HPE Aruba Networking EdgeConnect SD-WAN Orchestrator Authenticated Stored Cross-Site Scripting Vulnerability

Vulnerability

A stored cross-site scripting vulnerability has been identified in the web-based management interface of HPE Aruba Networking EdgeConnect SD-WAN Orchestrator. This vulnerability allows an authenticated remote attacker to execute arbitrary script code in the context of the affected interface, potentially leading to unauthorized configuration changes on the host. The issue affects EdgeConnect SD-WAN Orchestrator versions 9.6.0, 9.5.5 and below, and 9.4.4 and below. Additionally, all builds of versions 9.3.x and 9.2.x and older are affected, with the latter being end of maintenance.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the victim's browser, potentially leading to unauthorized changes in the Orchestrator interface.

Remediation

Users are advised to upgrade to EdgeConnect SD-WAN Orchestrator version 9.6.1 and above or 9.5.6 and above. For versions 9.3.6 and above and 9.4.3 and above, this specific vulnerability has already been addressed.

Added: Jan 14, 2026, 5:51 PM
Updated: Jan 14, 2026, 5:51 PM

Vulnerability Rating

Custom Algorithm

spread: 1.9
impact: 3.5
exploitability: 4.6
remediation: 8.3
relevance: 2.1
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.