CVE-2022-43525

Multiple vulnerabilities within the web-based management interface of Aruba EdgeConnect Enterprise Orchestrator could allow a remote attacker to conduct a reflected cross-site scripting (XSS) attack against a user of the interface. A successful exploit could allow an attacker to execute arbitrary script code in a victim’s browser in the context of the affected interface in Aruba EdgeConnect Enterprise Orchestration Software version(s): Aruba EdgeConnect Enterprise Orchestrator (on-premises), Aruba EdgeConnect Enterprise Orchestrator-as-a-Service, Aruba EdgeConnect Enterprise Orchestrator-SP and Aruba EdgeConnect Enterprise Orchestrator Global Enterprise Tenant Orchestrators – Orchestrator 9.2.1.40179 and below, – Orchestrator 9.1.4.40436 and below, – Orchestrator 9.0.7.40110 and below, – Orchestrator 8.10.23.40015 and below, – Any older branches of Orchestrator not specifically mentioned.

Source: CVE-2022-43525

CVE-2022-37934

A potential security vulnerability has been identified in HPE OfficeConnect 1820, and 1850 switch series. The vulnerability could be remotely exploited to allow remote directory traversal in HPE OfficeConnect 1820 switch series version PT.02.17 and below, HPE OfficeConnect 1850 switch series version PC.01.23 and below, and HPE OfficeConnect 1850 (10G aggregator) switch version PO.01.22 and below.

Source: CVE-2022-37934

CVE-2022-43522

Multiple vulnerabilities in the web-based management interface of Aruba EdgeConnect Enterprise Orchestrator could allow an authenticated remote attacker to conduct SQL injection attacks against the Aruba EdgeConnect Enterprise Orchestrator instance. An attacker could exploit these vulnerabilities to obtain and modify sensitive information in the underlying database potentially leading to complete compromise of the Aruba EdgeConnect Enterprise Orchestrator host in Aruba EdgeConnect Enterprise Orchestration Software version(s): Aruba EdgeConnect Enterprise Orchestrator (on-premises), Aruba EdgeConnect Enterprise Orchestrator-as-a-Service, Aruba EdgeConnect Enterprise Orchestrator-SP and Aruba EdgeConnect Enterprise Orchestrator Global Enterprise Tenant Orchestrators – Orchestrator 9.2.1.40179 and below, – Orchestrator 9.1.4.40436 and below, – Orchestrator 9.0.7.40110 and below, – Orchestrator 8.10.23.40015 and below, – Any older branches of Orchestrator not specifically mentioned.

Source: CVE-2022-43522

CVE-2022-43520

Multiple vulnerabilities in the web-based management interface of Aruba EdgeConnect Enterprise Orchestrator could allow an authenticated remote attacker to conduct SQL injection attacks against the Aruba EdgeConnect Enterprise Orchestrator instance. An attacker could exploit these vulnerabilities to obtain and modify sensitive information in the underlying database potentially leading to complete compromise of the Aruba EdgeConnect Enterprise Orchestrator host in Aruba EdgeConnect Enterprise Orchestration Software version(s): Aruba EdgeConnect Enterprise Orchestrator (on-premises), Aruba EdgeConnect Enterprise Orchestrator-as-a-Service, Aruba EdgeConnect Enterprise Orchestrator-SP and Aruba EdgeConnect Enterprise Orchestrator Global Enterprise Tenant Orchestrators – Orchestrator 9.2.1.40179 and below, – Orchestrator 9.1.4.40436 and below, – Orchestrator 9.0.7.40110 and below, – Orchestrator 8.10.23.40015 and below, – Any older branches of Orchestrator not specifically mentioned.

Source: CVE-2022-43520

CVE-2022-43521

Multiple vulnerabilities in the web-based management interface of Aruba EdgeConnect Enterprise Orchestrator could allow an authenticated remote attacker to conduct SQL injection attacks against the Aruba EdgeConnect Enterprise Orchestrator instance. An attacker could exploit these vulnerabilities to obtain and modify sensitive information in the underlying database potentially leading to complete compromise of the Aruba EdgeConnect Enterprise Orchestrator host in Aruba EdgeConnect Enterprise Orchestration Software version(s): Aruba EdgeConnect Enterprise Orchestrator (on-premises), Aruba EdgeConnect Enterprise Orchestrator-as-a-Service, Aruba EdgeConnect Enterprise Orchestrator-SP and Aruba EdgeConnect Enterprise Orchestrator Global Enterprise Tenant Orchestrators – Orchestrator 9.2.1.40179 and below, – Orchestrator 9.1.4.40436 and below, – Orchestrator 9.0.7.40110 and below, – Orchestrator 8.10.23.40015 and below, – Any older branches of Orchestrator not specifically mentioned.

Source: CVE-2022-43521

CVE-2022-43519

Multiple vulnerabilities in the web-based management interface of Aruba EdgeConnect Enterprise Orchestrator could allow an authenticated remote attacker to conduct SQL injection attacks against the Aruba EdgeConnect Enterprise Orchestrator instance. An attacker could exploit these vulnerabilities to obtain and modify sensitive information in the underlying database potentially leading to complete compromise of the Aruba EdgeConnect Enterprise Orchestrator host in Aruba EdgeConnect Enterprise Orchestration Software version(s): Aruba EdgeConnect Enterprise Orchestrator (on-premises), Aruba EdgeConnect Enterprise Orchestrator-as-a-Service, Aruba EdgeConnect Enterprise Orchestrator-SP and Aruba EdgeConnect Enterprise Orchestrator Global Enterprise Tenant Orchestrators – Orchestrator 9.2.1.40179 and below, – Orchestrator 9.1.4.40436 and below, – Orchestrator 9.0.7.40110 and below, – Orchestrator 8.10.23.40015 and below, – Any older branches of Orchestrator not specifically mentioned.

Source: CVE-2022-43519

CVE-2022-22371

IBM Sterling B2B Integrator Standard Edition 6.0.0.0 through 6.1.2.1 does not invalidate session after a password change which could allow an authenticated user to impersonate another user on the system. IBM X-Force ID: 221195.

Source: CVE-2022-22371

CVE-2021-25223

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate is unused by its CNA. Notes: none.

Source: CVE-2021-25223

CVE-2022-34330

IBM Sterling B2B Integrator Standard Edition 6.0.0.0 through 6.1.2.1 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 229469.

Source: CVE-2022-34330

CVE-2022-37933

A potential security vulnerability has been identified in HPE Superdome Flex and Superdome Flex 280 servers. The vulnerability could be exploited to allow local unauthorized data injection. HPE has made the following software updates to resolve the vulnerability in HPE Superdome Flex firmware 3.60.50 and below and Superdome Flex 280 servers firmware 1.40.60 and below.

Source: CVE-2022-37933