CVE-2023-39266

A vulnerability in the ArubaOS-Switch web management interface could allow an unauthenticated remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the interface provided certain configuration options are present. A successful exploit could allow an attacker to execute arbitrary script code in a victim's browser in the context of the affected interface.

CVSS v3 8.3 HIGH

8.3^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.6 / Impact : 6.0

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

References

Link	Resource
https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2023-013.txt	Vendor Advisory
https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2023-013.txt	Vendor Advisory

Configurations

Configuration 1 (hide)

AND

OR	cpe:2.3:o:hpe:arubaos-switch::::::::
	cpe:2.3:o:hpe:arubaos-switch::::::::
	cpe:2.3:o:hpe:arubaos-switch::::::::
	cpe:2.3:o:hpe:arubaos-switch::::::::
	cpe:2.3:o:hpe:arubaos-switch::::::::

OR	cpe:2.3:h:arubanetworks:aruba_2530:-:::::::*
	cpe:2.3:h:arubanetworks:aruba_2530ya:-:::::::*
	cpe:2.3:h:arubanetworks:aruba_2530yb:-:::::::*
	cpe:2.3:h:arubanetworks:aruba_2540:-:::::::*
	cpe:2.3:h:arubanetworks:aruba_2920:-:::::::*
	cpe:2.3:h:arubanetworks:aruba_2930f:-:::::::*
	cpe:2.3:h:arubanetworks:aruba_2930m:-:::::::*
	cpe:2.3:h:arubanetworks:aruba_3810m:-:::::::*
	cpe:2.3:h:arubanetworks:aruba_5406r_zl2:-:::::::*
	cpe:2.3:h:arubanetworks:aruba_5412r_zl2:-:::::::*

History

21 Nov 2024, 08:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2023-08-29 20:15

Updated : 2024-11-21 08:15

NVD link : CVE-2023-39266

Mitre link : CVE-2023-39266

CVE.ORG link : CVE-2023-39266

JSON object : View

Products Affected

arubanetworks

aruba_2930m
aruba_5406r_zl2
aruba_5412r_zl2
aruba_3810m
aruba_2920
aruba_2530ya
aruba_2930f
aruba_2530
aruba_2530yb
aruba_2540

hpe

arubaos-switch

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2023-39266", "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-alert@hpe.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.3, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 1.6}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.8}]}, "published": "2023-08-29T20:15:09.637", "references": [{"url": "https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2023-013.txt", "tags": ["Vendor Advisory"], "source": "security-alert@hpe.com"}, {"url": "https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2023-013.txt", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability in the ArubaOS-Switch web management interface could allow an unauthenticated remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the interface provided certain configuration options are present. A successful exploit could allow an attacker to execute arbitrary script code in a victim's browser in the context of the affected interface.\n\n\n"}, {"lang": "es", "value": "Una vulnerabilidad en la interfaz de administraci\u00f3n web de ArubaOS-Switch podr\u00eda permitir que un atacante remoto no autenticado lleve a cabo un ataque de cross-site scripting (XSS) almacenado contra un usuario de la interfaz, siempre que ciertas opciones de configuraci\u00f3n est\u00e9n presentes. Un exploit exitoso podr\u00eda permitir a un atacante ejecutar c\u00f3digo de script arbitrario en el navegador de la v\u00edctima en el contexto de la interfaz afectada."}], "lastModified": "2024-11-21T08:15:01.040", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:hpe:arubaos-switch:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6EF6288C-3E1F-4E2F-BDE2-319E6774F1BD", "versionEndExcluding": "a.15.16.0026"}, {"criteria": "cpe:2.3:o:hpe:arubaos-switch:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D421C423-B11A-43F0-A0E9-9ABD0CC3E7A9", "versionEndExcluding": "16.04.0027", "versionStartIncluding": "16.01.0000"}, {"criteria": "cpe:2.3:o:hpe:arubaos-switch:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "90E95208-9E6A-4A27-91EF-EFF9EBB5CDF0", "versionEndExcluding": "16.08.0027", "versionStartIncluding": "16.05.0000"}, {"criteria": "cpe:2.3:o:hpe:arubaos-switch:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3A977A83-A7F4-4FE7-9AC9-5584801CC039", "versionEndExcluding": "16.10.0024", "versionStartIncluding": "16.10.0001"}, {"criteria": "cpe:2.3:o:hpe:arubaos-switch:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "EF10EBA8-E257-4E81-8B5A-04E643FD27F4", "versionEndExcluding": "16.11.0013", "versionStartIncluding": "16.11.0001"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:arubanetworks:aruba_2530:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "CA0DC0DE-5F4A-4D2A-AFCA-E36A103D5A6E"}, {"criteria": "cpe:2.3:h:arubanetworks:aruba_2530ya:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "B8251986-B9F2-4345-A4D7-EB3737F12AE0"}, {"criteria": "cpe:2.3:h:arubanetworks:aruba_2530yb:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "3D7A8F42-55C8-4A2B-8A34-1B1B8BE3BEDF"}, {"criteria": "cpe:2.3:h:arubanetworks:aruba_2540:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "FDEDD15E-289E-4B15-8620-547EA19CAEE7"}, {"criteria": "cpe:2.3:h:arubanetworks:aruba_2920:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "B1782D4A-AD68-4BD2-8453-EE22BCF2DC99"}, {"criteria": "cpe:2.3:h:arubanetworks:aruba_2930f:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "97C4FCD2-BB70-4848-B08A-223B5C3467BB"}, {"criteria": "cpe:2.3:h:arubanetworks:aruba_2930m:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "2561E158-FB61-4FFD-B680-DADF7BC2C6D1"}, {"criteria": "cpe:2.3:h:arubanetworks:aruba_3810m:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "F3CE933B-68BA-45BA-81BD-95D873B858B1"}, {"criteria": "cpe:2.3:h:arubanetworks:aruba_5406r_zl2:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "8E982204-9ADC-4242-86C2-A407D6EA7DB0"}, {"criteria": "cpe:2.3:h:arubanetworks:aruba_5412r_zl2:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "8549CD94-50E2-4615-94C2-D76FADFBA3AC"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "security-alert@hpe.com"}