HP Security Products Blog
From applications to infrastructure, enterprises and governments alike face a constant barrage of digital attacks designed to steal data, cripple networks, damage brands, and perform a host of other malicious intents. HP Enterprise Security Products offers products and services that help organizations meet the security demands of a rapidly changing and more dangerous world. HP ESP enables businesses and institutions to take a proactive approach to security that integrates information correlation, deep application analysis and network-level defense mechanisms—unifying the components of a complete security program and reducing risk across your enterprise. In this blog, we will announce the latest offerings from HP ESP, discuss current trends in vulnerability research and technology, reveal new HP ESP security initiatives and promote our upcoming appearances and speaking engagements.

Top Five Web Application Vulnerabilities 10/27/09 - 11/8/09

1) HP Power Manager Management Web Server Login Remote Code Execution Vulnerability

HP Power Manager is susceptible to a remote code execution vulnerability via the login form of the web based management web server due to improper bounds-checking of user-supplied data. Exploitation of this vulnerability can give an attacker the means to enact SYSTEM level commands and possibly lead to a complete compromise of the affected system. Even failed attempts will likely cause a denial-of-service condition. Updates which resolve this issue have been released. Contact the vendor for additional information.


2) Oracle WebLogic Server Administration Console HTML Injection Vulnerability

Oracle WebLogic Server is susceptible to an HTML Injection vulnerability via the Web Administration Console. HTML Injection is used to add content into a web server’s response, which can then be used to steal cookie-based authentication credentials, execute arbitrary code in context of the site, or simply alter how the site appears. Updates which address this issue are available. Contact the vendor for more details.


3) Xerox Fiery WebTools 'summary.php' SQL Injection Vulnerability

Xerox Fiery WebTools is susceptible to a SQL Injection vulnerability. SQL Injection can give an attacker full access to a backend database, and in certain circumstances can be utilized to take complete control of a system. A fix has not yet been released. Contact the vendor for more information.


4) IBM Lotus Connections Mobile Activities Pages Cross-Site Scripting Vulnerability

IBM Lotus Connections is susceptible to a Cross-Site Scripting vulnerability. An attacker can leverage this to execute script code in the browsers of unsuspecting users in context of the affected application, possibly leading to theft of authentication credentials and other attacks. Updates which resolve this issue have been released. Contact the vendor for further details.


5) Roundcube Webmail Multiple Cross-Site Request Forgery Vulnerabilities

Roundcube Webmail is susceptible to multiple instances of Cross-Site Request Forgery. Cross-Site Request Forgery leverages the trust a web application places in a user to make authenticated requests that appear completely legitimate, and can be used to abuse any type of functionality the web application contains. Updates which resolve these issues have been released. Contact the vendor for additional information.


Showing results for 
Search instead for 
Do you mean 
About the Author(s)
HP Blog

HP Software Solutions Blog


Follow Us
The opinions expressed above are the personal opinions of the authors, not of HP. By using this site, you accept the Terms of Use and Rules of Participation.