CVE-2009-3843

HP Operations Manager - Access Control

Title source: rule

Description

HP Operations Manager 8.10 on Windows contains a "hidden account" in the XML file that specifies Tomcat users, which allows remote attackers to conduct unrestricted file upload attacks, and thereby execute arbitrary code, by using the org.apache.catalina.manager.HTMLManagerServlet class to make requests to manager/html/upload.

Exploits (1)

exploitdb WORKING POC

rubyremotemultiple

https://www.exploit-db.com/exploits/16317

View on exploitdb

References (6)

[Mailing List] http://marc.info/?l=bugtraq&m=125873415424980&w=2

[Vendor Advisory] http://secunia.com/advisories/37444

[Third Party Advisory] http://www.zerodayinitiative.com/advisories/ZDI-09-085/

[Third Party Advisory, VDB Entry] https://exchange.xforce.ibmcloud.com/vulnerabilities/54361

[Third Party Advisory, VDB Entry] http://www.osvdb.org/60317

[Third Party Advisory, VDB Entry] http://securitytracker.com/id?1023222

Scores

EPSS 0.8683

EPSS Percentile 99.4%

Classification

CWE

CWE-264

Status draft

Affected Products (1)

hp/operations_manager

Timeline

Published Nov 24, 2009

Tracked Since Feb 18, 2026