CVE-2009-3843

critical

Description

HP Operations Manager 8.10 on Windows contains a "hidden account" in the XML file that specifies Tomcat users, which allows remote attackers to conduct unrestricted file upload attacks, and thereby execute arbitrary code, by using the org.apache.catalina.manager.HTMLManagerServlet class to make requests to manager/html/upload.
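A defensive check for the condition described above, added here as an example and not taken from HP, Apache Tomcat or the referenced advisories: it parses a Tomcat users XML file and reports every account that holds a Manager role but is not on an approved list. The sample file, the account names and the approved set are constructed for illustration; the name of the hidden account is not given on this page.

```python
import xml.etree.ElementTree as ET

# Roles that grant access to the Tomcat Manager application. "manager" is the
# role name in Tomcat 5.5/6; the "manager-*" names are used from Tomcat 7 on.
MANAGER_ROLES = {"manager", "manager-gui", "manager-script",
                 "manager-jmx", "manager-status"}

# Constructed sample of a Tomcat users file (not from the affected product).
SAMPLE = """<tomcat-users>
  <!-- <user username="commented-out" password="x" roles="manager"/> -->
  <role rolename="manager"/>
  <user username="deploy-admin" password="(redacted)" roles="manager"/>
  <user username="svc-example" password="(redacted)" roles="tomcat, manager"/>
  <user name="viewer" password="(redacted)" roles="tomcat"/>
</tomcat-users>"""


def audit_tomcat_users(xml_text, approved):
    """Return (account, manager_roles) for accounts that can reach the
    Manager application but are not in the approved set."""
    root = ET.fromstring(xml_text)
    findings = []
    for el in root.iter():
        # Strip any XML namespace so namespaced and plain files both work.
        if el.tag.rsplit("}", 1)[-1] != "user":
            continue
        # Older files use the "name" attribute, newer ones "username".
        name = el.get("username") or el.get("name") or ""
        roles = {r.strip() for r in el.get("roles", "").split(",") if r.strip()}
        granted = sorted(roles & MANAGER_ROLES)
        if granted and name not in approved:
            findings.append((name, granted))
    return findings


if __name__ == "__main__":
    # Assumption: "deploy-admin" is the only account the operator expects.
    for name, roles in audit_tomcat_users(SAMPLE, {"deploy-admin"}):
        print(f"unapproved Manager account: {name!r} roles={roles}")
```

Any account this reports that the operator did not create should be removed or have its Manager role revoked, and access to the Manager application should be restricted to trusted hosts.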

References

https://exchange.xforce.ibmcloud.com/vulnerabilities/54361

http://www.zerodayinitiative.com/advisories/ZDI-09-085/

http://www.osvdb.org/60317

http://securitytracker.com/id?1023222

http://secunia.com/advisories/37444

http://marc.info/?l=bugtraq&m=125873415424980&w=2

Details

Source: Mitre, NVD

Published: 2009-11-24

Updated: 2026-06-16

Risk Information

CVSS v2

Base Score: 10

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Severity: Critical

CVSS v3

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Severity: Critical

EPSS

EPSS: 0.78968