Details of VAR-201604-0098

ID

VAR-201604-0098

CVE

CVE-2016-3969

TITLE

McAfee Email Gateway Vulnerable to cross-site scripting

Trust: 0.8

sources: JVNDB: JVNDB-2016-001939

DESCRIPTION

Cross-site scripting (XSS) vulnerability in McAfee Email Gateway (MEG) 7.6.x before 7.6.404, when File Filtering is enabled with the action set to ESERVICES:REPLACE, allows remote attackers to inject arbitrary web script or HTML via an attachment in a blocked email. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. McAfee Email Gateway 7.6 is vulnerable; other versions may also be affected. The solution offers incoming threat protection, outgoing encryption, data loss prevention, and more

Trust: 1.98

sources: NVD: CVE-2016-3969 // JVNDB: JVNDB-2016-001939 // BID: 85789 // VULHUB: VHN-92788

AFFECTED PRODUCTS

vendor:	mcafee	model:	email gateway	scope:	eq	version:	7.6.2	Trust: 1.6
vendor:	mcafee	model:	email gateway	scope:	eq	version:	7.6.1	Trust: 1.6
vendor:	mcafee	model:	email gateway	scope:	eq	version:	7.6.4	Trust: 1.6
vendor:	mcafee	model:	email gateway	scope:	eq	version:	7.6	Trust: 1.6
vendor:	mcafee	model:	email gateway	scope:	eq	version:	7.6.3	Trust: 1.6
vendor:	mcafee	model:	email gateway	scope:	eq	version:	7.6.404	Trust: 0.8
vendor:	mcafee	model:	email gateway	scope:	lt	version:	7.6.x	Trust: 0.8

sources: JVNDB: JVNDB-2016-001939 // CNNVD: CNNVD-201604-037 // NVD: CVE-2016-3969

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2016-3969
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2016-3969
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-201604-037
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-92788
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2016-3969
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
VULHUB:	VHN-92788
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2016-3969
baseSeverity:	MEDIUM
baseScore:	6.1
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	CHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	2.8
impactScore:	2.7
version:	3.0
Trust: 1.8

sources: VULHUB: VHN-92788 // JVNDB: JVNDB-2016-001939 // CNNVD: CNNVD-201604-037 // NVD: CVE-2016-3969

PROBLEMTYPE DATA

problemtype:

CWE-79

Trust: 1.9

sources: VULHUB: VHN-92788 // JVNDB: JVNDB-2016-001939 // NVD: CVE-2016-3969

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201604-037

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201604-037

CONFIGURATIONS

sources: JVNDB: JVNDB-2016-001939

PATCH

title:	SB10153	url:	https://kc.mcafee.com/corporate/index?page=content&id=SB10153	Trust: 0.8
title:	McAfee Email Gateway Fixes for cross-site scripting vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=60772	Trust: 0.6

sources: JVNDB: JVNDB-2016-001939 // CNNVD: CNNVD-201604-037

EXTERNAL IDS

db:	NVD	id:	CVE-2016-3969	Trust: 2.8
db:	MCAFEE	id:	SB10153	Trust: 1.7
db:	SECTRACK	id:	1035470	Trust: 1.1
db:	JVNDB	id:	JVNDB-2016-001939	Trust: 0.8
db:	CNNVD	id:	CNNVD-201604-037	Trust: 0.7
db:	BID	id:	85789	Trust: 0.4
db:	VULHUB	id:	VHN-92788	Trust: 0.1

sources: VULHUB: VHN-92788 // BID: 85789 // JVNDB: JVNDB-2016-001939 // CNNVD: CNNVD-201604-037 // NVD: CVE-2016-3969

REFERENCES

url:	https://kc.mcafee.com/corporate/index?page=content&id=sb10153	Trust: 1.6
url:	http://www.securitytracker.com/id/1035470	Trust: 1.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2016-3969	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2016-3969	Trust: 0.8
url:	http://www.mcafee.com/	Trust: 0.3
url:	https://kc.mcafee.com/corporate/index?page=content&id=sb10153	Trust: 0.1

sources: VULHUB: VHN-92788 // BID: 85789 // JVNDB: JVNDB-2016-001939 // CNNVD: CNNVD-201604-037 // NVD: CVE-2016-3969

CREDITS

Wesley Neelen from DearBytes B.V.

Trust: 0.3

sources: BID: 85789

SOURCES

db:	VULHUB	id:	VHN-92788
db:	BID	id:	85789
db:	JVNDB	id:	JVNDB-2016-001939
db:	CNNVD	id:	CNNVD-201604-037
db:	NVD	id:	CVE-2016-3969

LAST UPDATE DATE

2025-04-13T23:09:38.459000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-92788	date:	2016-05-19T00:00:00
db:	BID	id:	85789	date:	2016-07-05T22:03:00
db:	JVNDB	id:	JVNDB-2016-001939	date:	2016-04-08T00:00:00
db:	CNNVD	id:	CNNVD-201604-037	date:	2016-04-07T00:00:00
db:	NVD	id:	CVE-2016-3969	date:	2025-04-12T10:46:40.837

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-92788	date:	2016-04-06T00:00:00
db:	BID	id:	85789	date:	2016-03-30T00:00:00
db:	JVNDB	id:	JVNDB-2016-001939	date:	2016-04-08T00:00:00
db:	CNNVD	id:	CNNVD-201604-037	date:	2016-04-07T00:00:00
db:	NVD	id:	CVE-2016-3969	date:	2016-04-06T18:59:01.277