ID

VAR-201906-0679


CVE

CVE-2019-11982


TITLE

HPE Integrated Lights-Out 4 and Integrated Lights-Out 5 vulnerable to cross-site scripting

Trust: 0.8

sources: JVNDB: JVNDB-2019-005303

DESCRIPTION

A remote cross-site scripting vulnerability was identified in HPE Integrated Lights-Out 4 (iLO 4) earlier than v2.61b for Gen9 servers and Integrated Lights-Out 5 (iLO 5) for Gen10 servers earlier than version v1.39. HP Integrated Lights-Out is prone to the following security vulnerabilities: 1. A buffer-overflow vulnerability 2. Multiple unspecified cross-site scripting vulnerabilities. An attacker can exploit these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks, or to execute arbitrary code in the context of the user running the affected application. Failed exploit attempts will likely result in denial-of-service conditions. HPE Integrated Lights-Out is a set of remote control solutions from Hewlett Packard Enterprise (HPE). This solution enables remote monitoring, operation and maintenance of IT assets such as servers. The vulnerability stems from the lack of correct validation of client data in web applications. An attacker could exploit this vulnerability to execute client code.

Trust: 1.98

sources: NVD: CVE-2019-11982 // JVNDB: JVNDB-2019-005303 // BID: 108832 // VULHUB: VHN-143683

AFFECTED PRODUCTS

vendor: hp // model: integrated lights-out 5 // scope: lte // version: 1.39

Trust: 1.0

vendor: hp // model: integrated lights-out 4 // scope: lte // version: 2.61b

Trust: 1.0

vendor: hewlett packard // model: hpe integrated lights-out 4 // scope: - // version: -

Trust: 0.8

vendor: hewlett packard // model: hpe integrated lights-out 5 // scope: - // version: -

Trust: 0.8

vendor: hp // model: integrated lights-out // scope: eq // version: 51.40

Trust: 0.3

vendor: hp // model: integrated lights-out // scope: eq // version: 51.39

Trust: 0.3

vendor: hp // model: integrated lights-out // scope: eq // version: 51.35

Trust: 0.3

vendor: hp // model: integrated lights-out // scope: eq // version: 51.30

Trust: 0.3

vendor: hp // model: integrated lights-out // scope: eq // version: 51.11

Trust: 0.3

vendor: hp // model: integrated lights-out // scope: eq // version: 50

Trust: 0.3

vendor: hp // model: integrated lights-out 2.61b // scope: eq // version: 4

Trust: 0.3

vendor: hp // model: integrated lights-out // scope: eq // version: 42.61

Trust: 0.3

vendor: hp // model: integrated lights-out // scope: eq // version: 42.60

Trust: 0.3

vendor: hp // model: integrated lights-out // scope: eq // version: 42.53

Trust: 0.3

vendor: hp // model: integrated lights-out // scope: eq // version: 42.50

Trust: 0.3

vendor: hp // model: integrated lights-out // scope: eq // version: 42.44

Trust: 0.3

vendor: hp // model: integrated lights-out // scope: eq // version: 42.22

Trust: 0.3

vendor: hp // model: integrated lights-out // scope: eq // version: 42.20

Trust: 0.3

vendor: hp // model: integrated lights-out // scope: eq // version: 42.03

Trust: 0.3

vendor: hp // model: integrated lights-out // scope: eq // version: 41.32

Trust: 0.3

vendor: hp // model: integrated lights-out // scope: eq // version: 41.30

Trust: 0.3

vendor: hp // model: integrated lights-out // scope: eq // version: 41.22

Trust: 0.3

vendor: hp // model: integrated lights-out // scope: eq // version: 41.13

Trust: 0.3

vendor: hp // model: integrated lights-out // scope: eq // version: 41.11

Trust: 0.3

vendor: hp // model: integrated lights-out // scope: eq // version: 42.10

Trust: 0.3

vendor: hp // model: integrated lights-out 1.40a // scope: ne // version: 5

Trust: 0.3

vendor: hp // model: integrated lights-out // scope: ne // version: 42.70

Trust: 0.3

sources: BID: 108832 // JVNDB: JVNDB-2019-005303 // NVD: CVE-2019-11982

CVSS

SEVERITY

nvd@nist.gov: CVE-2019-11982
value: HIGH

Trust: 1.0

NVD: CVE-2019-11982
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201906-179
value: HIGH

