CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

HP : Security Vulnerabilities

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2017-14359 79 XSS 2017-11-03 2017-11-17
3.5
None Remote Medium Single system None Partial None
A potential security vulnerability has been identified in HPE Performance Center versions 12.20. The vulnerability could be remotely exploited to allow cross-site scripting.
2 CVE-2017-14358 601 2017-10-31 2017-11-21
5.8
None Remote Medium Not required Partial Partial None
A URL redirection to untrusted site vulnerability in HP ArcSight ESM and HP ArcSight ESM Express, in any 6.x version prior to 6.9.1c Patch 4 or 6.11.0 Patch 1. This vulnerability could be exploited remotely to allow URL redirection to untrusted site.
3 CVE-2017-14357 79 XSS 2017-10-31 2017-11-21
4.3
None Remote Medium Not required None Partial None
A Reflected and Stored Cross-Site Scripting (XSS) vulnerability in HP ArcSight ESM and HP ArcSight ESM Express, in any 6.x version prior to 6.9.1c Patch 4 or 6.11.0 Patch 1. This vulnerability could be exploited remotely to allow Reflected and Stored Cross-Site Scripting (XSS)
4 CVE-2017-14356 89 Sql 2017-10-31 2017-11-18
7.5
None Remote Low Not required Partial Partial Partial
An SQL Injection vulnerability in HP ArcSight ESM and HP ArcSight ESM Express, in any 6.x version prior to 6.9.1c Patch 4 or 6.11.0 Patch 1. This vulnerability could be exploited remotely to allow SQL injection.
5 CVE-2017-14354 79 XSS 2017-10-05 2017-11-10
4.3
None Remote Medium Not required None Partial None
A remote cross-site scripting vulnerability in HP UCMDB Foundation Software versions 10.10, 10.11, 10.20, 10.21, 10.22, 10.30, 10.31, 10.32, and 10.33 could be remotely exploited to allow cross-site scripting.
6 CVE-2017-14353 94 Exec Code 2017-10-05 2017-11-10
6.8
None Remote Medium Not required Partial Partial Partial
A remote code execution vulnerability in HP UCMDB Foundation Software versions 10.10, 10.11, 10.20, 10.21, 10.22, 10.30, 10.31, 10.32, and 10.33, could be remotely exploited to allow code execution.
7 CVE-2017-14352 79 XSS 2017-09-29 2017-10-06
4.3
None Remote Medium Not required None Partial None
A potential security vulnerability has been identified in HP UCMDB Configuration Manager versions 10.10, 10.11, 10.20, 10.21, 10.22, 10.23. These vulnerabilities could be remotely exploited to allow cross-site scripting.
8 CVE-2017-14351 Exec Code 2017-09-29 2017-11-10
7.5
None Remote Low Not required Partial Partial Partial
A potential security vulnerability has been identified in HP UCMDB Configuration Manager versions 10.10, 10.11, 10.20, 10.21, 10.22, 10.23. These vulnerabilities could be remotely exploited to allow code execution.
9 CVE-2017-14350 306 Exec Code 2017-09-29 2017-10-05
10.0
None Remote Low Not required Complete Complete Complete
A potential security vulnerability has been identified in HPE Application Performance Management (BSM) Platform versions 9.26, 9.30, 9.40. The vulnerability could be remotely exploited to allow code execution.
10 CVE-2017-14349 284 2017-09-29 2017-10-11
7.5
None Remote Low Not required Partial Partial Partial
An authentication vulnerability in HPE SiteScope product versions 11.2x and 11.3x, allows read-only accounts to view all SiteScope interfaces and monitors, potentially exposing sensitive data.
11 CVE-2017-13991 200 +Info 2017-09-29 2017-10-05
5.0
None Remote Low Not required Partial None None
An information leakage vulnerability in ArcSight ESM and ArcSight ESM Express, any 6.x version prior to 6.9.1c Patch 4 or 6.11.0 Patch 1, allows disclosure of product license features.
12 CVE-2017-13990 200 +Info 2017-09-29 2017-10-05
5.0
None Remote Low Not required Partial None None
An information leakage vulnerability in ArcSight ESM and ArcSight ESM Express, any 6.x version prior to 6.9.1c Patch 4 or 6.11.0 Patch 1, allows disclosure of Apache Tomcat application server version.
