CVE-2009-0204

Vulnerability

HP Select Access versions 6.1 and 6.2 running on HP-UX, Linux, Solaris, and Windows contain a cross-site scripting (XSS) vulnerability [1]. The issue allows remote attackers to inject arbitrary web script or HTML. The vulnerability exists in unspecified vectors within the application, and no authentication or special privileges are required for exploitation [1].

Exploitation

The vulnerability is remotely exploitable without authentication [1]. An attacker can deliver a crafted request to the affected HP Select Access server, which then improperly reflects or stores the attacker-supplied script in a response that is executed in the victim's browser. Technical details of the attack vector are not disclosed in the available references [1].

Impact

Successful exploitation results in arbitrary script or HTML execution in the context of the vulnerable application [1]. This can lead to session hijacking, credential theft, defacement, or forced redirection to malicious sites. The CVSSv2 base score is 6.4 (AV:N/AC:L/Au:N/C:P/I:P/A:N), indicating partial impact to confidentiality and integrity, with no impact to availability [1].

Mitigation

HP released hotfixes to resolve the vulnerability [1]. The fix requires first installing one of the following patches: Select Access v6.1 Patch 4, or Select Access v6.2 Patch 2 or Patch 3 [1]. Then install the corresponding hotfix: HPSACC 6.1 P4 Hotfix1 (HPSACC_00004) for v6.1 Patch 4, or the appropriate hotfix for v6.2 [1]. Patches and hotfixes are available from HP support portal [1]. No workaround is provided if the hotfixes are not installed [1].