// For flags

CVE-2016-8526

Aruba AirWave 8.2.3 - XML External Entity Injection / Cross-Site Scripting

Severity Score

8.8
*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

1
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

Aruba Airwave all versions up to, but not including, 8.2.3.1 is vulnerable to an XML external entities (XXE). XXEs are a way to permit XML parsers to access storage that exist on external systems. If an unprivileged user is permitted to control the contents of XML files, XXE can be used as an attack vector. Because the XML parser has access to the local filesystem and runs with the permissions of the web server, it can access any file that is readable by the web server and copy it to an external system of the attacker's choosing. This could include files that contain passwords, which could then lead to privilege escalation.

Aruba Airwave, en todas las versiones hasta la 8.2.3.1 (no incluida), es vulnerable a XEE (XML External Entity). Los XEE son una forma de permitir que los analizadores XML accedan al almacenamiento de sistemas externos. Si se le permite a un usuario sin privilegios controlar el contenido de archivos XML, XEE puede emplearse como vector de ataque. Debido a que el analizador XML tiene acceso al sistema de archivos local y se ejecuta con los permisos del servidor web, puede acceder a cualquier archivo que sea legible por el servidor web y copiarlo a un sistema externo escogido por el atacante. Esto podría incluir archivos que contienen contraseñas, lo que podría conducir a un escalado de privilegios.

Aruba AirWave versions 8.2.3 and below suffer from XXE injection and cross site scripting vulnerabilities.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Attack Vector
Network
Attack Complexity
Low
Authentication
Single
Confidentiality
Partial
Integrity
None
Availability
None
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2016-10-07 CVE Reserved
  • 2017-03-01 CVE Published
  • 2024-05-21 EPSS Updated
  • 2024-08-06 CVE Updated
  • 2024-08-06 First Exploit
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
  • CWE-611: Improper Restriction of XML External Entity Reference
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Hp
Search vendor "Hp"
Airwave
Search vendor "Hp" for product "Airwave"
< 8.2.3.1
Search vendor "Hp" for product "Airwave" and version " < 8.2.3.1"
-
Affected