13 CVE-2017-13989 284 2017-09-29 2017-10-06
5.5
None Remote Low Single system Partial Partial None
An improper access control vulnerability in ArcSight ESM and ArcSight ESM Express, any 6.x version prior to 6.9.1c Patch 4 or 6.11.0 Patch 1, allows unauthorized users to retrieve or modify storage information.
14 CVE-2017-13988 284 2017-09-29 2017-10-06
4.0
None Remote Low Single system None Partial None
An improper access control vulnerability in ArcSight ESM and ArcSight ESM Express, any 6.x version prior to 6.9.1c Patch 4 or 6.11.0 Patch 1, allows unauthorized users to alter the maximum size of storage groups and enable/disable the setting for the 'follow schedule' function.
15 CVE-2017-13987 284 2017-09-29 2017-10-05
4.0
None Remote Low Single system Partial None None
An insufficient access control vulnerability in ArcSight ESM and ArcSight ESM Express, any 6.x version prior to 6.9.1c Patch 4 or 6.11.0 Patch 1, allows an unauthorized user to download log files.
16 CVE-2017-13986 79 XSS 2017-09-29 2017-10-05
4.3
None Remote Medium Not required None Partial None
A reflected Cross-Site Scripting(XSS) vulnerability in ArcSight ESM and ArcSight ESM Express, any 6.x version prior to 6.9.1c Patch 4 or 6.11.0 Patch 1, allows for unintended information when a specific URL is sent to the system.
17 CVE-2017-13985 22 Dir. Trav. 2017-09-29 2017-10-05
4.0
None Remote Low Single system Partial None None
An authentication vulnerability in HPE BSM Platform Application Performance Management System Health product versions 9.26, 9.30 and 9.40, allows remote users to traverse directory leading to disclosure of information.
18 CVE-2017-13984 287 Dir. Trav. 2017-09-29 2017-10-05
5.5
None Remote Low Single system None Partial Partial
An authentication vulnerability in HPE BSM Platform Application Performance Management System Health product versions 9.26, 9.30 and 9.40, allows remote users to delete arbitrary files via servlet directory traversal.
19 CVE-2017-13983 287 Bypass 2017-09-29 2017-10-05
10.0
None Remote Low Not required Complete Complete Complete
An authentication vulnerability in HPE BSM Platform Application Performance Management System Health product versions 9.26, 9.30 and 9.40, allows remote users to bypass authentication.
20 CVE-2017-13982 434 Dir. Trav. 2017-09-29 2017-10-10
9.0
None Remote Low Single system Complete Complete Complete
A directory traversal vulnerability in HPE BSM Platform Application Performance Management System Health product versions 9.26, 9.30 and 9.40, allows users to upload unrestricted files.
21 CVE-2017-8994 20 Exec Code 2017-10-10 2017-11-08
7.5
None Remote Low Not required Partial Partial Partial
A input validation vulnerability in HPE Operations Orchestration product all versions prior to 10.80, allows for the execution of code remotely.
22 CVE-2017-5791 287 Bypass 2017-10-11 2017-11-03
10.0
None Remote Low Not required Complete Complete Complete
The doFilter method in UrlAccessController in HPE Intelligent Management Center (iMC) PLAT 7.2 E0403P06 allows remote bypass of authentication via unspecified strings in a URI.
23 CVE-2017-5789 284 Exec Code Overflow 2017-10-11 2017-11-03
7.5
None Remote Low Not required Partial Partial Partial
HPE LoadRunner before 12.53 Patch 4 and HPE Performance Center before 12.53 Patch 4 allow remote attackers to execute arbitrary code via unspecified vectors. At least in LoadRunner, this is a libxdrutil.dll mxdr_string heap-based buffer overflow.
24 CVE-2017-3733 20 2017-05-04 2017-10-19
5.0
None Remote Low Not required None None Partial
During a renegotiation handshake if the Encrypt-Then-Mac extension is negotiated where it was not in the original handshake (or vice-versa) then this can cause OpenSSL 1.1.0 before 1.1.0e to crash (dependent on ciphersuite). Both clients and servers are affected.
25 CVE-2016-8106 20 DoS 2017-01-09 2017-07-26
4.3
None Remote Medium Not required None None Partial
A Denial of Service in Intel Ethernet Controller's X710/XL710 with Non-Volatile Memory Images before version 5.05 allows a remote attacker to stop the controller from processing network traffic working under certain network use conditions.
