ArubaOS WebMgmt XSS: Authenticated Remote Stored Attack
CVE-2023-22778 Published on March 1, 2023
Authenticated Stored Cross-Site Scripting
A vulnerability in the ArubaOS web management interface could allow an authenticated remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the interface. A successful exploit could allow an attacker to execute arbitrary script code in a victim's browser in the context of the affected interface.
Vulnerability Analysis
CVE-2023-22778 is exploitable with network access, requires user interaction and user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality and integrity, and no impact on availability.
Weakness Type
What is a XSS Vulnerability?
The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CVE-2023-22778 has been classified to as a XSS vulnerability or weakness.
Products Associated with CVE-2023-22778
stack.watch emails you whenever new vulnerabilities are published in Aruba Networks Arubaos or Aruba Networks Sd Wan. Just hit a watch button to start following.
Affected Versions
Hewlett Packard Enterprise (HPE) Aruba Mobility Conductor (formerly Mobility Master); Aruba Mobility Controllers; WLAN Gateways and SD-WAN Gateways managed by Aruba Central:- Version ArubaOS 8.6.x.x: 8.6.0.19 and below is affected.
- Version ArubaOS 8.10.x.x: 8.10.0.4 and below is affected.
- Version ArubaOS 10.3.x.x: 10.3.1.0 and below is affected.
- Version SD-WAN 8.7.0.0-2.3.0.x: 8.7.0.0-2.3.0.8 and below is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.