CVE-2009-3843

HP Operations Manager 8.10 on Windows contains a "hidden account" in the XML file that specifies Tomcat users, which allows remote attackers to conduct unrestricted file upload attacks, and thereby execute arbitrary code, by using the org.apache.catalina.manager.HTMLManagerServlet class to make requests to manager/html/upload.

Published: Nov 24, 2009
Updated: Apr 13, 2023
CVE: CVE-2009-3843
Severity: High
Exploit:

CVSS v2:

Severity: High
Score: 10
AV:N/AC:L/Au:N/C:C/I:C/A:C

CWEs:

CWE-264

Affected Software
References

Software	From	Fixed in
hp / operations_manager	8.10	8.10.x

http://marc.info/?l=bugtraq&m=125873415424980&w=2
http://secunia.com/advisories/37444
http://securitytracker.com/id?1023222
http://www.osvdb.org/60317
http://www.zerodayinitiative.com/advisories/ZDI-09-085/
https://exchange.xforce.ibmcloud.com/vulnerabilities/54361

Vulnerability Database

289,697

CVE-2009-3843