HP Power Manager < 4.2.10 Multiple Vulnerabilities

Synopsis

The power management application installed on the remote host is vulnerable to multiple attack vectors.

Description

The installed version of HP Power Manager is earlier than 4.2.10. Such versions are potentially affected by the following vulnerabilities:

- Adequate bounds checking is not performed on the 'Login' parameter of the login page, which could lead to a buffer overflow. A remote unauthenticated attacker could exploit this to execute arbitrary code as SYSTEM. (CVE-2009-2685)

- Adequate bounds checking is not performed on the 'fileName' or 'LogType' parameter of 'formExportDataLogs', which could lead to a buffer overflow. A remote authenticated attacker could exploit this to execute arbitrary code as SYSTEM. (CVE-2009-3999)

- The 'filename' parameter of 'formExportDataLogs' has a directory traversal vulnerability. A remote authenticated attacker could exploit this to overwrite arbitrary files with almost arbitrary data. This could result in a denial of service, or arbitrary code execution as SYSTEM. (CVE-2009-4900)

Solution

Upgrade to HP Power Manager 4.2.10 or later.