CVE-2021-26589
MEDIUMHPE Superdome Flex Firmware < 3.40.106 - Cross-Site Scripting via Missing HttpOnly Attribute in Session Cookie
Title source: llmDescription
A potential security vulnerability has been identified in HPE Superdome Flex Servers. The vulnerability could be remotely exploited to allow Cross Site Scripting (XSS) because the Session Cookie is missing an HttpOnly Attribute. HPE has provided a firmware update to resolve the vulnerability in HPE Superdome Flex Servers.
References (1)
Core 1
Core References
Vendor Advisory x_refsource_misc
https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf04199en_us
Scores
CVSS v3
6.1
EPSS
0.0053
EPSS Percentile
40.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Details
CWE
CWE-732
Status
published
Products (2)
hpe/superdome_flex_280_firmware
< 3.40.106
hpe/superdome_flex_firmware
< 3.40.106
Published
Oct 19, 2021
Tracked Since
Feb 18, 2026