HP Client Security Manager 8.3.4 Cross-Site Scripting Vulnerability

Title: HP Client Security Manager 8.3.4 Cross-Site Scripting Vulnerability
Advisory ID: ZSL-2016-5299
Type: Local/Remote
Impact: Cross-Site Scripting
Risk: (3/5)
Release Date: 28.01.2016
Summary
HP Client Security Manager provides enhanced Windows login and website single-sign-on capabilities. Security Manager is also the host for HP Client Security plugins and should be installed before other Client Security modules. This package is provided for supported notebook models running a supported operating system.
Description
HP Client Security Manager is prone to XSS attacks because it does not sanitize data from HTML forms. This makes any site vulnerable, even when the site itself has no XSS flaw.
Vendor
HP Inc. - http://www.hp.com
Affected Version
8.3.4.1811
Tested On
Microsoft Windows 7 Professional SP1 (EN)
Microsoft Windows 7 Ultimate SP1 (EN)
Vendor Status
[09.10.2015] Vulnerability discovered.
[10.10.2015] Vendor contacted.
[12.10.2015] Vendor responds asking for more details.
[13.10.2015] Sent details to the vendor.
[04.11.2015] Vendor is working on the issue.
[11.01.2016] Asked vendor for status update.
[17.01.2016] No reply from the vendor.
[18.01.2016] Asked vendor for status update.
[27.01.2016] No response from the vendor.
[28.01.2016] Public security advisory released.
[28.01.2016] Vendor promises fix in the next release on 26.02.2016.
PoC
hpcsm_xss.txt
Credits
Vulnerability discovered by Ewerson Guimaraes - <crash@zeroscience.mk>
References
[1] https://packetstormsecurity.com/files/135570
[2] https://cxsecurity.com/issue/WLB-2016020023
[3] http://www.securityfocus.com/bid/82406
[4] https://exchange.xforce.ibmcloud.com/vulnerabilities/110333
Changelog
[28.01.2016] - Initial release
[31.01.2016] - Added vendor status
[02.02.2016] - Added reference [1] and [2]
[14.02.2016] - Added reference [3] and [4]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk