CVE-2017-14363
Description
A Cross-Site Scripting (XSS) vulnerability has been identified in Micro Focus Operations Manager i, versions 10.60, 10.61, 10.62. The vulnerability could be remotely exploited to allow Cross-Site Scripting (XSS).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Micro Focus Operations Manager i versions 10.60, 10.61, and 10.62 contain a remotely exploitable Cross-Site Scripting (XSS) vulnerability.
Vulnerability
A Cross-Site Scripting (XSS) vulnerability exists in Micro Focus Operations Manager i (formerly HP Operations Manager i) versions 10.60, 10.61, and 10.62 [1]. The vulnerability allows an attacker to inject malicious script into web pages served by the application, which can then be executed in the context of a user's browser session [1].
Exploitation
To exploit this vulnerability, an attacker requires network access to the affected system [1]. The CVSS v3 vector (AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:H/A:L) indicates that the attack complexity is high, the attacker needs low-level privileges, and user interaction is required [1]. Specifically, the attacker must entice a privileged user (e.g., an administrator) to click a crafted link or visit a malicious page while authenticated to the Operations Manager i interface [1].
Impact
Successful exploitation leads to stored or reflected Cross-Site Scripting, allowing the attacker to execute arbitrary HTML and JavaScript in the browser of the targeted user [1]. This can result in session hijacking, manipulation of the web interface, or exfiltration of sensitive information displayed by the application [1]. The CVSS scope is unchanged (S:U), but the confidentiality impact is low, integrity impact is high, and availability impact is low [1].
Mitigation
Micro Focus released a security bulletin (MFSBGN03795 rev.1) on 2017-12-21 [1]. The recommended mitigation is to apply the vendor-supplied patch or upgrade to a fixed version as specified in the advisory [1]. No workarounds are mentioned in the reference. If an update cannot be applied immediately, restricting network access to the Operations Manager i web interface to trusted users and networks can reduce the risk of exploitation [1].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
- Range: =10.60 / 10.61 / 10.62
- Micro Focus/Operations Manager i (v5), Range: 10.60, 10.61, 10.62
Patches (0)
No patches discovered yet.
References (1)
News mentions (0)
No linked articles in our index yet.