CVE-2023-39266 – Unauthenticated Stored Cross-Site Scripting in ArubaOS-Switch
https://notcve.org/view.php?id=CVE-2023-39266
A vulnerability in the ArubaOS-Switch web management interface could allow an unauthenticated remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the interface provided certain configuration options are present. A successful exploit could allow an attacker to execute arbitrary script code in a victim's browser in the context of the affected interface. • https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2023-013.txt • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2023-3718 – Authenticated Command Injection Vulnerability in AOS-CX Command Line Interface
https://notcve.org/view.php?id=CVE-2023-3718
An authenticated command injection vulnerability exists in the AOS-CX command line interface. Successful exploitation of this vulnerability results in the ability to execute arbitrary commands on the underlying operating system as a privileged user on the affected switch. This allows an attacker to fully compromise the underlying operating system on the device running AOS-CX. • https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2023-010.txt • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVE-2023-30906
https://notcve.org/view.php?id=CVE-2023-30906
The vulnerability could be locally exploited to allow escalation of privilege. • https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=hpesbhf04486en_us •
CVE-2023-30905
https://notcve.org/view.php?id=CVE-2023-30905
The MC990 X and UV300 RMC component has an inadequate default configuration that could be exploited to obtain enhanced privilege. • https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=hpesbhf04473en_us •
CVE-2023-30904
https://notcve.org/view.php?id=CVE-2023-30904
A security vulnerability in HPE Insight Remote Support may result in the local disclosure of privileged LDAP information. • https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=hpesbgn04487en_us •