Vulnerabilities > CVE-2012-3260 - Unspecified vulnerability in HP Sitescope 11.10/11.11/11.12
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
COMPLETE Integrity impact
COMPLETE Availability impact
COMPLETE Summary
Unspecified vulnerability in a SOAP feature in HP SiteScope 11.10 through 11.12 allows remote attackers to execute arbitrary code via unknown vectors, aka ZDI-CAN-1462.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | 3 |
Metasploit
description | This module exploits a code execution flaw in HP SiteScope. It exploits two vulnerabilities in order to get its objective. An authentication bypass in the create operation, available through the APIPreferenceImpl AXIS service, to create a new account with empty credentials and, subsequently, uses the new account to abuse the UploadManagerServlet and upload an arbitrary payload embedded in a JSP. The module has been tested successfully on HP SiteScope 11.20 over Windows 2003 SP2 and Linux CentOS 6.3. |
id | MSF:EXPLOIT/MULTI/HTTP/HP_SITESCOPE_UPLOADFILESHANDLER |
last seen | 2020-06-07 |
modified | 2019-08-02 |
published | 2012-09-06 |
references | |
reporter | Rapid7 |
source | https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/http/hp_sitescope_uploadfileshandler.rb |
title | HP SiteScope Remote Code Execution |