HP Power Manager Unspecified Cross-Site Request Forgery

medium Nessus Plugin ID 52015

Synopsis

The power management application installed on the remote host has a cross-site request forgery vulnerability.

Description

HP Power Manager was detected on the remote host. All versions of this software reportedly have an unspecified cross-site request forgery vulnerability. The application does not attempt to validate user requests before performing them. It makes no distinction between user actions that are performed deliberately and unknowingly.

A remote attacker could exploit this by tricking a user into making a malicious request, resulting in administrative access.

Solution

See the vendor advisory above for suggested workarounds.

See Also

http://www.nessus.org/u?d400d597

Plugin Details

Severity: Medium

ID: 52015

File Name: hp_power_mgr_csrf.nasl

Version: 1.10

Type: remote

Family: CGI abuses

Published: 2/17/2011

Updated: 6/5/2024

Configuration: Enable paranoid mode

Supported Sensors: Nessus

Enable CGI Scanning: true

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5.6

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

Vulnerability Information

CPE: cpe:/a:hp:power_manager

Required KB Items: www/hp_power_mgr, Settings/ParanoidReport

Excluded KB Items: Settings/disable_cgi_scanning

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2/7/2011

Vulnerability Publication Date: 2/7/2011

Reference Information

CVE: CVE-2011-0277

BID: 46258

Secunia: 43058