
26 April

[security bulletin] HPSBMA01212 SSRT5998 rev.4 - HP System Management Homepage Running PHP, Remote Denial of Service (DoS), Cross Site Scripting (XSS), Execution of Arbitrary Code

HISTORY
Version:0 (rev.0) - 01 August 2005 Initial release
Version:1 (rev.1) - 09 August 2005 Update Affected Versions
Version:2 (rev.2) - 21 September 2005 Resolution for second XSS available
Version:3 (rev.3) - 26 April 2007 Reformatted
Version:4 (rev.4) - 30 August 2010 New URL for updates, added CVSS scores

Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy.

Support: For further information, contact normal HP Services support channel.

[security bulletin] HPSBMA02667 SSRT100464 rev.3 - HP SiteScope, Cross Site Scripting (XSS) and HTML Injection

Upgrade to v11.1
apply the SS1110110412 hotfix available by contacting your HP Support channel.

HISTORY
Version:1 (rev.1) - 21 April 2011 Initial Release
Version:2 (rev.2) - 26 April 2011 Added supported SiteScope operating platforms
Version:3 (rev.3) - 03 May 2011 Added cumulative fix list

Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy.

Support: For further information, contact normal HP Services support channel.

HTB22976: Multiple XSS (Cross Site Scripting) vulnerabilities in poMMo

Vulnerability ID: HTB22976
Reference: http://www.htbridge.ch/advisory/multiple_xss_cross_site_scripting_vulnerabilities_in_pommo.html
Product: poMMo
Vendor: Brice Burgess ( http://pommo.org/ ) 
Vulnerable Version: Aardvark PR16.1
Vendor Notification: 26 April 2011 
Vulnerability Type: XSS (Cross Site Scripting)
Risk level: Medium 
Credit: High-Tech Bridge SA Security Research Lab ( http://www.htbridge.ch/advisory/ ) 

Vulnerability Details:

[security bulletin] HPSBPV02754 SSRT100803 rev.2 - HP ProCurve 5400 zl Switch, Compact flash card contains trojan malware

http://bizsupport1.austin.hp.com/bc/docs/support/SupportManual/c03277372/c03277372.pdf

HISTORY
Version:1 (rev.1) - 10 April 2012 Initial Release
Version:2 (rev.2) - 26 April 2012 Updated case details and solution choices

Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy.

Support: For issues about implementing the recommendations of this Security Bulletin, contact normal HP Services support channel. For other issues about the content of this Security Bulletin, send e-mail to security-alert@hp.com.


HTB22977: XSRF (CSRF) in poMMo

Vulnerability ID: HTB22977
Reference: http://www.htbridge.ch/advisory/xsrf_csrf_in_pommo.html
Product: poMMo
Vendor: Brice Burgess ( http://pommo.org/ ) 
Vulnerable Version: Aardvark PR16.1
Vendor Notification: 26 April 2011 
Vulnerability Type: CSRF (Cross-Site Request Forgery)
Risk level: Low 
Credit: High-Tech Bridge SA Security Research Lab ( http://www.htbridge.ch/advisory/ ) 

Vulnerability Details:

[security bulletin] HPSBMA02667 SSRT100464 rev.2 - HP SiteScope, Cross Site Scripting (XSS) and HTML Injection

Upgrade to v11.1
apply the SS1110110412 hotfix available by contacting your HP Support channel.

HISTORY
Version:1 (rev.1) - 21 April 2011 Initial Release
Version:2 (rev.2) - 26 April 2011 Added supported SiteScope operating platforms

Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy.

Support: For further information, contact normal HP Services support channel.


[security bulletin] HPSBPI02728 SSRT100692 rev.6 - Certain HP Printers and HP Digital Senders, Remote Firmware Update Enabled by Default

Version:1 (rev.1) - 30 November 2011 Initial release
Version:2 (rev.2) - 23 December 2011 Code signing firmware available
Version:3 (rev.3) - 9 January 2012 Combined tables
Version:4 (rev.4) - 17 February 2012 Added printers, updated firmware versions
Version:5 (rev.5) - 19 March 2012 Added printers, updated firmware versions
Version:6 (rev.6) - 26 April 2012 Added printers, reformatted table

References: CVE-2011-4161

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
Please refer to the RESOLUTION

[security bulletin] HPSBMA02488 SSRT100013 rev.2 - HP ProLiant Support Pack 8.30 for Windows, Remote Code Execution, Information Disclosure

None

HISTORY
Version:1 (rev.1) - 10 February 2010 Initial release
Version:2 (rev.2) - 26 April 2010 Added list of vulnerable components

Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy.

Support: For further information, contact normal HP Services support channel.


New vulnerabilities in CMS SiteLogic

On 26 April 2010 16:16, MustLive <mustlive@websecurity.com.ua> wrote:
>
> It's not a problem for serious hackers. Even those commands which allowed on
> average server are enough for many things ;-).

So what? A SQL injection vulnerability may also be used to write a
file on the system to execute commands, but it isn't a remote command
execution vulnerability. Yours is not a command execution
vulnerability because there is no injection into a command execution
function, such as system(). If you can upload a file not allowed by

HTB22975: SQL injection in Calendarix

Vulnerability ID: HTB22975
Reference: http://www.htbridge.ch/advisory/sql_injection_in_calendarix.html
Product: Calendarix
Vendor: http://www.calendarix.com ( http://www.calendarix.com ) 
Vulnerable Version: 0.8.20080808
Vendor Notification: 26 April 2011 
Vulnerability Type: SQL Injection
Risk level: High 
Credit: High-Tech Bridge SA Security Research Lab ( http://www.htbridge.ch/advisory/ ) 

Vulnerability Details:

HTB22974: Multiple XSS in Calendarix

Vulnerability ID: HTB22974
Reference: http://www.htbridge.ch/advisory/multiple_xss_in_calendarix.html
Product: Calendarix
Vendor: http://www.calendarix.com ( http://www.calendarix.com ) 
Vulnerable Version: 0.8.20080808
Vendor Notification: 26 April 2011 
Vulnerability Type: XSS (Cross Site Scripting)
Risk level: Medium 
Credit: High-Tech Bridge SA Security Research Lab ( http://www.htbridge.ch/advisory/ ) 

Vulnerability Details:
