Aerohive Hive Manager Multiple Security Vulnerabilities
BID:69450
Info
| Bugtraq ID: | 69450 |
| Class: | Design Error |
| CVE: | |
| Remote: | Yes |
| Local: | No |
| Published: | Aug 28 2014 12:00AM |
| Updated: | Aug 28 2014 12:00AM |
| Credit: | Denis Andzakovic, Scott Bell, Nick Freeman, Thomas Hibbert, Carl Purvis, and Pedro Worcel |
| Vulnerable: | |
| Not Vulnerable: | |
Discussion
Aerohive Hive Manager is prone to the following security vulnerabilities:
1. A directory-traversal vulnerability
2. Multiple arbitrary file-upload vulnerabilities
3. A remote code-execution vulnerability
4. Multiple information-disclosure vulnerabilities
5. Multiple cross-site scripting vulnerabilities
6. Multiple security-bypass vulnerabilities
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, bypass certain security restrictions, obtain potentially sensitive information, upload arbitrary files, and execute arbitrary code in the context of the device.
Exploit / POC
An attacker can use a browser or readily available tools to exploit these issues. To exploit a cross-site scripting issue, the attacker must entice an unsuspecting victim to follow a malicious URI.
Solution / Fix
Solution:
Reportedly, the issue is fixed; however, Symantec has not confirmed this. Please contact the vendor for more information.