ID

VAR-201604-0554


CVE

CVE-2015-7676


TITLE

Ipswitch MOVEit File Transfer Vulnerable to cross-site scripting

Trust: 0.8

sources: JVNDB: JVNDB-2015-007089

DESCRIPTION

Ipswitch MOVEit File Transfer (formerly DMZ) 8.1 and earlier, when configured to support file view on download, allows remote authenticated users to conduct cross-site scripting (XSS) attacks by uploading HTML files. Ipswitch MOVEit File Transfer is prone to an HTML-injection vulnerability because it fails to properly sanitize user-supplied input. Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible. Ipswitch MOVEit File Transfer versions 8.1 and prior are vulnerable. The system supports control, management, and visibility into all business-critical file transfer activities through a single, secure system.

Trust: 1.98

sources: NVD: CVE-2015-7676 // JVNDB: JVNDB-2015-007089 // BID: 90574 // VULHUB: VHN-85637

AFFECTED PRODUCTS

vendor: ipswitch // model: moveit dmz // scope: lte // version: 8.1

Trust: 1.8

vendor: ipswitch // model: moveit dmz // scope: eq // version: 8.1

Trust: 0.6

sources: JVNDB: JVNDB-2015-007089 // CNNVD: CNNVD-201604-337 // NVD: CVE-2015-7676

CVSS

SEVERITY, CVSSV2, CVSSV3 (entries follow in that order)

nvd@nist.gov: CVE-2015-7676
value: MEDIUM

Trust: 1.0

NVD: CVE-2015-7676
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201604-337
value: LOW

Trust: 0.6

VULHUB: VHN-85637
value: LOW

Trust: 0.1

nvd@nist.gov: CVE-2015-7676
severity: LOW
baseScore: 3.5
vectorString: AV:N/AC:M/AU:S/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 6.8
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-85637
severity: LOW
baseScore: 3.5
vectorString: AV:N/AC:M/AU:S/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 6.8
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2015-7676
baseSeverity: MEDIUM
baseScore: 5.4
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.3
impactScore: 2.7
version: 3.0

Trust: 1.8

sources: VULHUB: VHN-85637 // JVNDB: JVNDB-2015-007089 // CNNVD: CNNVD-201604-337 // NVD: CVE-2015-7676

PROBLEMTYPE DATA

problemtype:CWE-79

Trust: 1.9

sources: VULHUB: VHN-85637 // JVNDB: JVNDB-2015-007089 // NVD: CVE-2015-7676

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201604-337

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201604-337

CONFIGURATIONS

sources: JVNDB: JVNDB-2015-007089

PATCH

title: Top Page // url: https://www.ipswitch.com/

Trust: 0.8

sources: JVNDB: JVNDB-2015-007089

EXTERNAL IDS

db: NVD // id: CVE-2015-7676

Trust: 2.8

db: PACKETSTORM // id: 135458

Trust: 1.7

db: BID // id: 90574

Trust: 1.4

db: JVNDB // id: JVNDB-2015-007089

Trust: 0.8

db: CNNVD // id: CNNVD-201604-337

Trust: 0.7

db: VULHUB // id: VHN-85637

Trust: 0.1

sources: VULHUB: VHN-85637 // BID: 90574 // JVNDB: JVNDB-2015-007089 // CNNVD: CNNVD-201604-337 // NVD: CVE-2015-7676

REFERENCES

url:http://seclists.org/fulldisclosure/2016/jan/95

Trust: 1.7

url:http://packetstormsecurity.com/files/135458/ipswitch-moveit-dmz-8.1-persistent-cross-site-scripting.html

Trust: 1.7

url:https://profundis-labs.com/advisories/cve-2015-7676.txt

Trust: 1.7

url:http://www.securityfocus.com/bid/90574

Trust: 1.1

url:https://www.profundis-labs.com/advisories/cve-2015-7676.txt

Trust: 1.1

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-7676

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2015-7676

Trust: 0.8

url:http://www.ipswitchft.com

Trust: 0.3

sources: VULHUB: VHN-85637 // BID: 90574 // JVNDB: JVNDB-2015-007089 // CNNVD: CNNVD-201604-337 // NVD: CVE-2015-7676

CREDITS

Profundis Labs.

Trust: 0.3

sources: BID: 90574

SOURCES

db: VULHUB // id: VHN-85637
db: BID // id: 90574
db: JVNDB // id: JVNDB-2015-007089
db: CNNVD // id: CNNVD-201604-337
db: NVD // id: CVE-2015-7676

LAST UPDATE DATE

2025-04-13T23:27:25.985000+00:00


SOURCES UPDATE DATE

db: VULHUB // id: VHN-85637 // date: 2016-11-28T00:00:00
db: BID // id: 90574 // date: 2016-07-06T14:39:00
db: JVNDB // id: JVNDB-2015-007089 // date: 2016-04-22T00:00:00
db: CNNVD // id: CNNVD-201604-337 // date: 2016-04-18T00:00:00
db: NVD // id: CVE-2015-7676 // date: 2025-04-12T10:46:40.837

SOURCES RELEASE DATE

db: VULHUB // id: VHN-85637 // date: 2016-04-15T00:00:00
db: BID // id: 90574 // date: 2016-01-27T00:00:00
db: JVNDB // id: JVNDB-2015-007089 // date: 2016-04-22T00:00:00
db: CNNVD // id: CNNVD-201604-337 // date: 2016-04-18T00:00:00
db: NVD // id: CVE-2015-7676 // date: 2016-04-15T15:59:01.080