CVE-2011-0898

Vulnerability

HP Network Node Manager i (NNMi) version 9.00 running on HP-UX, Linux, Solaris, and Windows contains a cross-site scripting (XSS) vulnerability [1][2]. The bug allows remote attackers to inject arbitrary web script or HTML via unspecified vectors [1]. The vulnerability is present in the NNMi web interface, but the specific affected component or input parameter is not disclosed in the available references.

Exploitation

An attacker can exploit this vulnerability remotely without authentication, as indicated by the CVSS vector (AV:N/AC:M/Au:N/C:N/I:P/A:N) which shows no authentication is required [1][2]. The attack complexity is medium, meaning some conditions (such as user interaction or specific configuration) may be needed, but no authenticated session is necessary. The exact exploitation steps are not detailed in the available references; the vector remains unspecified.

Impact

Successful exploitation allows the attacker to inject arbitrary web script or HTML into the NNMi web interface, leading to cross-site scripting [1][2]. This can result in information disclosure, session hijacking, or other malicious actions performed in the context of the victim's browser session. The impact on confidentiality and availability is none, but integrity is partially affected, as reflected by the CVSS base score of 4.3 [1][2].

Mitigation

HP released patches to resolve the vulnerability. The patches are available from the HP OpenView support site [1][2]. Affected versions and required patches are: HP-UX (IA) - PHSS_41540 or subsequent; Linux RedHat4AS - NNM900L_00003 or subsequent; Solaris - NNM900S_00003 or subsequent; Windows - NNM900W_00003 or subsequent [1][2]. No workarounds are documented in the available references. The CVE is not listed in the CISA Known Exploited Vulnerabilities catalog as of this writing.