
Updated-03 Mar, 2025 | 20:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

TawkTo Widget Version <= 1.3.7 is vulnerable to Cross Site Scripting (XSS) due to processing user input in a way that allows JavaScript execution.

Action-Not Available
Vendor-tawkn/a
Product-tawk.ton/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-47164
Matching Score-4
Assigner-JPCERT/CC
ShareView Details
Matching Score-4
Assigner-JPCERT/CC
CVSS Score-6.1||MEDIUM
EPSS-0.27% / 49.83%
||
7 Day CHG~0.00%
Published-10 Nov, 2023 | 08:59
Updated-03 Sep, 2024 | 17:39
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting vulnerability in HOTELDRUID 3.0.5 and earlier allows a remote unauthenticated attacker to execute an arbitrary script on the web browser of the user who is logging in to the product.

Action-Not Available
Vendor-digitaldruidDigitalDruid.Net
Product-hoteldruidHOTELDRUID
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-46491
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.09% / 26.49%
||
7 Day CHG~0.00%
Published-26 Oct, 2023 | 00:00
Updated-12 Sep, 2024 | 20:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

ZenTao Biz version 4.1.3 and before has a Cross Site Scripting (XSS) vulnerability in the Version Library.

Action-Not Available
Vendor-zentaon/a
Product-bizn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-5711
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-8.1||HIGH
EPSS-0.19% / 40.78%
||
7 Day CHG-0.07%
Published-08 Jul, 2024 | 00:00
Updated-01 Aug, 2024 | 21:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Stored XSS in stitionai/devika

A stored Cross-Site Scripting (XSS) vulnerability exists in the stitionai/devika chat feature, allowing attackers to inject malicious payloads into the chat input. This vulnerability is due to the lack of input validation and sanitization on both the frontend and backend components of the application. Specifically, the application fails to sanitize user input in the chat feature, leading to the execution of arbitrary JavaScript code in the context of the user's browser session. This issue affects all versions of the application. The impact of this vulnerability includes the potential for stolen credentials, extraction of sensitive information from chat logs, projects, and other data accessible through the application.

Action-Not Available
Vendor-stitionaistitionaistitionai
Product-devikastitionai/devikadevika
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2013-5212
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.30% / 52.55%
||
7 Day CHG~0.00%
Published-13 Feb, 2020 | 23:06
Updated-06 Aug, 2024 | 17:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site Scripting (XSS) in EasyXDM before 2.4.18 allows remote attackers to inject arbitrary web script or html via the easyxdm.swf file.

Action-Not Available
Vendor-easyxdmn/a
Product-easyxdmn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-57370
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.02% / 2.84%
||
7 Day CHG~0.00%
Published-17 Jan, 2025 | 00:00
Updated-23 Jan, 2025 | 21:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross Site Scripting vulnerability in sunnygkp10 Online Exam System master version allows a remote attacker to obtain sensitive information via the w parameter.

Action-Not Available
Vendor-n/a
Product-n/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  • Previous
  • 1
  • 2
  • 3
  • 4
  • ...
  • 181
  • 182
  • Next
Details not found