HP Operations Orchestration 10.x < 10.22.001 XSRF

medium Nessus Plugin ID 87172

Synopsis

The remote host is affected by an unspecified cross-site request forgery vulnerability.

Description

The version of HP Operations Orchestration installed on the remote host is 10.x prior to 10.22.001. It is, therefore, affected by an unspecified cross-site request forgery (XSRF) vulnerability. A remote attacker can exploit this, by tricking an authenticated user into following a specially crafted link, to upload arbitrary code or hijack the user's authenticated session.

Note: Per the vendor advisory, if a version prior to 10.22 is installed and the 10.50 patch is applied, the CSRF protection setting is enabled automatically. If the 10.22 patch is installed, the CSRF protection setting must be enabled manually.

Solution

Upgrade to HP Operations Orchestration version 10.22.001 or later.
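The following is an added example, not code from the Nessus plugin or from HP, showing the version-gating logic this plugin applies: an install on the 10.x branch older than 10.22.001 is flagged, and for installs at 10.22 but below 10.22.001 the output carries the advisory's note that the CSRF protection setting must be enabled manually. It assumes versions are dotted numeric strings as the product reports them (for example "10.22", "10.22.001", "10.50") and treats missing trailing components as zero, so "10.22" sorts below "10.22.001". The hostnames and versions in the sample inventory are constructed for illustration.

```python
# Added example: version gate for HPSBGN03521 / CVE-2015-5451 (not plugin or vendor code).
# Assumption: versions are dotted numeric strings; shorter strings are zero-padded,
# so "10.22" == "10.22.000" < "10.22.001".
from typing import Dict, List

FIXED_VERSION = "10.22.001"      # first fixed release per the Solution section
AFFECTED_BRANCH = 10             # only the 10.x line is covered by this check
CSRF_SETTING_VERSION = "10.22"   # from 10.22 on the CSRF setting exists but must be enabled manually


def parse_version(ver: str) -> List[int]:
    """Split a dotted version into integer components; reject anything else."""
    parts = ver.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version string: {ver!r}")
    return [int(p) for p in parts]


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 (cmp-style); missing trailing components count as 0."""
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    pa += [0] * (width - len(pa))
    pb += [0] * (width - len(pb))
    return (pa > pb) - (pa < pb)


def is_affected(installed: str) -> bool:
    """True when the install is on the 10.x branch and older than the fixed version."""
    if parse_version(installed)[0] != AFFECTED_BRANCH:
        return False
    return compare_versions(installed, FIXED_VERSION) < 0


def assess(installed: str) -> Dict[str, object]:
    """Version verdict plus the remediation advice the advisory note implies."""
    affected = is_affected(installed)
    if not affected:
        advice = "not affected by version check"
    elif compare_versions(installed, CSRF_SETTING_VERSION) >= 0:
        # 10.22 <= v < 10.22.001: the 10.22 patch is present, so per the vendor note
        # the CSRF protection setting must be enabled manually until 10.22.001+ is applied.
        advice = ("upgrade to 10.22.001 or later; with the 10.22 patch the CSRF "
                  "protection setting must be enabled manually")
    else:
        advice = "upgrade to 10.22.001 or later"
    return {"version": installed, "affected": affected, "advice": advice}


def triage(inventory: Dict[str, str]) -> List[str]:
    """Return the hostnames whose installed version is affected, sorted."""
    return sorted(host for host, ver in inventory.items() if is_affected(ver))


# Constructed sample inventory: hostnames and versions are made up for illustration.
SAMPLE_INVENTORY = {
    "oo-central-01": "10.21",
    "oo-central-02": "10.22",
    "oo-central-03": "10.22.001",
    "oo-central-04": "10.50",
    "oo-legacy-01": "9.07",
}

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        verdict = assess(SAMPLE_INVENTORY[host])
        print(f"{host}: {verdict['version']} -> {verdict['advice']}")
```

Like the plugin itself (a remote check keyed on the detected installed_sw version), this is a version test only: it cannot see whether the CSRF protection setting has actually been enabled on a 10.22 install, which is why the advice still recommends moving to 10.22.001 or later.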

See Also

http://www.nessus.org/u?472e0985

http://www.nessus.org/u?bc8c05e2

Plugin Details

Severity: Medium

ID: 87172

File Name: hp_operations_orchestration_hpsbgn03521.nasl

Version: 1.10

Type: remote

Family: CGI abuses

Published: 12/2/2015

Updated: 1/19/2021

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5.6

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

Vulnerability Information

CPE: cpe:/a:hp:operations_orchestration

Required KB Items: installed_sw/HP Operations Orchestration

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 11/18/2015

Vulnerability Publication Date: 11/18/2015

Reference Information

CVE: CVE-2015-5451

BID: 77632

HP: HPSBGN03521, SSRT102923, emr_na-c04894110