8.8

CVE-2023-35971

A vulnerability in the ArubaOS web-based management interface could allow an unauthenticated remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the interface. A successful exploit could allow an attacker to execute arbitrary script code in a victim's browser in the context of the affected interface.

Data is provided by the National Vulnerability Database (NVD)
ArubanetworksArubaos Version >= 6.5.4.0 < 8.6.0.21
   ArubanetworksMc-va-10 Version-
   ArubanetworksMc-va-1k Version-
   ArubanetworksMc-va-250 Version-
   ArubanetworksMc-va-50 Version-
   ArubanetworksMcr-va-10k Version-
   ArubanetworksMcr-va-1k Version-
   ArubanetworksMcr-va-50 Version-
   ArubanetworksMcr-va-500 Version-
   ArubanetworksMcr-va-5k Version-
   ArubanetworksSd-wan Version-
   ArubanetworksMcr-hw-10k Version-
   ArubanetworksMcr-hw-1k Version-
   ArubanetworksMcr-hw-5k Version-
ArubanetworksArubaos Version >= 8.7.0.0 < 8.10.0.7
   ArubanetworksMc-va-10 Version-
   ArubanetworksMc-va-1k Version-
   ArubanetworksMc-va-250 Version-
   ArubanetworksMc-va-50 Version-
   ArubanetworksMcr-va-10k Version-
   ArubanetworksMcr-va-1k Version-
   ArubanetworksMcr-va-50 Version-
   ArubanetworksMcr-va-500 Version-
   ArubanetworksMcr-va-5k Version-
   ArubanetworksSd-wan Version-
   ArubanetworksMcr-hw-10k Version-
   ArubanetworksMcr-hw-1k Version-
   ArubanetworksMcr-hw-5k Version-
ArubanetworksArubaos Version >= 8.11.0.0 < 8.11.1.1
   ArubanetworksMc-va-10 Version-
   ArubanetworksMc-va-1k Version-
   ArubanetworksMc-va-250 Version-
   ArubanetworksMc-va-50 Version-
   ArubanetworksMcr-va-10k Version-
   ArubanetworksMcr-va-1k Version-
   ArubanetworksMcr-va-50 Version-
   ArubanetworksMcr-va-500 Version-
   ArubanetworksMcr-va-5k Version-
   ArubanetworksSd-wan Version-
   ArubanetworksMcr-hw-10k Version-
   ArubanetworksMcr-hw-1k Version-
   ArubanetworksMcr-hw-5k Version-
ArubanetworksArubaos Version >= 10.4.0.0 < 10.4.0.2
   ArubanetworksMc-va-10 Version-
   ArubanetworksMc-va-1k Version-
   ArubanetworksMc-va-250 Version-
   ArubanetworksMc-va-50 Version-
   ArubanetworksMcr-va-10k Version-
   ArubanetworksMcr-va-1k Version-
   ArubanetworksMcr-va-50 Version-
   ArubanetworksMcr-va-500 Version-
   ArubanetworksMcr-va-5k Version-
   ArubanetworksSd-wan Version-
   ArubanetworksMcr-hw-10k Version-
   ArubanetworksMcr-hw-1k Version-
   ArubanetworksMcr-hw-5k Version-
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
EPSS Metriken
Type Source Score Percentile
EPSS FIRST.org 0.3% 0.527
CVSS Metriken
Source Base Score Exploit Score Impact Score Vector string
nvd@nist.gov 6.1 2.8 2.7
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
security-alert@hpe.com 8.8 2.1 6
CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.