CVE-2022-37892 - OpenCVE

A vulnerability in the Aruba InstantOS and ArubaOS 10 web management interface could allow an unauthenticated remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the interface. A successful exploit could allow an attacker to execute arbitrary script code in a victim’s browser in the context of the affected interface of Aruba InstantOS 6.4.x: 6.4.4.8-4.2.4.20 and below; Aruba InstantOS 6.5.x: 6.5.4.23 and below; Aruba InstantOS 8.6.x: 8.6.0.18 and below; Aruba InstantOS 8.7.x: 8.7.1.9 and below; Aruba InstantOS 8.10.x: 8.10.0.1 and below; ArubaOS 10.3.x: 10.3.1.0 and below; Aruba has released upgrades for Aruba InnstantOS that address this security vulnerability.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Arubanetworks	Arubaos Instant
Siemens	Scalance W1750d Firmware Scalance W1750d

Configuration 1 [-]

OR	cpe:2.3:o:arubanetworks:arubaos::::::::
	cpe:2.3:o:arubanetworks:instant::::::::
	cpe:2.3:o:arubanetworks:instant::::::::
	cpe:2.3:o:arubanetworks:instant::::::::
	cpe:2.3:o:arubanetworks:instant::::::::
	cpe:2.3:o:arubanetworks:instant::::::::

Configuration 2 [-]

AND

cpe:2.3:o:siemens:scalance_w1750d_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:siemens:scalance_w1750d:-:*:*:*:*:*:*:*

References

Link	Resource
https://cert-portal.siemens.com/productcert/pdf/ssa-506569.pdf	Third Party Advisory
https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2022-014.txt	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: hpe

Published: 2022-10-07T00:00:00

Updated: 2022-11-08T00:00:00

Reserved: 2022-08-08T00:00:00

Link: CVE-2022-37892

JSON object: View

NVD Information

Status : Analyzed

Published: 2022-10-07T18:15:21.497

Modified: 2022-11-09T03:58:36.430

Link: CVE-2022-37892

JSON object: View

Redhat Information

No data.

