ID

VAR-201604-0097


CVE

CVE-2016-3968


TITLE

Sophos Cyberoam CR100iNG UTM and CR35iNG UTM Appliance firmware cross-site scripting vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2016-001941

DESCRIPTION

Multiple cross-site scripting (XSS) vulnerabilities in Sophos Cyberoam CR100iNG UTM appliance with firmware 10.6.3 MR-1 build 503, CR35iNG UTM appliance with firmware 10.6.2 MR-1 build 383, and CR35iNG UTM appliance with firmware 10.6.2 Build 378 allow remote attackers to inject arbitrary web script or HTML via the (1) ipFamily parameter to corporate/webpages/trafficdiscovery/LiveConnections.jsp; the (2) ipFamily, (3) applicationname, or (4) username parameter to corporate/webpages/trafficdiscovery/LiveConnectionDetail.jsp; or the (5) X-Forwarded-For HTTP header.

The affected inputs are: (1) the ipFamily parameter of corporate/webpages/trafficdiscovery/LiveConnections.jsp; (2) the ipFamily parameter of corporate/webpages/trafficdiscovery/LiveConnectionDetail.jsp; (3) the applicationname parameter of corporate/webpages/trafficdiscovery/LiveConnectionDetail.jsp; (4) the username parameter of corporate/webpages/trafficdiscovery/LiveConnectionDetail.jsp; and (5) the X-Forwarded-For HTTP header.

An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected application. This may let the attacker steal cookie-based authentication credentials and launch other attacks.

Cyberoam NG series of Unified Threat Management appliances are the Next-Generation network security appliances that include UTM security features along with performance required for future networks. The NG series for SMEs are the 'fastest UTMs' made for this segment. The best-in-class hardware along with software to match, enables the NG series to offer unmatched throughput speeds, compared to any other UTM appliance in this market segment. This assures support for future IT trends in organizations like high-speed Internet and rising number of devices in organizations – offering future-ready security to SMEs.

Multiple reflected XSS issues were discovered in Cyberoam NG appliances. Input passed via the 'ipFamily', 'applicationname' and 'username' GET parameters to LiveConnections.jsp and LiveConnectionDetail.jsp is not properly sanitised before being returned to the user. Adding an arbitrary 'X-Forwarded-For' HTTP header to a request makes the appliance also prone to an XSS issue.

Sophos Cyberoam CR100iNG UTM and CR35iNG UTM are next-generation firewalls from the British company Sophos that run the CyberoamOS operating system and provide online application detection and control, web filtering, HTTPS inspection, intrusion prevention and other functions. The vulnerability stems from the fact that the corporate/webpages/trafficdiscovery/LiveConnections.jsp script does not adequately filter the 'ipFamily' parameter; the corporate/webpages/trafficdiscovery/LiveConnectionDetail.jsp script does not adequately filter the 'ipFamily', 'applicationname', and 'username' parameters; and the program does not adequately filter the X-Forwarded-For HTTP header. A remote attacker can exploit this vulnerability to inject arbitrary web script or HTML.

Trust: 2.07

sources: NVD: CVE-2016-3968 // JVNDB: JVNDB-2016-001941 // BID: 85892 // ZSL: ZSL-2016-5313 // VULHUB: VHN-92787

AFFECTED PRODUCTS

vendor: sophos, model: cyberoam cr100ing utm, scope: eq, version: 10.6.3_mr-1_build_503

Trust: 1.0

vendor: sophos, model: cyberoam cr35ing utm, scope: eq, version: 10.6.2_build_378

Trust: 1.0

vendor: sophos, model: cyberoam cr35ing utm, scope: eq, version: 10.6.2_mr-1_build_383

Trust: 1.0

vendor: sophos, model: cyberoam cr100ing utm, scope: eq, version: 10.6.3 mr-1 build 503

Trust: 0.8

vendor: sophos, model: cyberoam cr35ing utm, scope: eq, version: 10.6.2 build 378

Trust: 0.8

vendor: sophos, model: cyberoam cr35ing utm, scope: eq, version: 10.6.2 mr-1 build 383

Trust: 0.8

vendor: sophos, model: cyberoam cr35ing utm, scope: eq, version: -

Trust: 0.6

vendor: sophos, model: cyberoam cr100ing utm, scope: eq, version: -

Trust: 0.6

vendor: sophos pvt, model: cyberoam ng series multiple cross-site scripting vulnerabilities, scope: eq, version: fw: 10.6.3 mr-1 (build 503)

Trust: 0.1

vendor: sophos pvt, model: cyberoam ng series multiple cross-site scripting vulnerabilities, scope: eq, version: fw: 10.6.2 mr-1 (build 383)

Trust: 0.1

vendor: sophos pvt, model: cyberoam ng series multiple cross-site scripting vulnerabilities, scope: eq, version: fw: 10.6.2 (build 378)

Trust: 0.1

sources: ZSL: ZSL-2016-5313 // JVNDB: JVNDB-2016-001941 // CNNVD: CNNVD-201604-036 // NVD: CVE-2016-3968

CVSS

SEVERITY

nvd@nist.gov: CVE-2016-3968
value: MEDIUM

Trust: 1.0

NVD: CVE-2016-3968
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201604-036
value: MEDIUM

