Hi,

Linked is a gist detailing a few vulnerabilities I found in HP Release
Control 9.20.0000, Build 395.

You can download it on the On-premise software tab here:
http://www8.hp.com/us/en/software-solutions/software.html?compURI=1350467#.U3aJWl5-_8s

Basically, the first request an admin makes when on the user
configuration page when poplulating the user grid any user can make.
Using this, you can find out the admin's ID (and password hash!), which
can be used when sending a request to the password change AMF endpoint
to change the admin password. After that, you can log in as admin, then
exploit an XXE vuln in the dashboard import mechanism.

For some reason it always fails to login as the admin the first run. I
am not sure if it is a race condition or what, but just rerun it. A
sample run is included at the bottom of the module.

https://gist.github.com/brandonprry/1ed5633fa7ba18538f02