CVE-2011-1537

Vulnerability

A cross-site scripting (XSS) vulnerability exists in HP Proliant Support Pack (PSP) versions 8.6 and earlier [1][2]. The vulnerability is triggerable via unspecified vectors, meaning an attacker can inject arbitrary web script or HTML into the application's output [1]. The issue affects both Linux and Windows versions of PSP [1].

Exploitation

An attacker can exploit this vulnerability remotely without authentication, but requires user interaction (e.g., convincing a victim to click a crafted link) [1]. The attack vector is network-based and complexity is medium, as the victim must be tricked into performing an action [1]. The exact steps are not detailed in the available references, but the XSS occurs when the PSP processes malicious input from the attacker.

Impact

Successful exploitation results in arbitrary script execution in the context of the victim's browser session [1]. This could lead to disclosure of session cookies, defacement, or phishing attacks, but the CVSS score (4.3) indicates limited impact on confidentiality and availability, with partial impact on integrity [1].

Mitigation

HP has released PSP version 8.7 to fix this vulnerability [1][2]. Users should upgrade to PSP 8.7 or later, available from the HP website [1]. No workarounds are provided in the references, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.