CVE-2016-8527

Aruba AirWave 8.2.3 - XML External Entity Injection / Cross-Site Scripting

Severity Score

6.1

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Aruba Airwave all versions up to, but not including, 8.2.3.1 is vulnerable to a reflected cross-site scripting (XSS). The vulnerability is present in the VisualRF component of AirWave. By exploiting this vulnerability, an attacker who can trick a logged-in AirWave administrative user into clicking a link could obtain sensitive information, such as session cookies or passwords. The vulnerability requires that an administrative users click on the malicious link while currently logged into AirWave in the same browser.

Aruba Airwave, en todas las versiones hasta la 8.2.3.1 (no incluida), es vulnerable a Cross-Site Scripting (XSS) reflejado. La vulnerabilidad está presente en el componente VisualRF de AirWave. Al explotar esta vulnerabilidad, un atacante que pueda engañar a un usuario administrativo de AirWave que haya iniciado sesión para que haga clic en un enlace podrá obtener información sensible, como las cookies de sesión o las contraseñas. La vulnerabilidad requiere que el usuario administrativo haga clic en el enlace malicioso mientras tiene la sesión iniciada en AirWave en el mismo navegador.

Aruba AirWave versions 8.2.3 and below suffer from XXE injection and cross site scripting vulnerabilities.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

Attack Vector

Network

Attack Complexity

Medium

Authentication

None

Confidentiality

None

Integrity

Partial

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2016-10-07 CVE Reserved
2017-03-01 CVE Published
2024-03-01 EPSS Updated
2024-08-06 CVE Updated
2024-08-06 First Exploit
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CAPEC

References (3)

URL	Tag	Source
http://www.securityfocus.com/bid/96495	Third Party Advisory

URL	Date	SRC
https://www.exploit-db.com/exploits/41482	2024-08-06

URL	Date	SRC

URL	Date	SRC
http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2017-001.txt	2018-10-09

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Hp Search vendor "Hp"		Airwave Search vendor "Hp" for product "Airwave"				< 8.2.3.1 Search vendor "Hp" for product "Airwave" and version " < 8.2.3.1"		-		Affected