26 CVE-2016-6306 125 DoS 2016-09-26 2017-11-20
4.3
None Remote Medium Not required None None Partial
The certificate parser in OpenSSL before 1.0.1u and 1.0.2 before 1.0.2i might allow remote attackers to cause a denial of service (out-of-bounds read) via crafted certificate operations, related to s3_clnt.c and s3_srvr.c.
27 CVE-2016-5388 284 2016-07-18 2017-08-24
5.1
None Remote High Not required Partial Partial Partial
Apache Tomcat through 8.5.4, when the CGI Servlet is enabled, follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue. NOTE: the vendor states "A mitigation is planned for future releases of Tomcat, tracked as CVE-2016-5388"; in other words, this is not a CVE ID for a vulnerability.
28 CVE-2016-5387 284 2016-07-18 2017-11-13
5.1
None Remote High Not required Partial Partial Partial
The Apache HTTP Server through 2.4.23 follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue. NOTE: the vendor states "This mitigation has been assigned the identifier CVE-2016-5387"; in other words, this is not a CVE ID for a vulnerability.
29 CVE-2016-5385 284 2016-07-18 2017-11-03
5.1
None Remote High Not required Partial Partial Partial
PHP through 7.0.8 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, as demonstrated by (1) an application that makes a getenv('HTTP_PROXY') call or (2) a CGI configuration of PHP, aka an "httpoxy" issue.
30 CVE-2016-4543 119 DoS Overflow 2016-05-21 2017-06-30
7.5
None Remote Low Not required Partial Partial Partial
The exif_process_IFD_in_JPEG function in ext/exif/exif.c in PHP before 5.5.35, 5.6.x before 5.6.21, and 7.x before 7.0.6 does not validate IFD sizes, which allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via crafted header data.
31 CVE-2016-4448 2016-06-09 2017-08-31
10.0
None Remote Low Not required Complete Complete Complete
Format string vulnerability in libxml2 before 2.9.4 allows attackers to have unspecified impact via format string specifiers in unknown vectors.
32 CVE-2016-4447 119 DoS Overflow 2016-06-09 2017-08-31
5.0
None Remote Low Not required None None Partial
The xmlParseElementDecl function in parser.c in libxml2 before 2.9.4 allows context-dependent attackers to cause a denial of service (heap-based buffer underread and application crash) via a crafted file, involving xmlParseName.
33 CVE-2016-4396 119 Overflow 2016-10-28 2017-02-16
7.8
None Remote Low Not required None Complete None
HPE System Management Homepage before v7.6 allows remote attackers to have an unspecified impact via unknown vectors, related to a "Buffer Overflow" issue.
34 CVE-2016-4395 119 Overflow 2016-10-28 2017-02-16
7.8
None Remote Low Not required None Complete None
HPE System Management Homepage before v7.6 allows remote attackers to have an unspecified impact via unknown vectors, related to a "Buffer Overflow" issue.
35 CVE-2016-4394 254 +Info 2016-10-28 2017-02-16
5.8
None Remote Medium Not required None Partial Partial
HPE System Management Homepage before v7.6 allows remote attackers to obtain sensitive information via unspecified vectors, related to an "HSTS" issue.
36 CVE-2016-4393 79 XSS +Info 2016-10-28 2017-02-16
3.5
None Remote Medium Single system None Partial None
HPE System Management Homepage before v7.6 allows "remote authenticated" attackers to obtain sensitive information via unspecified vectors, related to an "XSS" issue.
37 CVE-2016-4390 Exec Code 2016-10-05 2017-07-29
6.8
None Remote Medium Not required Partial Partial Partial
The Filter SDK in HPE KeyView 10.18 through 10.24 allows remote attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2016-4387, CVE-2016-4388, and CVE-2016-4389.
38 CVE-2016-4389 Exec Code 2016-10-05 2017-07-29
6.8
None Remote Medium Not required Partial Partial Partial
The Filter SDK in HPE KeyView 10.18 through 10.24 allows remote attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2016-4387, CVE-2016-4388, and CVE-2016-4390.
39 CVE-2016-4388 Exec Code 2016-10-05 2017-07-29
6.8
None Remote Medium Not required Partial Partial Partial
The Filter SDK in HPE KeyView 10.18 through 10.24 allows remote attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2016-4387, CVE-2016-4389, and CVE-2016-4390.
