CVE-2015-1389

Name of the Vulnerable Software and Affected Versions Aruba Networks ClearPass Policy Manager versions prior to 6.4.5

Description A cross-site scripting (XSS) issue allows remote attackers to inject arbitrary web script or HTML via the username parameter to the "tips/tipsLoginSubmit.action" API endpoint.

Recommendations For versions prior to 6.4.5, update to version 6.4.5 or later to resolve the issue. As a temporary workaround, consider restricting access to the "tips/tipsLoginSubmit.action" API endpoint to minimize the risk of exploitation. Avoid using the username parameter in the affected API endpoint until the issue is resolved.