CVE-2024-51773

A vulnerability in the HPE Aruba Networking ClearPass Policy Manager web-based management interface could allow an authenticated remote Attacker to conduct a stored cross-site scripting (XSS) attack. Successful exploitation could enable a threat actor to perform any actions the user is authorized to do, including accessing the user's data and altering information within the user's permissions. This could lead to data modification, deletion, or theft, including unauthorized access to files, file deletion, or the theft of session cookies, which an attacker could use to hijack a user's session.

CVSS v3 4.8 MEDIUM

4.8^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.7 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04761en_us&docLocale=en_US	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:arubanetworks:clearpass_policy_manager::::::::
	cpe:2.3:a:arubanetworks:clearpass_policy_manager::::::::

History

07 Apr 2025, 15:02

Type	Values Removed	Values Added
References	~~() https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04761en_us&docLocale=en_US -~~	() https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04761en_us&docLocale=en_US - Vendor Advisory
CPE		cpe:2.3:a:arubanetworks:clearpass_policy_manager::::::::
First Time		Arubanetworks Arubanetworks clearpass Policy Manager

Information

Published : 2024-12-03 21:15

Updated : 2025-04-07 15:02

NVD link : CVE-2024-51773

Mitre link : CVE-2024-51773

CVE.ORG link : CVE-2024-51773

JSON object : View

Products Affected

arubanetworks

clearpass_policy_manager

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2024-51773", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-alert@hpe.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 4.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 1.7}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.3}]}, "published": "2024-12-03T21:15:07.280", "references": [{"url": "https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04761en_us&docLocale=en_US", "tags": ["Vendor Advisory"], "source": "security-alert@hpe.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability in the HPE Aruba Networking ClearPass Policy Manager web-based management interface could allow an authenticated remote Attacker to conduct a stored cross-site scripting (XSS) attack. Successful exploitation could enable a threat actor to perform any actions the user is authorized to do, including accessing the user's data and altering information within the user's permissions. This could lead to data modification, deletion, or theft, including unauthorized access to files, file deletion, or the theft of session cookies, which an attacker could use to hijack a user's session."}, {"lang": "es", "value": "Una vulnerabilidad en la interfaz de administraci\u00f3n basada en web de ClearPass Policy Manager de HPE Aruba Networking podr\u00eda permitir que un atacante remoto autenticado realice un ataque de cross-site scripting (XSS) almacenado. Una explotaci\u00f3n exitosa podr\u00eda permitir que un actor de amenazas realice cualquier acci\u00f3n que el usuario est\u00e9 autorizado a realizar, incluido el acceso a los datos del usuario y la alteraci\u00f3n de la informaci\u00f3n dentro de los permisos del usuario. Esto podr\u00eda provocar la modificaci\u00f3n, eliminaci\u00f3n o robo de datos, incluido el acceso no autorizado a archivos, la eliminaci\u00f3n de archivos o el robo de cookies de sesi\u00f3n, que un atacante podr\u00eda usar para secuestrar la sesi\u00f3n de un usuario."}], "lastModified": "2025-04-07T15:02:49.517", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:arubanetworks:clearpass_policy_manager:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2788E2CB-BCF1-4FAB-BB44-9C82649C6C00", "versionEndExcluding": "6.11.10", "versionStartIncluding": "6.11.0"}, {"criteria": "cpe:2.3:a:arubanetworks:clearpass_policy_manager:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4E297B74-2DC0-4EDA-B114-37A0257059FF", "versionEndExcluding": "6.12.3", "versionStartIncluding": "6.12.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-alert@hpe.com"}