40 CVE-2016-4387 Exec Code 2016-10-05 2017-07-29
6.8
None Remote Medium Not required Partial Partial Partial
The Filter SDK in HPE KeyView 10.18 through 10.24 allows remote attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2016-4388, CVE-2016-4389, and CVE-2016-4390.
41 CVE-2016-4386 2016-09-29 2017-07-29
6.9
None Local Medium Not required Complete Complete Complete
HPE Network Automation Software 10.10 allows local users to write to arbitrary files via unspecified vectors.
42 CVE-2016-4385 502 Exec Code 2016-09-29 2017-11-02
7.5
None Remote Low Not required Partial Partial Partial
The RMI service in HP Network Automation Software 9.1x, 9.2x, 10.0x before 10.00.02.01, and 10.1x before 10.11.00.01 allows remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) and Commons BeanUtils libraries.
43 CVE-2016-4384 DoS 2016-09-20 2017-07-29
9.0
None Remote Low Not required Partial Partial Complete
HPE Performance Center before 12.50 and LoadRunner before 12.50 allow remote attackers to cause a denial of service via unspecified vectors.
44 CVE-2016-4383 284 2017-06-27 2017-07-06
8.5
None Remote Medium Single system Complete Complete Complete
The glance-manage db in all versions of HPE Helion Openstack Glance allows deleted image ids to be reassigned, which allows remote authenticated users to cause other users to boot into a modified image without notification of the change.
45 CVE-2016-4382 264 Bypass 2016-09-20 2017-08-12
6.0
None Remote Medium Single system Partial Partial Partial
HPE Performance Center 11.52, 12.00, 12.01, 12.20, and 12.50 allows remote attackers to bypass intended access restrictions via unspecified vectors, related to a "remote user validation failure" issue.
46 CVE-2016-4381 264 Bypass 2016-09-08 2016-11-28
4.4
None Local Medium Not required Partial Partial Partial
HPE XP7 Command View Advanced Edition (CVAE) Suite 6.x through 8.x before 8.4.1-02, when Replication Manager (RepMgr) and Device Manager (DevMgr) are enabled, allows local users to bypass intended access restrictions via unspecified vectors.
47 CVE-2016-4380 79 XSS 2016-09-08 2016-11-28
3.5
None Remote Medium Single system None Partial None
Cross-site scripting (XSS) vulnerability in the AdminUI in HPE Operations Manager 9.21.x before 9.21.130 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.
48 CVE-2016-4379 310 +Info 2016-09-08 2016-11-28
4.3
None Remote Medium Not required Partial None None
The TLS implementation in HPE Integrated Lights-Out 3 (aka iLO3) firmware before 1.88 does not properly use a MAC protection mechanism in conjunction with CBC padding, which allows remote attackers to obtain sensitive information via a padding-oracle attack, aka a Vaudenay attack.
49 CVE-2016-4378 200 +Info 2016-08-26 2016-11-28
5.0
None Remote Low Not required Partial None None
The (1) Device Manager, (2) Tiered Storage Manager, (3) Replication Manager, (4) Replication Monitor, and (5) Hitachi Automation Director (HAD) components in HPE XP P9000 Command View Advanced Edition Software before 8.4.1-00 and XP7 Command View Advanced Edition Suite before 8.4.1-00 allow remote attackers to obtain sensitive information via unspecified vectors.
50 CVE-2016-4377 Exec Code 2016-08-22 2016-11-28
7.6
None Remote High Not required Complete Complete Complete
HPE Smart Update in Storage Sizing Tool before 13.0, Converged Infrastructure Solution Sizer Suite (CISSS) before 2.13.1, Power Advisor before 7.8.2, Insight Management Sizer before 16.12.1, Synergy Planning Tool before 3.3, SAP Sizing Tool before 16.12.1, Sizing Tool for SAP Business Suite powered by HANA before 16.11.1, Sizer for ConvergedSystems Virtualization before 16.7.1, Sizer for Microsoft Exchange Server before 16.12.1, Sizer for Microsoft Lync Server 2013 before 16.12.1, Sizer for Microsoft SharePoint 2013 before 16.13.1, Sizer for Microsoft SharePoint 2010 before 16.11.1, and Sizer for Microsoft Skype for Business Server 2015 before 16.5.1 allows remote attackers to execute arbitrary code via unspecified vectors.
Total number of vulnerabilities : 1435   Page : 1 (This Page)2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.