Lucene search

MitreCVE-2016-3968

HistoryApr 06, 2016 - 6:59 p.m.

CVE-2016-3968

2016-04-0618:59:00

CWE-79

mitre

web.nvd.nist.gov

cve-2016-3968

cross-site scripting

xss

sophos cyberoam

utm

appliance

security vulnerability

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS3

6.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

EPSS

0.002

Percentile

53.4%

JSON

Multiple cross-site scripting (XSS) vulnerabilities in Sophos Cyberoam CR100iNG UTM appliance with firmware 10.6.3 MR-1 build 503, CR35iNG UTM appliance with firmware 10.6.2 MR-1 build 383, and CR35iNG UTM appliance with firmware 10.6.2 Build 378 allow remote attackers to inject arbitrary web script or HTML via the (1) ipFamily parameter to corporate/webpages/trafficdiscovery/LiveConnections.jsp; the (2) ipFamily, (3) applicationname, or (4) username parameter to corporate/webpages/trafficdiscovery/LiveConnectionDetail.jsp; or the (5) X-Forwarded-For HTTP header.

Affected configurations

Nvd

Node

sophoscyberoam_cr100ing_utmMatch-

AND

sophoscyberoam_cr100ing_utm_firmwareMatch10.6.3_mr-1_build_503

Node

sophoscyberoam_cr35ing_utmMatch-

AND

sophoscyberoam_cr35ing_utm_firmwareMatch10.6.2_build_378

sophoscyberoam_cr35ing_utm_firmwareMatch10.6.2_mr-1_build_383

VendorProductVersionCPE
sophoscyberoam_cr100ing_utm-cpe:2.3:h:sophos:cyberoam_cr100ing_utm:-:*:*:*:*:*:*:*
sophoscyberoam_cr100ing_utm_firmware10.6.3_mr-1_build_503cpe:2.3:o:sophos:cyberoam_cr100ing_utm_firmware:10.6.3_mr-1_build_503:*:*:*:*:*:*:*
sophoscyberoam_cr35ing_utm-cpe:2.3:h:sophos:cyberoam_cr35ing_utm:-:*:*:*:*:*:*:*
sophoscyberoam_cr35ing_utm_firmware10.6.2_build_378cpe:2.3:o:sophos:cyberoam_cr35ing_utm_firmware:10.6.2_build_378:*:*:*:*:*:*:*
sophoscyberoam_cr35ing_utm_firmware10.6.2_mr-1_build_383cpe:2.3:o:sophos:cyberoam_cr35ing_utm_firmware:10.6.2_mr-1_build_383:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
sophos	cyberoam_cr100ing_utm	-	cpe:2.3:h:sophos:cyberoam_cr100ing_utm:-:::::::*
sophos	cyberoam_cr100ing_utm_firmware	10.6.3_mr-1_build_503	cpe:2.3:o:sophos:cyberoam_cr100ing_utm_firmware:10.6.3_mr-1_build_503:::::::*
sophos	cyberoam_cr35ing_utm	-	cpe:2.3:h:sophos:cyberoam_cr35ing_utm:-:::::::*
sophos	cyberoam_cr35ing_utm_firmware	10.6.2_build_378	cpe:2.3:o:sophos:cyberoam_cr35ing_utm_firmware:10.6.2_build_378:::::::*
sophos	cyberoam_cr35ing_utm_firmware	10.6.2_mr-1_build_383	cpe:2.3:o:sophos:cyberoam_cr35ing_utm_firmware:10.6.2_mr-1_build_383:::::::*

References

packetstormsecurity.com/files/136561/Sophos-Cyberoam-NG-Series-Cross-Site-Scripting.html

www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5313.php

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS3

6.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

EPSS

0.002

Percentile

53.4%

JSON

Related for CVE-2016-3968