CVE-2013-3575
Description
hpdiags/frontend2/help/pageview.php in HP Insight Diagnostics 9.4.0.4710 does not properly restrict PHP include or require statements, which allows remote attackers to include arbitrary hpdiags/frontend2/help/ .html files via the path parameter.
Predictions
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
No mitigations published for this CVE yet.
The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or โ if you've already worked around this in production โ publish your fix to the community-verified tier.
โ Propose a mitigation on Community โ Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here withsource_tier=community-verified.
Exploits
Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.
Exploit-DB
HP Insight Diagnostics 9.4.0.4710 - Local File Inclusion
source: https://www.securityfocus.com/bid/60449/info
HP Insight Diagnostics is prone to a local file include vulnerability because it fails to adequately validate user-supplied input.
An attacker can exploit this vulnerability to obtain potentially sensitive information and execute arbitrary local scripts. This could allow the attacker to compromise the application and the computer; other attacks are also possible.
HP Insight Diagnostics 9.4.0.4710 is vulnerable; other versions may also be affected.
https://www.example.com/hpdiags/frontend2/help/pageview.php?path=comparesurvey.html Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| hp | insight_diagnostics | 9.4.0.4710 | |
References
CWEs
CWE-20
Community-verified mitigations for this CVE will appear above when contributors publish them.
Verify integrity in audit chain (admin only). AS-IS.