HP Client Security Manager 8.3.4 Cross-Site Scripting Vulnerability

Title: HP Client Security Manager 8.3.4 Cross-Site Scripting Vulnerability
Advisory ID: ZSL-2016-5299
Type: Local/Remote
Impact: Cross-Site Scripting
Risk: (3/5)
Release Date: 28.01.2016
HP Client Security Manager provides enhanced Windows login and website single-sign-on capabilities. Security Manager is also the host for HP Client Security plugins and should be installed before other Client Security modules. This package is provided for supported notebook models running a supported operating system.
HP Client Security Manager is prone to XSS attacks because it does not sanitize data taken from HTML forms. This exposes any site, even one with no XSS flaw of its own.
Vendor: HP Inc. - http://www.hp.com
Affected Version: 8.3.4
Tested On:
Microsoft Windows 7 Professional SP1 (EN)
Microsoft Windows 7 Ultimate SP1 (EN)
Vendor Status:
[09.10.2015] Vulnerability discovered.
[10.10.2015] Vendor contacted.
[12.10.2015] Vendor responds asking for more details.
[13.10.2015] Sent details to the vendor.
[04.11.2015] Vendor is working on the issue.
[11.01.2016] Asked vendor for status update.
[17.01.2016] No reply from the vendor.
[18.01.2016] Asked vendor for status update.
[27.01.2016] No response from the vendor.
[28.01.2016] Public security advisory released.
[28.01.2016] Vendor promises fix in the next release on 26.02.2016.
Credits: Vulnerability discovered by Ewerson Guimaraes - <crash@zeroscience.mk>
References:
[1] https://packetstormsecurity.com/files/135570
[2] https://cxsecurity.com/issue/WLB-2016020023
[3] http://www.securityfocus.com/bid/82406
[4] https://exchange.xforce.ibmcloud.com/vulnerabilities/110333
Changelog:
[28.01.2016] - Initial release
[31.01.2016] - Added vendor status
[02.02.2016] - Added reference [1] and [2]
[14.02.2016] - Added reference [3] and [4]
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk