MFSBGN03808 rev.1 - Micro Focus UCMDB, Cross-Site Scripting
Description
Cross-Site Scripting (XSS) in Micro Focus Universal CMDB, CMS, and UCMDB Browser allows remote attackers to inject arbitrary web script.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A Cross-Site Scripting (XSS) vulnerability exists in Micro Focus Universal CMDB (versions 10.20, 10.21, 10.22, 10.30, 10.31, 10.32, 10.33, 11.0), CMS (versions 4.10, 4.11, 4.12, 4.13, 4.14, 4.15.1), and UCMDB Browser (versions 4.10, 4.11, 4.12, 4.13, 4.14, 4.15.1). The vulnerability can be triggered remotely via crafted input that is not properly sanitized [1].
Exploitation
An attacker can exploit this vulnerability by sending a specially crafted request to the affected product. No authentication is required. The attacker can inject malicious script that executes in the context of the victim's browser [1].
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's browser, leading to potential information disclosure, session hijacking, or other client-side attacks [1].
Mitigation
Micro Focus has released a security bulletin with fixes. Users should apply the patches provided by Micro Focus. The affected versions should be upgraded to the latest version that addresses the vulnerability. No specific workarounds are mentioned in the references [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: 4.10, 4.11, 4.12, 4.13, 4.14, 4.15.1
- Range: 10.20, 10.21, 10.22, 10.30, 10.31, 10.32, 10.33, 11.0
- Range: 4.10, 4.11, 4.12, 4.13, 4.14, 4.15.1
- Micro Focus/UCMDB v5 Range: 10.20, 10.21, 10.22, 10.30, 10.31, 10.32, 10.33, 11.0
- Range: 4.10, 4.11, 4.12, 4.13, 4.14, 4.15.1
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
- www.securitytracker.com/id/1040970 (mitre, vdb-entry, x_refsource_SECTRACK)
- softwaresupport.softwaregrp.com/document/-/facetsearch/document/KM03164778 (mitre, x_refsource_CONFIRM)