CWE

CWE-79

{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2022-37892", "assignerOrgId": "eb103674-0d28-4225-80f8-39fb86215de0", "assignerShortName": "hpe", "dateUpdated": "2022-11-08T00:00:00", "dateReserved": "2022-08-08T00:00:00", "datePublished": "2022-10-07T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "eb103674-0d28-4225-80f8-39fb86215de0", "shortName": "hpe", "dateUpdated": "2022-11-08T00:00:00"}, "descriptions": [{"lang": "en", "value": "A vulnerability in the Aruba InstantOS and ArubaOS 10 web management interface could allow an unauthenticated remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the interface. A successful exploit could allow an attacker to execute arbitrary script code in a victim\u2019s browser in the context of the affected interface of Aruba InstantOS 6.4.x: 6.4.4.8-4.2.4.20 and below; Aruba InstantOS 6.5.x: 6.5.4.23 and below; Aruba InstantOS 8.6.x: 8.6.0.18 and below; Aruba InstantOS 8.7.x: 8.7.1.9 and below; Aruba InstantOS 8.10.x: 8.10.0.1 and below; ArubaOS 10.3.x: 10.3.1.0 and below; Aruba has released upgrades for Aruba InnstantOS that address this security vulnerability."}], "affected": [{"vendor": "n/a", "product": "Aruba Access Points: 100 Series; 103 Series; 110 Series; 120 Series; 130 Series; 200 Series; 207 Series; 210 Series; 220 Series; 260 Series; 300 Series; 303 Series; 310 Series; 318 Series Hardened Access Points; 320 Series; 330 Series; 340 Series; 370 Series; 500 Series; 510 Series; 530 Series; 550 Series; 630 Series; 650 Series;", "versions": [{"version": "Aruba InstantOS 6.4.x: 6.4.4.8-4.2.4.20 and below", "status": "affected"}, {"version": "Aruba InstantOS 6.5.x: 6.5.4.23 and below", "status": "affected"}, {"version": "Aruba InstantOS 8.6.x: 8.6.0.18 and below", "status": "affected"}, {"version": "Aruba InstantOS 8.7.x: 8.7.1.9 and below", "status": "affected"}, {"version": "Aruba InstantOS 8.10.x: 8.10.0.1 and below", "status": "affected"}, {"version": "ArubaOS 10.3.x: 10.3.1.0 and below", "status": "affected"}]}], "references": [{"url": "https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2022-014.txt"}, {"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-506569.pdf"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "Unauthenticated Stored Cross-Site Scripting"}]}]}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:arubanetworks:arubaos:*:*:*:*:*:*:*:*", "matchCriteriaId": "F1B6376E-424F-4DBF-B00D-69C52E4B3E46", "versionEndExcluding": "10.3.1.1", "versionStartIncluding": "10.3.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:o:arubanetworks:instant:*:*:*:*:*:*:*:*", "matchCriteriaId": "D27F5A7C-442F-45A6-A149-2037042A1629", "versionEndExcluding": "6.4.4.8-4.2.4.21", "versionStartIncluding": "6.4.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:o:arubanetworks:instant:*:*:*:*:*:*:*:*", "matchCriteriaId": "6A33DE52-E905-4EBD-BA56-1DC67B7DD9FD", "versionEndExcluding": "6.5.4.24", "versionStartIncluding": "6.5.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:o:arubanetworks:instant:*:*:*:*:*:*:*:*", "matchCriteriaId": "081502CC-38D4-46F9-85D0-3D1F701D5EE4", "versionEndExcluding": "8.6.0.19", "versionStartIncluding": "8.6.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:o:arubanetworks:instant:*:*:*:*:*:*:*:*", "matchCriteriaId": "BEA3846D-54C5-4B92-86B6-6AC482C2B357", "versionEndExcluding": "8.7.1.10", "versionStartIncluding": "8.7.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:o:arubanetworks:instant:*:*:*:*:*:*:*:*", "matchCriteriaId": "B32D91E1-3034-4E05-8FBA-98EF4562F3FE", "versionEndExcluding": "8.10.0.2", "versionStartIncluding": "8.10.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:siemens:scalance_w1750d_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "065280B2-6EC1-4721-B3D7-EDE44ED4F5BD", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:siemens:scalance_w1750d:-:*:*:*:*:*:*:*", "matchCriteriaId": "FBC30055-239F-4BB1-B2D1-E5E35F0D8911", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "A vulnerability in the Aruba InstantOS and ArubaOS 10 web management interface could allow an unauthenticated remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the interface. A successful exploit could allow an attacker to execute arbitrary script code in a victim\u2019s browser in the context of the affected interface of Aruba InstantOS 6.4.x: 6.4.4.8-4.2.4.20 and below; Aruba InstantOS 6.5.x: 6.5.4.23 and below; Aruba InstantOS 8.6.x: 8.6.0.18 and below; Aruba InstantOS 8.7.x: 8.7.1.9 and below; Aruba InstantOS 8.10.x: 8.10.0.1 and below; ArubaOS 10.3.x: 10.3.1.0 and below; Aruba has released upgrades for Aruba InnstantOS that address this security vulnerability."}, {"lang": "es", "value": "Una vulnerabilidad en la interfaz de administraci\u00f3n web de Aruba InstantOS y ArubaOS versi\u00f3n 10 ,podr\u00eda permitir a un atacante remoto no autenticado conducir un ataque de tipo cross-site scripting (XSS) almacenado contra un usuario de la interfaz. Una explotaci\u00f3n con \u00e9xito podr\u00eda permitir a un atacante ejecutar c\u00f3digo de script arbitrario en el navegador de una v\u00edctima en el contexto de la interfaz afectada de Aruba InstantOS versiones 6.4.x: 6.4.4.8-4.2.4.20 y anteriores; Aruba InstantOS 6.5.x: 6.5.4.23 y anteriores; Aruba InstantOS 8. 6.x: 8.6.0.18 y anteriores; Aruba InstantOS 8.7.x: 8.7.1.9 y anteriores; Aruba InstantOS 8.10.x: 8.10.0.1 y anteriores; ArubaOS 10.3.x: 10.3.1.0 y anteriores; Aruba ha publicado actualizaciones para Aruba InstantOS que abordan esta vulnerabilidad de seguridad"}], "id": "CVE-2022-37892", "lastModified": "2022-11-09T03:58:36.430", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-10-07T18:15:21.497", "references": [{"source": "security-alert@hpe.com", "tags": ["Third Party Advisory"], "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-506569.pdf"}, {"source": "security-alert@hpe.com", "tags": ["Vendor Advisory"], "url": "https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2022-014.txt"}], "sourceIdentifier": "security-alert@hpe.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}