Vulnerabilities > CVE-2012-3260 - Unspecified vulnerability in HP Sitescope 11.10/11.11/11.12

047910
CVSS 10.0 - CRITICAL
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
COMPLETE
Integrity impact
COMPLETE
Availability impact
COMPLETE
network
low complexity
hp
critical
metasploit

Summary

Unspecified vulnerability in a SOAP feature in HP SiteScope 11.10 through 11.12 allows remote attackers to execute arbitrary code via unknown vectors, aka ZDI-CAN-1462.

Vulnerable Configurations

Part Description Count
Application
Hp
3

Metasploit

descriptionThis module exploits a code execution flaw in HP SiteScope. It exploits two vulnerabilities in order to get its objective. An authentication bypass in the create operation, available through the APIPreferenceImpl AXIS service, to create a new account with empty credentials and, subsequently, uses the new account to abuse the UploadManagerServlet and upload an arbitrary payload embedded in a JSP. The module has been tested successfully on HP SiteScope 11.20 over Windows 2003 SP2 and Linux CentOS 6.3.
idMSF:EXPLOIT/MULTI/HTTP/HP_SITESCOPE_UPLOADFILESHANDLER
last seen2020-06-07
modified2019-08-02
published2012-09-06
references
reporterRapid7
sourcehttps://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/http/hp_sitescope_uploadfileshandler.rb
titleHP SiteScope Remote Code Execution