VYPR
Unrated severity · NVD Advisory · Published May 22, 2018 · Updated Sep 16, 2024

MFSBGN03806 rev.1 - HP Network Automation Software, Network Operations Management (NOM) Suite, Multiple Vulnerabilities

CVE-2018-6492

Description

Persistent XSS and non-persistent HTML Injection vulnerabilities in HP Network Operations Management Ultimate and Network Automation allow remote exploitation.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Persistent cross-site scripting (XSS) and non-persistent HTML injection vulnerabilities exist in HP Network Operations Management Ultimate (versions 2017.07, 2017.11, 2018.02) and Network Automation (versions 10.00, 10.10, 10.11, 10.20, 10.30, 10.40, 10.50). The vulnerabilities reside in the web interface of these products, allowing an attacker to inject malicious scripts or HTML that are either stored and later executed (persistent XSS) or reflected immediately (non-persistent HTML injection) [1].

Exploitation

An attacker with network access to the affected product's web interface can exploit these vulnerabilities without requiring authentication. For persistent XSS, the attacker submits crafted input that is stored by the application and subsequently rendered to other users. For non-persistent HTML injection, the attacker crafts a malicious link or request that reflects injected HTML in the response. No user interaction is required for the stored variant, while the reflected variant may require the victim to click a crafted link [1].

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's browser (persistent XSS), potentially leading to session hijacking, defacement, or theft of sensitive data. Non-persistent HTML injection enables the attacker to inject arbitrary HTML content, which can be used to spoof page content or trick users into performing actions. The attacker gains the ability to impersonate the victim or perform actions on behalf of an authenticated user [1].

Mitigation

Micro Focus has released a security bulletin (KM03158014) addressing these vulnerabilities. Users should upgrade to the latest patched versions as specified in the bulletin. No workarounds are documented; applying the vendor-supplied patch is the recommended mitigation [1].

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

3
  • 2017.07, 2017.11, 2018.02 + 1 more
    • (no CPE) range: 2017.07, 2017.11, 2018.02
    • (no CPE) range: 2017.07, 2017.11, 2018.02
  • Micro Focus/Network Automation v5
    Range: 10.00, 10.10, 10.11, 10.20, 10.30, 10.40, 10.50

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

3
