CVE-2016-8527

Aruba AirWave 8.2.3 - XML External Entity Injection / Cross-Site Scripting

Summary
  • Severity Score: 6.1 (CVSS v3)
  • Exploit Likelihood (EPSS): not listed
  • Affected Versions (CPE): see Affected Vendors, Products, and Versions below
  • Public Exploits: 1 (multiple sources)
  • Exploited in Wild (KEV): -
  • Decision (SSVC): -
Descriptions

Aruba AirWave, all versions up to but not including 8.2.3.1, is vulnerable to reflected cross-site scripting (XSS). The vulnerability is present in the VisualRF component of AirWave. By exploiting this vulnerability, an attacker who can trick a logged-in AirWave administrative user into clicking a link could obtain sensitive information, such as session cookies or passwords. The vulnerability requires that an administrative user click the malicious link while logged into AirWave in the same browser.

Aruba AirWave versions 8.2.3 and below suffer from XML External Entity (XXE) injection and cross-site scripting vulnerabilities.

*Credits: N/A
CVSS Scores
CVSS v3
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
  • Confidentiality: Low
  • Integrity: Low
  • Availability: None
CVSS v2
  • Attack Vector: Network
  • Attack Complexity: Medium
  • Authentication: None
  • Confidentiality: None
  • Integrity: Partial
  • Availability: None
* Common Vulnerability Scoring System
SSVC
  • Decision: -
  • Exploitation: -
  • Automatable: -
  • Tech. Impact: -
* Organization's Worst-case Scenario
Timeline
  • 2016-10-07 CVE Reserved
  • 2017-03-01 CVE Published
  • 2024-03-01 EPSS Updated
  • 2024-08-06 CVE Updated
  • 2024-08-06 First Exploit
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CAPEC
Affected Vendors, Products, and Versions
  • Vendor: Hp
  • Product: Airwave
  • Version: < 8.2.3.1
  • Other: -
  • Status: Affected