← Advisories

HP Client Security Manager 8.3.4 Cross-Site Scripting Vulnerability

Medium
Advisory ID
ZSL-2016-5299
Release Date
28 January 2016
Vendor
HP Inc. - http://www.hp.com
Affected Version
8.3.4.1811
CVE
N/A
Tested On
Microsoft Windows 7 Professional SP1 (EN), Microsoft Windows 7 Ultimate SP1 (EN)
Summary

HP Client Security Manager provides enhanced Windows login and website single-sign-on capabilities. Security Manager is also the host for HP Client Security plugins and should be installed before other Client Security modules. This package is provided for supported notebook models running a supported operating system.

Description

HP Client Security Manager is prone to XSS attacks because of lacking sanitization of data from HTML forms. It makes any site vulnerable even without XSS presence on the site.

Proof of Concept
hpcsm_xss.txtTXT
Disclosure Timeline
09.10.2015Vulnerability discovered.
10.10.2015Vendor contacted.
12.10.2015Vendor responds asking more details.
13.10.2015Sent details to the vendor.
04.11.2015Vendor is working on the issue.
11.01.2016Asked vendor for status update.
17.01.2016No reply from the vendor.
18.01.2016Asked vendor for status update.
27.01.2016No response from the vendor.
28.01.2016Public security advisory released.
28.01.2016Vendor promises fix in the next release on 26.02.2016.
Credits
Vulnerability discovered by Ewerson Guimaraes
References
[1]https://packetstormsecurity.com/files/135570
[2]https://cxsecurity.com/issue/WLB-2016020023
[3]http://www.securityfocus.com/bid/82406
[4]https://exchange.xforce.ibmcloud.com/vulnerabilities/110333
Changelog
28.01.2016Initial release
31.01.2016Added vendor status
02.02.2016Added reference [1] and [2]
14.02.2016Added reference [3] and [4]