VYPR
Unrated severity · NVD Advisory · Published Dec 8, 2022 · Updated Apr 23, 2025

CVE-2022-38754 - Micro Focus Operations Bridge Manager and OpsBridge Containerized - Cross Site Scripting (XSS)

CVE-2022-38754

Description

Authenticated OBM user can inject JavaScript into the browser context of another OBM user via a stored XSS vulnerability.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A stored cross-site scripting (XSS) vulnerability exists in Micro Focus Operations Bridge Manager (OBM) and Operations Bridge - Containerized in versions prior to 2022.11. A malicious authenticated OBM user can inject arbitrary JavaScript into the application, which is then executed in the browser context of another OBM user. The vulnerability is only exploitable when the Operations Bridge Manager capability is deployed [1].

Exploitation

An attacker must be an authenticated OBM user with the ability to inject content (e.g., via input fields or other data entry points) that is later rendered to other users. No additional privileges beyond standard authenticated user access are required. The attacker crafts a malicious JavaScript payload and submits it through the vulnerable interface. When another authenticated OBM user views the affected page, the script executes in their browser session [1].

Impact

A successful exploit enables the attacker to execute arbitrary JavaScript in the context of the victim's browser session. This can lead to session hijacking, defacement, or theft of sensitive information displayed in the OBM console. The attack impacts confidentiality and integrity within the web application scope [1].

Mitigation

Micro Focus has released version 2022.11, which addresses this vulnerability. Users of either the standalone OBM product or Operations Bridge - Containerized should upgrade to 2022.11 or later. No workarounds are documented [1].

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

4

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

3
