Synopsis
The remote web server has multiple vulnerabilities.
Description
According to its self-reported version number, the HP System Management Homepage install on the remote host is earlier than 6.0.0.96 / 6.0.0-95. Such versions are potentially affected by the following vulnerabilities :
- A cross-site scripting (XSS) vulnerability due to a failure to sanitize UTF-7 encoded input. Browsers are only affected if encoding is set to auto-select.
(CVE-2008-1468)
- An integer overflow in the libxml2 library that can result in a heap overflow. (CVE-2008-4226)
- A buffer overflow in the PHP mbstring extension.
(CVE-2008-5557)
- An unspecified XSS in PHP when 'display_errors' is enabled. (CVE-2008-5814)
- Multiple denial of service vulnerabilities in OpenSSL DTLS. (CVE-2009-1377, CVE-2009-1378, CVE-2009-1379, CVE-2009-1386, CVE-2009-1387)
- A cross-site scripting vulnerability due to a failure to sanitize input to the 'servercert' parameter of '/proxy/smhu/getuiinfo'. (CVE-2009-4185)
- An unspecified vulnerability that could allow an attacker to access sensitive information, modify data, or cause a denial of service. (CVE-2010-1034)
Solution
Upgrade to HP System Management Homepage 6.0.0.96 (Windows) / 6.0.0-95 (Linux) or later.