Trust: 0.6

ZSL: ZSL-2016-5313
value: (2/5)

Trust: 0.1

VULHUB: VHN-92787
value: MEDIUM

Trust: 0.1

CVSSV2

nvd@nist.gov: CVE-2016-3968
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-92787
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

CVSSV3

nvd@nist.gov: CVE-2016-3968
baseSeverity: MEDIUM
baseScore: 6.1
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 2.7
version: 3.0

Trust: 1.8

sources: ZSL: ZSL-2016-5313 // VULHUB: VHN-92787 // JVNDB: JVNDB-2016-001941 // CNNVD: CNNVD-201604-036 // NVD: CVE-2016-3968

PROBLEMTYPE DATA

problemtype:CWE-79

Trust: 1.9

sources: VULHUB: VHN-92787 // JVNDB: JVNDB-2016-001941 // NVD: CVE-2016-3968

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201604-036

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201604-036

CONFIGURATIONS

sources: JVNDB: JVNDB-2016-001941

EXPLOIT AVAILABILITY

sources: ZSL: ZSL-2016-5313

PATCH

title: CR100iNG UTM, url: http://www.cyberoam.com/downloads/datasheet/CyberoamCR100iNG.pdf

Trust: 0.8

title: CR35iNG UTM, url: http://www.cyberoam.com/downloads/datasheet/CyberoamCR35iNG.pdf

Trust: 0.8

title: Multiple Sophos Cyberoam Fixes for product cross-site scripting vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=60771

Trust: 0.6

sources: JVNDB: JVNDB-2016-001941 // CNNVD: CNNVD-201604-036

EXTERNAL IDS

db: NVD, id: CVE-2016-3968

Trust: 2.9

db: ZSL, id: ZSL-2016-5313

Trust: 2.6

db: PACKETSTORM, id: 136561

Trust: 1.8

db: JVNDB, id: JVNDB-2016-001941

Trust: 0.9

db: CNNVD, id: CNNVD-201604-036

Trust: 0.7

db: BID, id: 85892

Trust: 0.4

db: CXSECURITY, id: WLB-2016040025

Trust: 0.1

db: VULDB, id: 81644

Trust: 0.1

db: VULHUB, id: VHN-92787

Trust: 0.1

sources: ZSL: ZSL-2016-5313 // VULHUB: VHN-92787 // BID: 85892 // JVNDB: JVNDB-2016-001941 // CNNVD: CNNVD-201604-036 // NVD: CVE-2016-3968

REFERENCES

url:http://www.zeroscience.mk/en/vulnerabilities/zsl-2016-5313.php

Trust: 2.5

url:http://packetstormsecurity.com/files/136561/sophos-cyberoam-ng-series-cross-site-scripting.html

Trust: 1.7

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2016-3968

Trust: 0.9

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2016-3968

Trust: 0.9

url:http://www.sophos.com/

Trust: 0.3

url:https://docs.cyberoam.com/default.asp?id=447&lang=1&sid=

Trust: 0.1

url:https://cxsecurity.com/issue/wlb-2016040025

Trust: 0.1

url:https://packetstormsecurity.com/files/136561

Trust: 0.1

url:https://exchange.xforce.ibmcloud.com/vulnerabilities/111980

Trust: 0.1

url:http://vuldb.com/?id.81644

Trust: 0.1

url:http://jvndb.jvn.jp/ja/contents/2016/jvndb-2016-001941.html

Trust: 0.1

url:http://tech.cert-hungary.hu/vulnerabilities/ch-13158

Trust: 0.1

sources: ZSL: ZSL-2016-5313 // VULHUB: VHN-92787 // BID: 85892 // JVNDB: JVNDB-2016-001941 // CNNVD: CNNVD-201604-036 // NVD: CVE-2016-3968

CREDITS

Gjoko Krstic

Trust: 0.3

sources: BID: 85892

SOURCES

db: ZSL, id: ZSL-2016-5313
db: VULHUB, id: VHN-92787
db: BID, id: 85892
db: JVNDB, id: JVNDB-2016-001941
db: CNNVD, id: CNNVD-201604-036
db: NVD, id: CVE-2016-3968

LAST UPDATE DATE

2025-04-13T23:18:00.671000+00:00


SOURCES UPDATE DATE

db: ZSL, id: ZSL-2016-5313, date: 2016-04-11T00:00:00
db: VULHUB, id: VHN-92787, date: 2016-04-07T00:00:00
db: BID, id: 85892, date: 2016-04-04T00:00:00
db: JVNDB, id: JVNDB-2016-001941, date: 2016-04-08T00:00:00
db: CNNVD, id: CNNVD-201604-036, date: 2016-04-07T00:00:00
db: NVD, id: CVE-2016-3968, date: 2025-04-12T10:46:40.837

SOURCES RELEASE DATE

db: ZSL, id: ZSL-2016-5313, date: 2016-04-04T00:00:00
db: VULHUB, id: VHN-92787, date: 2016-04-06T00:00:00
db: BID, id: 85892, date: 2016-04-04T00:00:00
db: JVNDB, id: JVNDB-2016-001941, date: 2016-04-08T00:00:00
db: CNNVD, id: CNNVD-201604-036, date: 2016-04-07T00:00:00
db: NVD, id: CVE-2016-3968, date: 2016-04-06T18:59:00.120