Trust: 0.6

VULHUB: VHN-143683
value: HIGH

Trust: 0.1

CVSSV2

nvd@nist.gov: CVE-2019-11982
severity: HIGH
baseScore: 7.6
vectorString: AV:N/AC:H/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: HIGH
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 4.9
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-143683
severity: HIGH
baseScore: 7.6
vectorString: AV:N/AC:H/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: HIGH
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 4.9
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

CVSSV3

nvd@nist.gov: CVE-2019-11982
baseSeverity: HIGH
baseScore: 8.3
vectorString: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: HIGH
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.6
impactScore: 6.0
version: 3.0

Trust: 1.8

sources: VULHUB: VHN-143683 // JVNDB: JVNDB-2019-005303 // CNNVD: CNNVD-201906-179 // NVD: CVE-2019-11982

PROBLEMTYPE DATA

problemtype:CWE-79

Trust: 1.9

sources: VULHUB: VHN-143683 // JVNDB: JVNDB-2019-005303 // NVD: CVE-2019-11982

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201906-179

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201906-179

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-005303

PATCH

title: hpesbhf03917en_us // url: https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03917en_us

Trust: 0.8

title: HPE Integrated Lights-Out Fixes for cross-site scripting vulnerabilities // url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=93270

Trust: 0.6

sources: JVNDB: JVNDB-2019-005303 // CNNVD: CNNVD-201906-179

EXTERNAL IDS

db: NVD // id: CVE-2019-11982

Trust: 2.8

db: JVNDB // id: JVNDB-2019-005303

Trust: 0.8

db: CNNVD // id: CNNVD-201906-179

Trust: 0.7

db: BID // id: 108832

Trust: 0.3

db: VULHUB // id: VHN-143683

Trust: 0.1

sources: VULHUB: VHN-143683 // BID: 108832 // JVNDB: JVNDB-2019-005303 // CNNVD: CNNVD-201906-179 // NVD: CVE-2019-11982

REFERENCES

url:https://support.hpe.com/hpsc/doc/public/display?doclocale=en_us&docid=emr_na-hpesbhf03917en_us

Trust: 1.9

url:https://nvd.nist.gov/vuln/detail/cve-2019-11982

Trust: 1.4

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-11982

Trust: 0.8

url:http://www.hp.com

Trust: 0.3

url:https://support.hpe.com/hpsc/doc/public/display?doclocale=en_us&docid=emr_na-hpesbhf03917en_us

Trust: 0.1

sources: VULHUB: VHN-143683 // BID: 108832 // JVNDB: JVNDB-2019-005303 // CNNVD: CNNVD-201906-179 // NVD: CVE-2019-11982

CREDITS

The vendor reported this issue.

Trust: 0.3

sources: BID: 108832

SOURCES

db: VULHUB // id: VHN-143683
db: BID // id: 108832
db: JVNDB // id: JVNDB-2019-005303
db: CNNVD // id: CNNVD-201906-179
db: NVD // id: CVE-2019-11982

LAST UPDATE DATE

2024-11-23T21:37:14.266000+00:00


SOURCES UPDATE DATE

db: VULHUB // id: VHN-143683 // date: 2019-06-07T00:00:00
db: BID // id: 108832 // date: 2019-05-17T00:00:00
db: JVNDB // id: JVNDB-2019-005303 // date: 2019-06-18T00:00:00
db: CNNVD // id: CNNVD-201906-179 // date: 2019-06-10T00:00:00
db: NVD // id: CVE-2019-11982 // date: 2024-11-21T04:22:06.240

SOURCES RELEASE DATE

db: VULHUB // id: VHN-143683 // date: 2019-06-05T00:00:00
db: BID // id: 108832 // date: 2019-05-17T00:00:00
db: JVNDB // id: JVNDB-2019-005303 // date: 2019-06-18T00:00:00
db: CNNVD // id: CNNVD-201906-179 // date: 2019-06-05T00:00:00
db: NVD // id: CVE-2019-11982 // date: 2019-06-05T17:29:00.227