Category:   Application (Generic)  >   HPE Intelligent Management Center
Vendors:   HPE
HPE Intelligent Management Center PLAT Multiple JSF Expression Language Injection Flaws Let Remote Authenticated Users Execute Arbitrary Code on the Target System
SecurityTracker Alert ID:  1039152
SecurityTracker URL:
CVE Reference:   CVE-2017-12487, CVE-2017-12488, CVE-2017-12489, CVE-2017-12490, CVE-2017-12491, CVE-2017-12492, CVE-2017-12493, CVE-2017-12494, CVE-2017-12495, CVE-2017-12496, CVE-2017-12497, CVE-2017-12498, CVE-2017-12499, CVE-2017-12500, CVE-2017-12501, CVE-2017-12502, CVE-2017-12503, CVE-2017-12504, CVE-2017-12505, CVE-2017-12506, CVE-2017-12507, CVE-2017-12508, CVE-2017-12509, CVE-2017-12510, CVE-2017-12511, CVE-2017-12512, CVE-2017-12513, CVE-2017-12514, CVE-2017-12515, CVE-2017-12516, CVE-2017-12517, CVE-2017-12518, CVE-2017-12519, CVE-2017-12520, CVE-2017-12521, CVE-2017-12522, CVE-2017-12523, CVE-2017-12524, CVE-2017-12525, CVE-2017-12526, CVE-2017-12527, CVE-2017-12528, CVE-2017-12529, CVE-2017-12530, CVE-2017-12531, CVE-2017-12532, CVE-2017-12533, CVE-2017-12534, CVE-2017-12535, CVE-2017-12536, CVE-2017-12537, CVE-2017-12538, CVE-2017-12539, CVE-2017-12540, CVE-2017-12541
Date:  Aug 15 2017
Impact:   Execution of arbitrary code via network, Root access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): iMC PLAT 7.3 (E0504)
Description:   Multiple vulnerabilities were reported in HPE Intelligent Management Center PLAT. A remote authenticated user can execute arbitrary code on the target system.

A remote authenticated user can send specially crafted beanName parameter values to exploit an input validation flaw, inject JavaServer Faces (JSF) expressions, and execute arbitrary code on the target system. The code will run with System privileges.
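
A detection sketch for the beanName flaw described above, added here as an example and not taken from the SecurityTracker or HPE advisories: it scans web access-log lines for beanName query values that contain EL delimiters or characters outside a plain identifier. The log format, the placeholder path and the identifier allowlist are assumptions; values sent in POST bodies do not appear in access logs and need request-body inspection instead.

```python
import re
from urllib.parse import parse_qsl, unquote

EL_DELIM = re.compile(r"[#$]\{")  # Unified EL: deferred "#{" and immediate "${"
# Assumption: a legitimate bean name is a plain dotted identifier.
BEAN_NAME_OK = re.compile(r"[A-Za-z_][A-Za-z0-9_.]{0,127}")
REQUEST = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')

def fully_decode(value, max_rounds=3):
    """Undo layered percent-encoding so %2523%257B is still seen as '#{'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify_bean_name(raw):
    """Return a reason string for a suspicious value, or None if it looks normal."""
    value = fully_decode(raw)
    if EL_DELIM.search(value):
        return "el-expression"
    if not BEAN_NAME_OK.fullmatch(value):
        return "unexpected-characters"
    return None

def scan_access_log(lines):
    """Return (line number, reason, decoded value) for each suspicious beanName."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        match = REQUEST.search(line)
        if not match:
            continue
        # Split on the first '?' by hand: urlsplit would cut the query at a raw '#'.
        query = match.group("target").partition("?")[2]
        for key, raw in parse_qsl(query, keep_blank_values=True):
            if key.lower() == "beanname":
                reason = classify_bean_name(raw)
                if reason:
                    findings.append((lineno, reason, fully_decode(raw)))
    return findings

# Constructed sample lines; the path is a placeholder, not a real iMC URL.
SAMPLE_LOG = [
    '192.0.2.10 - alice [15/Aug/2017:10:00:01 +0000] "GET /example/page.xhtml?beanName=reportBean HTTP/1.1" 200 512',
    '192.0.2.11 - bob [15/Aug/2017:10:00:07 +0000] "GET /example/page.xhtml?beanName=%23%7B7*7%7D HTTP/1.1" 200 498',
    '192.0.2.11 - bob [15/Aug/2017:10:00:09 +0000] "GET /example/page.xhtml?beanName=%2523%257B7*7%257D HTTP/1.1" 200 498',
    '192.0.2.12 - carol [15/Aug/2017:10:01:30 +0000] "GET /example/page.xhtml?id=4&beanName=report%20Bean%3B HTTP/1.1" 500 120',
]
```

Calling `scan_access_log(SAMPLE_LOG)` flags lines 2 to 4; hits on a release earlier than the fixed one warrant review of the authenticated session that sent them.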

The original advisories are available at:

Steven Seeley (mr_me) (via Trend Micro's Zero Day Initiative) reported these vulnerabilities.

Impact:   A remote authenticated user can execute arbitrary code with System level privileges on the target system.
Solution:   HPE has issued a fix (iMC PLAT 7.3 (E0506)).

The HPE advisory is available at:

Vendor URL:
Cause:   Input validation error
Underlying OS:  Linux (Red Hat Enterprise), Windows (Any)

Message History:   None.
